Automatic merge from submit-queue (batch tested with PRs 46928, 47345)
kubeadm: Move directory ./master to ./phases/controlplane
**What this PR does / why we need it**:
- Moves app/master into phases/controlplane. It should be in the phases directory, was just overlooked earlier
- Harmonizes the import names in phases/controlplane with the similar import names in cmd/kubeadm
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Please review only second and third commit, based on https://github.com/kubernetes/kubernetes/pull/47339
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @pipejakob
Automatic merge from submit-queue
Add timothysc to kubeadm reviewers
**What this PR does / why we need it**:
Adds timothysc to kubeadm reviewers b/c I'm working on it this cycle.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Remove old node role label that is not used by kubeadm
**What this PR does / why we need it**:
This label hasn't been used by kubeadm since v1.5.
v1.5 support was dropped when v1.6 arrived due to a potential security flaw and the earlier alpha status.
So this label hasn't been used for around three months.
It makes sense to remove it in time for v1.8, could already have been done for v1.7
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 48264, 48324, 48125, 47944, 47489)
remove unneeded variable
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
**What this PR does / why we need it**:
small fix, remove unneeded variable
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: If `--config` is set, don't allow any other option as it won't have effect
If use config in kubeadm init, cann't get other values from other arguments.
`kubeadm init --config=../kubeadm.config --token 447ad3.96cda76e3206fca0 --apiserver-bind-port 6445`
So I think we need to allow get values from command and is prior than cofig file.
Automatic merge from submit-queue (batch tested with PRs 48295, 48298, 47339, 44910, 48037)
kubeadm: Remove v1.6 version gates, cleanup unused code, etc.
**What this PR does / why we need it**:
- Removes v1.6 version gates and requires a control plane version of v1.7.0 and above
- Removes unused/unnecessary functions that got freed up as a consequence of that
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: kubernetes/kubeadm#327
**Special notes for your reviewer**:
This PR targets v1.8, can be merged first when the code freeze is lifted
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese @pipejakob
Automatic merge from submit-queue
Fix kube-proxy panic when running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Save the `--cleanup-iptables` config for new ProxyServer when it's true.
Also check if Broadcaster and EventClient are nil to avoid other potential panic.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
/cc @ncdc @irake99
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: Start using Tolerations in yaml code again and unit-test
**What this PR does / why we need it**:
- Earlier there was a problem with decoding Tolerations from yaml. Seems to be fixed now.
- Added an unit test to catch such a failure if that regression ever happens again
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc
Automatic merge from submit-queue
kubeadm: Expose only the cluster-info ConfigMap in the kube-public ns
**What this PR does / why we need it**:
Noticed a bug; we should only expose the `cluster-info` ConfigMap.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/320
**Special notes for your reviewer**:
Cherrypick-candidate for v1.8 cc @dchen1107
Not blocking the release though...
**Release note**:
```release-note
NONE
```
@jbeda @pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Use endpoints informer for the endpoint controller
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
**What this PR does / why we need it**:
Address endpoint update delays as described in https://github.com/kubernetes/kubernetes/issues/47597.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/47597
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
kubeadm: Make kube-proxy RollingUpgradeable
**What this PR does / why we need it**:
Sets the right updateStrategy for kube-proxy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/319
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48074, 47971, 48044, 47514, 47647)
Move LoadPodFromFile to volume utils
SavePodToFile is not used anywhere and LoadPodFromFile is used only by PV
recycler.
Fix#16970
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47961, 46276)
Remove duplicate error message output in hyperkube.
**What this PR does / why we need it**:
Currently hyperkube binary will always print duplicate messages if fatal error occurs:
```
$ ./kubelet # run without permission
I0523 08:38:02.642638 25701 feature_gate.go:144] feature gates: map[]
W0523 08:38:02.642827 25701 server.go:472] No API client: no api servers specified
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
```
This is due to RunToExit will print out the error which Run has just printed. https://github.com/kubernetes/kubernetes/blob/8bee44b/cmd/hyperkube/hyperkube.go#L178-L189
This was introduced in following commit for adding GOMAXPROCS calls.
1e679f0069
The following commit removes GOMAXPROCS calls, but did not remove the corresponding error output line.
88ea80b572
**Which issue this PR fixes**
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue
kubeadm: Remove the validate phase as it's not needed
**What this PR does / why we need it**:
This validation code was added in v1.4 as a way to remove flakiness between deploying the control plane in Static Pods and deploying kube-discovery as a Deployment.
That isn't the case anymore and we're not experiencing such flakiness, as we're using other methods like checking `/healthz` to determine a healthy control plane before proceeding.
https://github.com/kubernetes/kubernetes/pull/43881 removed this logic from `kubeadm init` to having it as a phase. But that phase isn't needed or used in any way, so now I'm removing it here.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Add "alpha phase preflight" command
**What this PR does / why we need it:**
Adds "alpha phase preflight" command to kubeadm in order to run pre-flight checks independently of init phase.
**Which issue this PR fixes:** fixeskubernetes/kubeadm#314
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Make different container runtimes constant
Make different container runtimes constant to avoid hardcode
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
kubelet should resume csr bootstrap
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue (batch tested with PRs 47922, 47195, 47241, 47095, 47401)
Run cAdvisor on the same interface as kubelet
**What this PR does / why we need it**:
cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#11710
**Special notes for your reviewer**:
**Release note**:
```release-note
cAdvisor binds only to the interface that kubelet is running on instead of all interfaces.
```
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable. Also using a list watch here eliminates a race condition
where a watch event is missed and the kubelet stalls.
Automatic merge from submit-queue
Update addons with upstream CVE fixes
**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47386 (yay!)
**Special notes for your reviewer**:
**Release note**:
```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo
/cc @dchen1107 @timstclair
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
