Concerns from alpha-phase reviews have been addressed in
https://github.com/kubernetes/kubernetes/pull/80320
and
https://github.com/kubernetes/kubernetes/pull/82109
and early adopters have given positive feedback; so it seems there are
no blockers to graduate GMSA support to beta.
This patch also enables GMSA support by default, mainly for the sake of
making it easier for cluster admins to use, as well as for e2e tests in
nightly builds.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>
The current mechanism for excluding "master" nodes based on node names
is fragile and should be fixed by using a label exclusion similar to
service load balancers. The legacy code path is preserved behind a
defaulted-on gate and will be removed in the future.
This gate will default to on in 1.16 to cover the behavior of the
existing system, and then in the future default to off and then be
removed once all consumers have migrated.
The feature is complete and supported by an increasing number of CSI
drivers, but before it can be really used, it should be moved out of
alpha into beta.
Promotes the VolumePVCDataSource feature (cloning) to beta for the 1.16
release.
Since alpha release in 1.15 there have been a number of minor bug fixes
in the CSI Hospath Provisioner and the CSI provisioner sidecar. We've
also added e2e tests using the Hostpath provisioner.
Adds the field RunAsUserName in the WindowsSecurityContextOptions type,
which is used in PodSecurityContext and SecurityContext.
This field needs to allow for a valid set of usernames allowed for
Windows containers. It must have the format "U
This commit also validates the runAsUserName field, making sure that it valid,
having the format DOMAIN\USER (case insensitive), where DOMAIN\ is optional and
has to be a valid NetBios or DNS domain name.
For more information about the restrictions on the DOMAIN and USER parts, look here: [1] [2]
Adds the WindowsRunAsUserName alpha feature gate. By default, it is disabled.
If the feature gate is not enabled, the WindowsOptions.RunAsUserName field
will be dropped from both the PodSecurityContext and container
SecurityContext.
Co-Authored-By: Claudiu Belu <cbelu@cloudbasesolutions.com>
[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
[2] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
Add support for scaling to zero pods
minReplicas is allowed to be zero
condition is set once
Based on https://github.com/kubernetes/kubernetes/pull/61423
set original valid condition
add scale to/from zero and invalid metric tests
Scaling up from zero pods ignores tolerance
validate metrics when minReplicas is 0
Document HPA behaviour when minReplicas is 0
Documented minReplicas field in autoscaling APIs
Nit: remove capitalization of preferred
Remove line from kubelet and add to separate PR for easier merge
nit: dependency added to separate PR
Add check to ensure strict policy cannot be set without feature gate enabled
Topology Manager runs "none" policy by default.
Added constants for policies and updated documentation.
Update the unit tests to include checks for incorrect APIGroup type in
PVC DataSource and change the name of the feature gate to be more clear:
s/VolumeDataSource/VolumePVCDataSource/
This is the 2nd PR to move CSINodeInfo/CSIDriver APIs to
v1beta1 core storage APIs. It includes controller side changes.
It depends on the PR with API changes:
https://github.com/kubernetes/kubernetes/pull/73883
A previous PR (https://github.com/kubernetes/kubernetes/pull/73726)
added GMSA support to the dockershim. Unfortunately, there was a
bug in there: the registry keys used to pass the cred specs down
to Docker were being cleaned up too early, right after the containers'
creation - before Docker would ever try to read them, when trying to
actually start the container.
This patch fixes this.
An e2e test is also provided in a separate PR.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>
This patch comprises the kubelet changes outlined in the GMSA KEP
(https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20181221-windows-group-managed-service-accounts-for-container-identity.md)
to add GMSA support to Windows workloads.
More precisely, it includes the logic proposed in the KEP to resolve
which GMSA spec should be applied to which containers, and changes
`dockershim` to copy the relevant GMSA credential specs to Windows
registry values prior to creating the container, passing them down
to docker itself, and finally removing the values from the registry
afterwards; both these changes need to be activated with the `WindowsGMSA`
feature gate.
Includes unit tests.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>
