If a bearer token is present in a request, the exec credential plugin should accept that as the chosen method of authentication. Judging by an [earlier comment in exec.go](c18bc7e9f7/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go (L217)), this was already intended. This would however not work since UpdateTransportConfig would set the GetCert callback which would then get called by the transport, triggering the exec plugin action even with a token present in the request. See linked issue for further details.
See #87369 for further details.
Signed-off-by: Anders Eknert <anders.eknert@bisnode.com>
While the umask was previously set for builds (and in fact `docker run`
sets it to 0022 by default), the release pipeline `cp`'s files (with
`-a`) which respect the user's umask, and is outside of the build path.
This sets the umask in a common function called by all build tools,
which Stephen agreed was the simplest and most complete fix. The
`verify-prereqs` function is already poorly named for what it does, and
this only makes it epsilon worse.
Some binaries now run as non-root (kube-scheduler). When umask is 0027,
for example, the container image we build has the binary 0750, which is
not executable by the non-root UID.
We have been having issues with making builds reproducible, especially
with the `.note.go.buildid` ELF section. One tip from a golang issue was
to set `-ldflags=-buildid=` which seems to work well. You can confirm
that the buildid is set to empty by inspecting the binaries with the go
command example `go tool buildid _output/local/go/bin/kubectl`
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
- On unstable arch like ARM, etcd needs the "ETCD_UNSUPPORTED_ARCH" to be set
`# etcd --version
etcd on unsupported platform without ETCD_UNSUPPORTED_ARCH=arm64 set`
- `tail -n +1 | head -n 1` is unnecessary, `head -n 1` is enough.
The image used by the Image Promoter (gcr.io/k8s-testimages/gcb-docker-gcloud:v20190906-745fed4)
is based on busybox, and thus, the sed binary is actually busybox. image-util.sh calls
kube::util::ensure-gnu-sed several times, which ensures that a GNU sed binary exists
(it checks by greping GNU in its --help output). Obviously, it won't match the busybox sed
binary. But the sed usage in image-util.sh is fairly simple, and the busybox sed is sufficient.
This was previously fixed in: #87188, but it was reverted by #87653 as it was failing
on Mac (sed does not exist). This commit fixes that issue as well.
In 24d105995d, a fix was made in bazel
based builds to ensure that we add `selinux` tag when we build all
binaries especially the `kubelet`. We need to do the same for in our
hack scripts so things like `make release` will work properly as well.
Some scripts use `GOFLAGS=-tags=providerless` for example, So we should
support the tags to be specified in GOFLAGS as well. We parse out the
tags from there and ensure selinux is added to the list of tags we used
for building the binaries. Note that we add our own `-tags` with the
full set of tags and since we specify our parameter at the end, ours
full list takes precendence
Prior to the Image Centralization part 4 (https://github.com/kubernetes/kubernetes/pull/81170),
a PR merged that enables the Image Promoter to run on the k/k test images.
The Image Promoter currently only builds the Conformance-related images, but the
Image Centralization part 4 centralized some of those images into agnhost, so they
need to be removed from the conformance_images list.
Additionally, https://github.com/kubernetes/kubernetes/pull/81226 proposes mounttest-user
image to be removed, and RunAsUser to be used in tests instead.
The image used by the Image Promoter (gcr.io/k8s-testimages/gcb-docker-gcloud:v20190906-745fed4)
is based on busybox, and thus, the sed binary is actually busybox. image-util.sh calls
kube::util::ensure-gnu-sed several times, which ensures that a GNU sed binary exists
(it checks by greping GNU in its --help output). Obviously, it won't match the busybox sed
binary. But the sed usage in image-util.sh is fairly simple, and the busybox sed is sufficient.
Bumps image versions for: jessie-dnsutils, nonewprivs, resource-consumer, sample-apiserver. These
images are included in the conformance_images that are being built by the Image Promoter, so
we're bumping them just to make sure we're not breaking anything and cause all the CIs to fall.
We're going to bump the image versions used in tests in a subsequent PR. The image version was not
bumped for: agnhost, kitten, nautilus, as they were already bumped by the Image Centralization part 4
PR.
"etcd -version" command output an additional line on ARM platform:
"running etcd on unsupported architecture "arm64" since
ETCD_UNSUPPORTED_ARCH is set"
Currently etcd version filtering code can not get correct version
number.
Signed-off-by: Howard Zhang <howard.zhang@arm.com>
When discovering the kube version we only consider tags that match the
glob 'v*'. By doing so users can create/use their custom tags as long as
they don't look like a version (starting with a 'v').
We already do a similar thing when building the pause container, see how
the `REV` is set in git.k8s.io/kubernetes/build/pause/Makefile.
When using hack/local-up-cluster.sh deploy local cluster, it
failed with following message "kube-proxy terminated unexpectedly"
and "Failed to retrieve node info: nodes "127.0.0.1" not found" in
kube-proxy.log.
The root reason for this error is miss boot order of kubernetes
services in local-up-cluster.sh, kube-proxy and kubectl daemon.
When starting kube-proxy, it would check node information. And
these information are collected by kubelet daemon. However, in
the shell script, kube-proxy service start before kubelet daemon.
This patch changed the boot order of kubelet daemon and kube-proxy
and check if node stats ready for kube-proxy start.
Signed-off-by: Howard Zhang <howard.zhang@arm.com>
Removed hack/lib/test.sh from /hack/shellcheck_failures
Removed and }s to satisfy shellcheck SC2004
Added double quotes to satisfy shellcheck SC2086
Converted array reference to access all elements to satisfy shellcheck SC2128
Updates to satisfy shellcheck SC2143
Updates to satisfy shellcheck SC2178 & SC2124
Updates to satisfy shellcheck SC2128
Updates to satisfy shellcheck SC2207
Remove double quotes to allow expansion. Fixed piping to grep -q
Removed quotes to allow for expansion on flags
Adds a go app which runs the e2e tests with ginkgo.
- Supports all the existing env vars of the bash script
- Improved flow control to avoid and better report issues
regarding the process PID
- Adds flags for modifying where to find the test binary and
ginkgo binary so that you can run it locally
- Adds 3 flags for specifying extra args before the double-dash,
extra args after the double-dash, and the seperator to use between
values in those env vars. This allows setting arbitrary, complex
values for use on the command such as flags which include spaces
or other characters.
when compile kubectl on platform other than
linux/amd64, we need to check the KUBE_SERVER_PLATFORMS
array emptiness before assign it.
the example command is:
make WHAT=cmd/kubectl KUBE_BUILD_PLATFORMS="darwin/amd64 windows/amd64"
Prior to this change, including windows/amd64 in KUBE_BUILD_PLATFORMS
would, for example, attempt to build the server binaries/tars/images for
Windows, which is not supported. This can break downstream build steps.
Recent change to hack/lib/golang.sh broke the build on MacOS this way:
$ make clean && make generated_files
+++ [0325 13:38:22] Verifying Prerequisites....
+++ [0325 13:38:23] Removing _output directory
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [0325 13:38:40] Building go targets for darwin/amd64:
./vendor/k8s.io/code-generator/cmd/deepcopy-gen
can't load package: package k8s.io/kubernetes: no Go files in k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes
!!! [0325 13:38:40] Call tree:
!!! [0325 13:38:40] 1: k8s.io/kubernetes/hack/lib/golang.sh:629 kube::golang::build_some_binaries(...)
!!! [0325 13:38:40] 2: k8s.io/kubernetes/hack/lib/golang.sh:764 kube::golang::build_binaries_for_platform(...)
!!! [0325 13:38:40] 3: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
make[1]: *** [_output/bin/deepcopy-gen] Error 1
make: *** [generated_files] Error 2
It was caused by 'binaries' array not being declared with 'local -a'.
It looks like MacOS' old bash version makes an array to contain first
empty element if declared this way.
The fix has been tested on MacOS High Sierra and Linux openSUSE 42.3 (x86_64)
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
Test script:
#!/bin/bash
rev1="foo"
rev2="\"bar\""
rev3="'bar'"
newrev1="${rev1//[\'\"]}"
newrev2="${rev2//[\'\"]}"
newrev3="${rev3//[\'\"]}"
oldrev1=$(echo "${rev1}" | sed "s/['\"]//g")
oldrev2=$(echo "${rev2}" | sed "s/['\"]//g")
oldrev3=$(echo "${rev3}" | sed "s/['\"]//g")
echo "$newrev1 vs. $oldrev1"
echo "$newrev2 vs. $oldrev2"
echo "$newrev3 vs. $oldrev3"
expected output:
foo vs. foo
bar vs. bar
bar vs. bar
