Automatic merge from submit-queue
add failure check on umount when kubeadm reset, and on service stop
**What this PR does / why we need it**:
before this PR, `umount` will exit with code `123` if `grep` does not match anything
`xargs` has an option:
>-r, --no-run-if-empty
If the standard input does not contain any nonblanks, do not run the command. Normally, the command is run once even if
there is no input. This option is a GNU extension.
1. this PR add `-r` option to `xargs` , so `umount` will not execute and exit with code `0` correctly while `grep` does not match anything.
2. this PR add failure check on umount. for example, if the directory to be umount is busy, a error message will be printed:
>failed to unmount directories in /var/lib/kubelet, umount: /var/lib/kubelet/foo/bar: target is busy
(In some cases useful info about processes that
use the device is found by lsof(8) or fuser(1).)
3. add failure check on kubelet service stop.
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue
Kubeadm unit tests pkg node
Added unit tests for the kubeadm/app/node package testing functionality of bootstrap.go, csr.go, and discovery.go.
This PR is part of the ongoing effort to add tests (#35025)
/cc @pires @jbeda
Automatic merge from submit-queue
change unconfined_t to spc_t
**What this PR does / why we need it**:
When installing kube via kubeadm on a system w/ selinux enabled, it's necessary to disable selinux in order for the etcd and kube-discovery containers to run.
The kube etcd and discovery pods are currently set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
updated pkg "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" to "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5" because the type that bootstrap.go:126 checkAPIEndpoint requires changed as well as *internalversion.CertificatesClient in csr_test.go:69
Automatic merge from submit-queue
Add the system verification test to the kubeadm preflight checks
And refactor the system verification test to accept to write to a specific writer in order to customize the output
This PR is targeting v1.5, PTAL
cc @Random-Liu @dchen1107 @kubernetes/sig-cluster-lifecycle
Automatic merge from submit-queue
[kubeadm] use iteration instead of recursion in function
**What this PR does / why we need it**:
before this PR, function `attemptToUpdateMasterRoleLabelsAndTaints` recursively call itself. there are some defeats in it:
1. potential stack overflow.
2. unnecessary extra `json.Marshal` calls.
3. unnecessary extra `client.Nodes().List` calls.
this PR rewrite `attemptToUpdateMasterRoleLabelsAndTaints` function, use iterate instead of recursion.
so these 3 defeats the metioned above are gone.
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue
kubeadm: changed tests to be table driven
Small change to migrate tests in kubeadm/app/util/tokens_test.go to be table driven which should make adding more tests in the future easier and also have them match how other tests are being written.
This PR is part of the ongoing effort to add tests (#35025)
Automatic merge from submit-queue
support customize repository prefix of image through environment KUBE…
## Problem
kubeadm does not support customize repository prefix of image. this prevent us from using our own image repository to deploy k8s.
## Fix
make ```gcr.io/google_containers/ ``` be configurable.
ADD environment variable KUBE_REPO_PREFIX
Signed-off-by: yaoyao.xyy <yaoyao.xyy@alibaba-inc.com>
Hardcoded known stable version will be returned if user
didn't request specific version and kubeadm for some reason
not able to fetch latest stable information from release servers.
For now, fallback version is v1.4.6
Now, defaults can be pointing to "stable" and users will always get
latest available stable build of Kubernetes via kubeadm.
There is no need anymore to hardcode version string inside kubeadm
binary.
It is also possible to use labels like "latest" or point to exact
branch: "stable-1.4"
Automatic merge from submit-queue
Update kubeadm etcd to 3.0.13 in order to switch to the etcd3 storage format
ref: https://github.com/kubernetes/kubernetes/issues/35723
I think we should switch as soon as possible, but run it in etcd2 mode until the full etcd3 mode is stable
@kubernetes/sig-cluster-lifecycle @wojtek-t @xiang90 @lavalamp
In future we might try to verify ports are actually exposed in firewalld
policy, but this can be quite complex. Instead lets just warn the user
if we see firewalld is running.
The kube etcd and discovery pods are set to unconfined_t in
order to avoid disabling selinux, but the correct type for
an unconfined container is spc_t. For more information, see
http://danwalsh.livejournal.com/2016/10/03/.
Automatic merge from submit-queue
add master address into kubeadm join help message and some validations
**What this PR does / why we need it**:
1, add master address into kubeadm join help message. looks like :
>Usage:
> kubeadm join <master address> [flags]
2, when user provides more than one master address, return an error.
3, since `kubeadm join` not only support ip addresses but also host names or domain names, so i delete the word `ip` from error message `must specify master ip address (see --help)`
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue
New command: "kubeadm token generate"
As part of #33930, this PR adds a new top-level command to kubeadm to just generate a token for use with the init/join commands. Otherwise, users are left to either figure out how to generate a token on their own, or let `kubeadm init` generate a token, capture and parse the output, and then use that token for `kubeadm join`.
At this point, I was hoping for feedback on the CLI experience, and then I can add tests. I spoke with @mikedanese and he didn't like the original propose of `kubeadm util generate-token`, so here are the runners up:
```
$ kubeadm generate-token # <--- current implementation
$ kubeadm generate token # in case kubeadm might generate other things in the future?
$ kubeadm init --generate-token # possibly as a subcommand of an existing one
```
Currently, the output is simply the token on one line without any padding/formatting:
```
$ kubeadm generate-token
1087fd.722b60cdd39b1a5f
```
CC: @kubernetes/sig-cluster-lifecycle
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
``` release-note
New kubeadm command: generate-token
```
We recently improved this to tolerate existence of things like
/etc/kubernetes/manifests/ as an empty dir, but forgot to do so for the
join pre-flight checks where it is also failing.
Instead ensure only the sub-directories and files we need are available.
Automatic merge from submit-queue
Avoid double decoding all client responses
Fixes#35982
The linked issue uncovered that we were always double decoding the response in restclient for get, list, update, create, and patch. That's fairly expensive, most especially for list. This PR refines the behavior of the rest client to avoid double decoding, and does so while minimizing the changes to rest client consumers.
restclient must be able to deal with multiple types of servers. Alter the behavior of restclient.Result#Raw() to not process the body on error, but instead to return the generic error (which still matches the error checking cases in api/error like IsBadRequest). If the caller uses
.Error(), .Into(), or .Get(), try decoding the body as a Status.
For older servers, continue to default apiVersion "v1" when calling restclient.Result#Error(). This was only for 1.1 servers and the extensions group, which we have since fixed.
This removes a double decode of very large objects (like LIST) - we were trying to DecodeInto status, but that ends up decoding the entire result and then throwing it away. This makes the decode behavior specific to the type of action the user wants.
```release-note
The error handling behavior of `pkg/client/restclient.Result` has changed. Calls to `Result.Raw()` will no longer parse the body, although they will still return errors that react to `pkg/api/errors.Is*()` as in previous releases. Callers of `Get()` and `Into()` will continue to receive errors that are parsed from the body if the kind and apiVersion of the body match the `Status` object.
This more closely aligns rest client as a generic RESTful client, while preserving the special Kube API extended error handling for the `Get` and `Into` methods (which most Kube clients use).
```
Automatic merge from submit-queue
kubeadm preflight checks: Warn user if connections to API or Discovery are going to be over proxy
**What this PR does / why we need it**: Continuing discussion from PR #35044, new version will provide warning if kubeadm run in environment where http connections would go over proxy.
Most of the time, it is not expected behaviour and leads to situations like in #34695
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#34695
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
kubeadm during initialization of master and slave nodes need to make
several API calls directly to the node where it is running or master.
In environments with http/https proxies, user might accidentally
have configuration where connections to API would go over proxy instead
of directly.
User can re-run kubeadm with corrected NO_PROXY variable. Example:
$ NO_PROXY=* kubeadm join ...
