Automatic merge from submit-queue (batch tested with PRs 36140, 38304)
remove validation dependency on version negotiation
Things that just need a REST client or a bit of discovery information should not attempt to perform negotiation. Doing so just limits the genericness of the client.
@kubernetes/sig-cli
@fabianofranz this blocks the kubernetes-discovery work.
Automatic merge from submit-queue
make invocation ReadDockerConfigFile can handle .dockerconfigjson file
**What this PR does / why we need it**:
When **.docker/config.json** is used to authenticate docker registry, the data key **.dockerconfigjson** should be used if we want to save this kind of docker auth data into a secret. So this PR is mainly to make invocation `ReadDockerConfigFile `have ability to read **.dockerconfigjson** file.
@liggitt
Automatic merge from submit-queue
Cover port_allocator_test with more conditions
The test cases of port_allocator_test should cover more conditions, such as `rangeAllocator.used.Bit`.
Automatic merge from submit-queue (batch tested with PRs 36543, 38189, 38289, 38291, 36724)
context.Context should be the first parameter of a function in vsphere
**What this PR does / why we need it**:
Change the position of the context.Context parameter.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
golint
**Release note**:
```release-note
```
Signed-off-by: yupeng <yu.peng36@zte.com.cn>
Automatic merge from submit-queue (batch tested with PRs 36543, 38189, 38289, 38291, 36724)
add authentication/authorization to kubernetes-discovery
Wires authentication and authorization into `kubernetes-discovery` and re-enables the `local-up-cluster.sh` along with proper permission granting for RBAC cases.
@sttts @liggitt
Automatic merge from submit-queue (batch tested with PRs 36543, 38189, 38289, 38291, 36724)
Kubelet: only check podUID when it is actually set
Fixes#38188.
cc/ @timstclair @yujuhong
Automatic merge from submit-queue (batch tested with PRs 38294, 37009, 36778, 38130, 37835)
fix permissions when using fsGroup
Currently, when an fsGroup is specified, the permissions of the defaultMode are not respected and all files created by the atomic writer have mode 777. This is because in `SetVolumeOwnership()` the `filepath.Walk` includes the symlinks created by the atomic writer. The symlinks have mode 777 when read from `info.Mode()`. However, when the are chmod'ed later, the chmod applies to the file the symlink points to, not the symlink itself, resulting in the wrong mode for the underlying file.
This PR skips chmod/chown for symlinks in the walk since those operations are carried out on the underlying file which will be included elsewhere in the walk.
xref https://bugzilla.redhat.com/show_bug.cgi?id=1384458
@derekwaynecarr @pmorie
Automatic merge from submit-queue (batch tested with PRs 38294, 37009, 36778, 38130, 37835)
Re-use tested ratelimiter
The ratelimiter introduced in #35583 is not working correctly when called from multiple threads
This reverts to the tested ratelimiter we were previously using to unblock 1.5 (automated revert wasn't possible)
Ref #38273
reproducing test case:
```
func TestMultiThreadedBlocking(t *testing.T) {
done := make(chan bool)
// 100 QPS, burst of 100
b := NewBucketWithRate(100, 100)
go func() {
defer close(done)
fmt.Println(time.Now(), "Waiting for 1000 (should block for ~9-10 seconds)")
b.Wait(1000)
fmt.Println(time.Now(), "Got 1000")
}()
// give the request for 1000 plenty of time to take the tokens
time.Sleep(2 * time.Second)
fmt.Println(time.Now(), "Waiting for 1 (should wait until 1000 block is refilled)")
b.Wait(1)
fmt.Println(time.Now(), "Got 1 (should happen right after the wait for 1000 completes)")
<-done
}
$ go test ./pkg/util/ratelimit/ -v -run TestMultiThreadedBlocking
=== RUN TestMultiThreadedBlocking
2016-12-07 12:15:36.222133049 -0500 EST Waiting for 1000 (should block for ~9-10 seconds)
2016-12-07 12:15:38.222797752 -0500 EST Waiting for 1 (should wait until 1000 block is refilled)
2016-12-07 12:15:38.222897951 -0500 EST Got 1 (should happen right after the wait for 1000 completes)
2016-12-07 12:15:45.223125234 -0500 EST Got 1000
```
in contrast, the same test run against juju/ratelimit:
```
go test ./pkg/util/flowcontrol/ -v -run TestMultiThreadedBlocking
=== RUN TestMultiThreadedBlocking
2016-12-07 12:32:56.796077782 -0500 EST Waiting for 1000 (should block for ~9-10 seconds)
2016-12-07 12:32:58.799159059 -0500 EST Waiting for 1 (should wait until 1000 block is refilled)
2016-12-07 12:33:05.801076002 -0500 EST Got 1000
2016-12-07 12:33:05.807510387 -0500 EST Got 1 (should happen right after the wait for 1000 completes)
--- PASS: TestMultiThreadedBlocking (9.01s)
```
deployment_controller.go:299] Error syncing deployment
e2e-tests-kubectl-2l7xx/e2e-test-nginx-deployment:
Deployment.extensions "e2e-test-nginx-deployment" is invalid:
status.unavailableReplicas: Invalid value: -1:
must be greater than or equal to 0
The validation error above occurs usually when a Deployment is
scaled down. In such a case we should default unavailableReplicas
to 0 instead of making an invalid api call.
Automatic merge from submit-queue (batch tested with PRs 38181, 38128, 36711)
etcd2: have prefix always prepended
The prefix issue is discussed in #36290.
This is fixing etcd2 behavior separately.
**release note**:
```
etcd2: have prefix always prepended
```
Automatic merge from submit-queue
Enable OpenAPI spec validation
Spec validation was failing on Jenkins. I am enabling it in this PR to figure out if we can get it pass. No review is necessary until all test passes.
Automatic merge from submit-queue
Fix pods/log OpenAPI/Swagger spec to return string instead of v1.Pod
log operation is part of pod and had the assumption of returning a v1.Pod. First I added the support for an operation to be able to customize its return object then add the support to pods/log operation to return an string as an object sample.
Fixes#37881
Cc @kubernetes/sig-api-machinery
Automatic merge from submit-queue
add a configuration for kubelet to register as a node with taints
and deprecate --register-schedulable
ref #28687#29178
cc @dchen1107 @davidopp @roberthbailey
Automatic merge from submit-queue (batch tested with PRs 37032, 38119, 38186, 38200, 38139)
etcd2: remove unnecessary PrevValue in SetOption
ref: https://github.com/kubernetes/kubernetes/issues/37994
Summary:
- PrevValue is set in HTTP header, and large value (>1MB) could exceed check limit
- We don't need PrevValue indeed since we already use PrevIndex in SetOptions and each PrevIndex corresponds to each PrevValue.
I don't really think we need extra tests for this. There is already test for GuaranteedUpdate covering its use cases.
Automatic merge from submit-queue (batch tested with PRs 37032, 38119, 38186, 38200, 38139)
Remove genericapiserver.Options.MasterServiceNamespace
Deprecated and not used anymore.
Automatic merge from submit-queue (batch tested with PRs 37032, 38119, 38186, 38200, 38139)
Detect long-running requests from parsed request info
Follow up to https://github.com/kubernetes/kubernetes/pull/36064
Uses parsed request info to more tightly match verbs and subresources
Removes regex-based long-running request path matching (which is easily fooled)
```release-note
The --long-running-request-regexp flag to kube-apiserver is deprecated and will be removed in a future release. Long-running requests are now detected based on specific verbs (watch, proxy) or subresources (proxy, portforward, log, exec, attach).
```
Automatic merge from submit-queue
Add integration tests for desire state of world populator
Add integration tests for desire state of world populator
This adds tests for code introduced here :
https://github.com/kubernetes/kubernetes/issues/26994
Via integration test we can now verify that if pod delete
event is somehow missed by AttachDetach controller - it still
get cleaned up by Desired State of World populator.
Automatic merge from submit-queue (batch tested with PRs 38194, 37594, 38123, 37831, 37084)
remove unnecessary fields from genericapiserver config
Cleans up some unnecessary fields in the genericapiserver config.
Automatic merge from submit-queue (batch tested with PRs 38194, 37594, 38123, 37831, 37084)
Better compat with very old iptables (e.g. CentOS 6)
Fixes reported issue with CentOS6 iptables 1.4.7 (ancient)
Older iptables expanded things like 0x4000 into 0x00004000, which defeats the
fallback "check" logic.
Fixes#37416
Automatic merge from submit-queue (batch tested with PRs 36990, 37494, 38152, 37561, 38136)
join client CA bundles
Last commit grabs client CA bundles from disparate parts of the auth config and makes a pool that contains all of them.
I suspect a rebase broke this because of ordering. I'll keep these separate to make it easier for me to debug.
Automatic merge from submit-queue (batch tested with PRs 36990, 37494, 38152, 37561, 38136)
Never set hairpin mode on every interface
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**:
Abandon setting hairpin mode if finding the peer interface fails; simply return an error.
There are many reasons why finding the peer could fail - "`ethtool` not installed" is popular. Going ahead and changing the hairpin setting on every bridge-connected interface on the machine may have unwanted effects on other things installed on the machine (e.g. https://github.com/kubernetes/kops/issues/879)
**Which issue this PR fixes** : fixes#19766
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
Kubelet will no longer set hairpin mode on every interface on the machine when an error occurs in setting up hairpin for a specific interface.
```
/cc @thockin who appears to have requested this implementation at https://github.com/kubernetes/kubernetes/pull/13628#issuecomment-138128180
Check for error conditions from the vSphere API and return the err if one occurs. The vSphere API does not return an err for unauthenticated users, it just returns a nil user object.
this is a workaround for the unmount device issue caused by gci mounter. In GCI cluster, if gci mounter is used for mounting, the container started by mounter script will cause additional mounts created in the container. Since these mounts are irrelavant to the original mounts, they should be not considered when checking the mount references. By comparing the mount path prefix, those additional mounts can be filtered out.
Plan to work on better approach to solve this issue.
