Use GetCurrentProcessToken() instead of checking the groups of a user.
The Go stdlib way of fetching the groups of an user appears
to be failing on some Windows setups. Which could be a regression
in later Go versions, or simply the code does not work on certain
setups.
Instead of erroring during the preflight check 'CreateJob'
from "upgrade" commands when there are no schedulable nodes,
show a warning.
This can happen in single node clusters.
Also increase the Job TTL after completion to 20 seconds
to make sure it's more than the timeout what waits
for the Job to complete.
During upgrade apply we had logic to download the kubelet and
kubeproxy configs from the cluster as part of the call to:
FetchInitConfigurationFromCluster()
With the introduction of UpgradeConfiguration there was
some refactor in this area and the function no longer
had the argument skipComponentConfigs set to false.
It is set to 'true', an InitConfiguration is downloaded
but it would contain empty / defaulted component configs.
- Set the argument to 'false'
- Perform minor cleanup of STDOUT messages and comments.
that were missed in 1.30.
- Mark the phase 'init kubelet-finilize experimental-cert-rotation'
as deprecated and print a warning if its used directly. It should be
removed in 1.32.
- Add a replacement phase 'enable-client-cert-rotation'.
(!!) We should stop using the 'experimental' and 'alpha' names for
phases, clI flags and k8s object names as this complicates
the graduation and users will use the feature in production regardless.
Having a 'DEPRECATED' or 'EXPERIMENTAL' text in descriptions is
sufficient to indicate a status of a feature that should not be used
in production.
The function KubernetesReleaseVersion is being called in
a number of locations during unit tests but by default it
uses a "fetch version from URL" approach.
- Update the function to return a placeholder version
during unit tests.
- Update unit tests for this function.
- Update strings / comments in other version_tests.go
locations.
The improvement is significant:
time go test k8s.io/kubernetes/cmd/kubeadm/app/... -count=1
before:
real 2m47.733s
after:
real 0m10.234s
According to kubeadm repo ticket 1665, /etc/pki
can contain subdirectories with private keys on some distros.
Avoid mounting the entire /etc/pki and mount /etc/pki/ca-trust
and /etc/pki/tls/certs instead. These directories are mounted
as an extra locations which can be used to search
for additional system CAs.
Currently, there are some unit tests that are failing on
Windows due to various reasons:
- time.Now() is not as precise on Windows, which means that
2 consecutive calls may return the same timestamp.
- Different "File not found" error messages on Windows.
- The default Container Runtime URL scheme on Windows is npipe, not unix.
StaticPodMirroringTimeout and StaticPodMirroringRetryInterval
are use for just an API call to get Pods(). The already existing
constants.KubernetesAPICallRetryInterval
and kubeadmapi.GetActiveTimeouts().KubernetesAPICall.Duration
can be used for that instead.
Follow the same process of adding the Timeouts struct
to UpgradeConfiguration similarly to how it was done for
other API Kinds.
In the Timeouts struct include one new timeout:
- UpgradeManifests
When the flag is defaulted before writing the apiserver manifest,
the input "cfg" object should not be mutated.
If the "cfg" is mutated, the upload ClusterConfiguration
to the cluster will include the defaulting, which is not
needed.
