Commit Graph

5889 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
fc41bc6ec6 Merge pull request #39091 from deads2k/api-54-move-authn
Automatic merge from submit-queue

remove unneeded authenticator dependencies from genericapiserver

Refactors the authenticator options to remove unneeded dependencies.

@sttts
2016-12-22 06:48:24 -08:00
Kubernetes Submit Queue
8e7154502a Merge pull request #39094 from deads2k/rbac-32-finish-e2es
Automatic merge from submit-queue (batch tested with PRs 39146, 39094)

cleanup last e2e authorization failures

Builds on https://github.com/kubernetes/kubernetes/pull/39080. This adds rbac role bindings during e2e tests for tests that use SA permissions to loopback to the API server.

Assigned to me until it's ready.
2016-12-22 05:30:19 -08:00
deads2k
ab1b77673f decouple genericapiserver from non-generic authenticator 2016-12-22 07:48:08 -05:00
Random-Liu
a719a7d7e7 Do not use sudo when untar node e2e tar ball. 2016-12-21 16:28:33 -08:00
deads2k
d9a4cfc09f fix e2e tests which use SAs for permissions 2016-12-21 16:25:32 -05:00
Kubernetes Submit Queue
1955ed614f Merge pull request #39074 from Random-Liu/node-e2e-set-user
Automatic merge from submit-queue

Node E2E: Set user with `--ssh-user` flag when running remote node e2e.

This PR unblocks https://github.com/kubernetes/test-infra/issues/1348.

In our test environment, we must log in to the test instance as user `jenkins` because of the service account. Node e2e always uses the default user on the host, which has worked fine until now, because it is always run as `jenkins` in our test environment.

However, now we moved the test runner into a docker container; inside the container the user is `root` by default, which will cause the error:
```
Permission denied (publickey)
```

This PR added a flag `--ssh-user` to explicitly specify the user used to ssh into test instance. The dockerized test runner can set user to `jenkins` with this flag.

@krzyzacy  @ixdy
2016-12-21 11:21:09 -08:00
Shyam Jeedigunta
ac30fb28bd Fixing 'systemd restart docker' command in kubemark master 2016-12-21 11:46:33 +01:00
Random-Liu
10f72be5af Support set user with --ssh-user flag when running remote node e2e. 2016-12-21 01:54:02 -08:00
Kubernetes Submit Queue
733faf5280 Merge pull request #35943 from jianhuiz/federation-apiserver-batch-job
Automatic merge from submit-queue

register batch/jobs to federation-apiserver

register batch/jobs api objects to federation-apiserver

**Release note**:
```release-note
Federation: Add `batch/jobs` API objects to federation-apiserver
```

@quinton-hoole @nikhiljindal @deepak-vij 
#34261
2016-12-21 01:44:50 -08:00
Kubernetes Submit Queue
f9707a7d9b Merge pull request #38886 from shyamjvs/node-problem-detector-kubemark
Automatic merge from submit-queue

Added 'hollow'-node-problem-detector to hollow-nodes in kubemark

Added node-problem-detector container in kubemark hollow-nodes, which takes in a 'hollow' (having an empty list of rules and conditions) kernel monitor config.

cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
2016-12-21 00:27:25 -08:00
Kubernetes Submit Queue
c3aac2b938 Merge pull request #38968 from liggitt/anonymous-abac
Automatic merge from submit-queue (batch tested with PRs 36751, 38968)

Convert * users/groups to system:authenticated group in ABAC

Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.

This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.

Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992

```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
2016-12-20 23:31:43 -08:00
jianhuiz
196d663b40 register batch/jobs to federated-apiserver 2016-12-20 18:03:20 -08:00
rkouj
d405d041e3 Add e2e test to detach a pd whose node api object was deleted 2016-12-20 12:23:56 -08:00
Shyam Jeedigunta
7e12fd4bfd Added 'hollow'-node-problem-detector to hollow-nodes in kubemark 2016-12-20 12:04:24 +01:00
Kubernetes Submit Queue
8e888a7671 Merge pull request #38616 from shyamjvs/kubemark-gci-master
Automatic merge from submit-queue

Moved kubemark master from Debian to GCI

This PR fixes issue #37484
Kubemark master now runs on GCI instead of Debian, taking it one step closer to a real cluster master.
Primary changes:
1. changing master VM image/OS in kubemark's config-default.sh to debian
2. moving kubelet to systemd from supervisord
3. changing directory for cert/key/csv files from /srv/kubernetes to /etc/srv/kubernetes

cc @kubernetes/sig-scalability-misc  @wojtek-t @gmarek
2016-12-20 00:36:21 -08:00
Kubernetes Submit Queue
b3e57253cc Merge pull request #36009 from rkouj/GCE-PD-test
Automatic merge from submit-queue

Add test to detach a pd whose node was deleted

**What this PR does / why we need it**:
A test for the following issue:
If a node with a GCE PD attached is deleted (before the volume is detached), subsequent attempts by the attach/detach controller to detach it should not fail.

**Bonus**: Added additional code to ensure that the pd can still be attached to a different node.
Edit: Removed it as it was making the test much slower.

https://github.com/kubernetes/kubernetes/issues/29358
2016-12-19 20:24:02 -08:00
Kubernetes Submit Queue
db5887aa83 Merge pull request #38891 from krousey/gceimageupgrade
Automatic merge from submit-queue (batch tested with PRs 38426, 38917, 38891, 38935)

Support different image during GCE node upgrade

**What this PR does / why we need it**: It lets GCE upgrade tests upgrade to a GCI node image.

**Which issue this PR fixes**: fixes #37855
2016-12-19 18:18:25 -08:00
Rajat Ramesh Koujalagi
f67b4950c0 Add test to detach a pd whose node was deleted 2016-12-19 14:57:28 -08:00
Kris
3b5bf39cfa Support different image during GCE node upgrade 2016-12-19 13:18:50 -08:00
Jordan Liggitt
742ef34484 Convert user/group * to match authenticated users only in ABAC 2016-12-19 13:41:35 -05:00
Kubernetes Submit Queue
ce67a03b81 Merge pull request #38958 from jszczepkowski/ha-validation-fix
Automatic merge from submit-queue (batch tested with PRs 38942, 38958)

Added MULTIZONE flag to e2e remove master script.

Added MULTIZONE flag to e2e remove master script. The script is used by HA tests which set-up multizone cluster.
2016-12-19 08:45:45 -08:00
Kubernetes Submit Queue
a366ca3732 Merge pull request #33837 from jsafrane/e2e-configmap
Automatic merge from submit-queue (batch tested with PRs 34353, 33837, 38878)

Add e2e test for configmap volume

There are two patches:
- refactor e2e volume tests to allow multiple volumes mounted into single pod
- add a test for ConfigMap volume mounted twice to test #28502
2016-12-19 06:42:58 -08:00
Kubernetes Submit Queue
377ad165a1 Merge pull request #34353 from copejon/gce-persistentvolume-testing
Automatic merge from submit-queue (batch tested with PRs 34353, 33837, 38878)

Gce persistentvolume testing

Add E2E PersistentVolume test for a GCE environment.  Tests that deleting a PV or PVC before the referencing pod does not fail on unmount and detach during pod deletion.
cc @jeffvance
2016-12-19 06:42:56 -08:00
Jerzy Szczepkowski
0c669fe6cc Added MULTIZONE flag to e2e remove master script.
Added MULTIZONE flag to e2e remove master script.
The script is used by HA tests which set-up multizone clusters.
2016-12-19 14:37:42 +01:00
Shyam Jeedigunta
9051462497 Migrated kubemark master to GCI from Debian. 2016-12-19 13:51:56 +01:00
Jan Safranek
396e2bc581 Add configmap test 2016-12-19 10:33:38 +01:00
Jan Safranek
2970761cf1 Multiple volumes for e2e tests
Allow mounting of multiple volumes in volume e2e tests.
2016-12-19 10:33:38 +01:00
Kubernetes Submit Queue
5b2823adb9 Merge pull request #38191 from sttts/sttts-move-master-options
Automatic merge from submit-queue

Move non-generic apiserver code out of the generic packages
2016-12-17 01:25:45 -08:00
Kubernetes Submit Queue
6c9a4139f3 Merge pull request #38614 from soltysh/remove_ext_jobs
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)

Remove extensions/v1beta1 Job

Fixes https://github.com/kubernetes/kubernetes/issues/32763. This endpoint was deprecated in 1.5 and was planned to be removed in 1.6. 

**Release note**:
```release-note
Remove extensions/v1beta1 Jobs resource, and job/v1beta1 generator.
```
2016-12-16 18:55:37 -08:00
Kubernetes Submit Queue
ff3d4a55b0 Merge pull request #36546 from MrHohn/e2e-firewall
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)

Adds e2e firewall tests for LoadBalancer service, ingress, and e2e cluster

Fixes #25488 and fixes #31827.

This PR adds e2e firewall test for LoadBalancer type service, ingress and e2e cluster.

Test details for LoadBalancer type service as below:
- Verifies corresponding firewall rule has correct `sourceRanges`, `ports and protocols` and `target tags`.
- Verifies requests can reach all expected instances.
- Verifies requests can not reach instances that are not included.

Overview of the test procedure:
- Creates a LoadBalancer type service.
- Validates the corresponding firewall rule.
- Creates netexec pods as service backends.
- Sends requests from outside of the cluster and examines hitting all instances in range.
- Removes tags from one of the instances in order to get it out of firewall rule's range.
- Sends requests from outside of the cluster and examines not hitting this instance.
- Recovers tags for this instance and verifies its traffic is back.

@bprashanth @bowei @thockin
2016-12-16 18:55:30 -08:00
Matt Liggett
69cd805532 Merge pull request #38804 from Random-Liu/disable-au
Node E2E: Disable AU in node e2e test.
2016-12-16 15:32:23 -08:00
Maciej Szulik
4188bb71d3 Update test_owners.csv 2016-12-17 00:10:38 +01:00
Maciej Szulik
cdec94523e Remove extensions/v1beta1 Job - generated changes 2016-12-17 00:07:25 +01:00
Maciej Szulik
9f064c57ce Remove extensions/v1beta1 Job 2016-12-17 00:07:24 +01:00
Zihong Zheng
b43e2134a2 Adds e2e firewall tests.
For LoadBalancer type service:
- Verifies corresponding firewall rule has correct sourceRanges, ports
  & protocols, target tags.
- Verifies requests can reach all expected instances.
- Verifies requests can not reach instances that are not included.

For Ingress resource:
- Verifies the ingress firewall rule has correct sourceRanges, target
  tags and tcp ports.

For general e2e cluster:
- Verifies all required firewall rules have correct sourceRange, ports
  & protocols, source tags and target tags.
- Verifies well-known ports on master and nodes are not
  exposed externally
2016-12-16 14:31:30 -08:00
Kubernetes Submit Queue
9010d27108 Merge pull request #38900 from bprashanth/ing_feat
Automatic merge from submit-queue

Remove a space in ingress e2e title
2016-12-16 14:15:59 -08:00
bprashanth
bfdf1855c7 Remove a space in ingress e2e title 2016-12-16 12:42:18 -08:00
David Ashpole
5d352439d4 test no longer fails when it fails to get the summary 2016-12-16 11:50:43 -08:00
Kubernetes Submit Queue
84d0fbdb2e Merge pull request #38643 from bprashanth/ing_avoid_nodeport
Automatic merge from submit-queue

Don't check nodeport for nginx ingress

Services behind a standard nginx ingress don't need nodeport, so don't check that.
2016-12-16 10:46:56 -08:00
Jon Cope
e095e1120b Add GCE PD persistent volume test: Check that deleting a PV or PVC prior to deleting the client pod does not cause the pod to fail during its deletion.
Extracted delete operations into functions

wait on pv/pvc bind

removed redundant verification, minor refactors

GCEPD: fixed typo

name verifyDiskAttached to verifyGCEDiskAttached

fix empty log msg

Updated test owners

removed unnecessary api calls

Check for apierr IsNotFound for pod,pv,pvc but ignore result

Disable dynamic provisioning in test PVCs

gofmt'd
2016-12-16 12:07:25 -06:00
Dr. Stefan Schimanski
423db16bd2 Fix federation unit tests as non-root 2016-12-16 17:49:23 +01:00
Robert Rati
11c577f092 [scheduling] Auto-generated file updates from moving node affinity from
annotations to api fields. #35518
2016-12-16 11:42:43 -05:00
Robert Rati
91931c138e [scheduling] Moved node affinity from annotations to api fields. #35518 2016-12-16 11:42:43 -05:00
Dr. Stefan Schimanski
7267299c3c genericapiserver: move MasterCount and service options into master 2016-12-16 17:23:43 +01:00
Kubernetes Submit Queue
5b240ca897 Merge pull request #36748 from kargakis/remove-events-from-deployment-tests
Automatic merge from submit-queue

Fix Recreate for Deployments and stop using events in e2e tests

Fixes https://github.com/kubernetes/kubernetes/issues/36453 by removing events from the deployment tests. The test about events during a Rolling deployment is redundant so I just removed it (we already have another test specifically for Rolling deployments).

Closes https://github.com/kubernetes/kubernetes/issues/32567 (preferred to use pod LISTs instead of a new status API field for replica sets that would add many more writes to replica sets).

@kubernetes/deployment
2016-12-16 03:57:02 -08:00
Kubernetes Submit Queue
cf2dc3968b Merge pull request #38750 from shashidharatd/federation-ci
Automatic merge from submit-queue (batch tested with PRs 38830, 38750)

[Federation] Stop cleaning federation namespace in e2e tests

When the --clean-start=true flag is provided to e2e tests, it would clean up all the leftover namespaces except `default` and `kube-system`, and because of this, when we run e2e tests in the federation soak test job, the federation control plane is destroyed before it runs the tests and all tests start to fail.

So adding federation-system to the list of namespaces to be left intact, and also changed the default federation namespace name from `federation` to `federation-system` to be consistent with the newer method of deploying federation using kubefed.

@madhusudancs  @nikhiljindal
2016-12-16 02:16:17 -08:00
Kubernetes Submit Queue
2a619d543f Merge pull request #38830 from krousey/e2eutil
Automatic merge from submit-queue (batch tested with PRs 38830, 38750)

Remove the ReadyReplica version guard

**What this PR does / why we need it**: Removes outlived version guards.

**Which issue this PR fixes**: fixes #37310
2016-12-16 02:16:16 -08:00
shashidharatd
b58216e333 Stop cleaning federation namespace in e2e tests 2016-12-16 14:21:40 +05:30
Madhusudan.C.S
5a7644c502 [Federation][init-11] Switch federation e2e tests to use the new federation control plane bootstrap via the kubefed init command. 2016-12-16 11:22:44 +05:30
Kubernetes Submit Queue
5ec2fb0bcc Merge pull request #38845 from Random-Liu/fix-node-conformance-report-prefix
Automatic merge from submit-queue

Node Conformance Test: Fix report prefix for node conformance test.

The node conformance CI is running now.

The only problem is that junit files overwrite each other because of the lack of junit prefix. http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-node-kubelet-conformance/42/artifacts/

This PR fixes this. I've verified in my environment, it works well.

@timstclair
2016-12-15 18:45:03 -08:00