Sascha Grunert
58923c9f1a
Default to sandbox Seccomp field instead of SeccompProfilePath
...
The seccomp field is the new default since a couple of releases, which means
we can stop using `SeccompProfilePath`.
Follow-up on https://github.com/kubernetes/kubernetes/pull/96281
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2023-02-20 12:16:32 +01:00
Kubernetes Prow Robot
2ef00038d3
Merge pull request #112961 from marosset/windows-hostnetwork-alpha
...
Windows hostnetwork alpha
2022-11-07 12:42:16 -08:00
David Ashpole
64af1adace
Second attempt: Plumb context to Kubelet CRI calls (#113591)
...
* plumb context from CRI calls through kubelet
* clean up extra timeouts
* try fixing incorrectly cancelled context
2022-11-05 06:02:13 -07:00
Mark Rossetti
f4305db4ee
populate namespace options in runtimeapi.WindowsSandboxSecurityContext + unit tests
...
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
2022-11-04 09:29:39 -07:00
Antonio Ojea
9c2b333925
Revert "plumb context from CRI calls through kubelet"
...
This reverts commit f43b4f1b95.
2022-11-02 13:37:23 +00:00
Kubernetes Prow Robot
9bbd0fbdb2
Merge pull request #113476 from marosset/hpc-to-stable
...
Promoting WindowsHostProcessContainers to stable
2022-11-01 19:59:43 -07:00
Mark Rossetti
498d065cc5
Promoting WindowsHostProcessContainers to stable
...
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
2022-11-01 14:06:25 -07:00
David Ashpole
f43b4f1b95
plumb context from CRI calls through kubelet
2022-10-28 02:55:28 +00:00
Giuseppe Scrivano
67b38ffe6e
kubelet: propagate errors from namespacesForPod
...
it is a preparatory change for the next commit.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-08-03 19:53:22 +02:00
Deep Debroy
dfdf8245bb
Introduce PodHasNetwork condition for pods
...
Signed-off-by: Deep Debroy <ddebroy@gmail.com>
2022-08-01 09:51:43 -07:00
Mark Rossetti
0c6088861b
Fixing issue in generatePodSandboxWindowsConfig for hostProcess containers by
...
where pod sandbox won't have HostProcess bit set if pod does not have a
security context but containers specify HostProcess.
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
2022-06-02 12:10:10 -07:00
Sascha Grunert
de37b9d293
Make CRI v1 the default and allow a fallback to v1alpha2
...
This patch makes the CRI `v1` API the new project-wide default version.
To allow backwards compatibility, a fallback to `v1alpha2` has been added
as well. This fallback can either used by automatically determined by
the kubelet.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-11-17 11:05:05 -08:00
Eric Ernst
2c0fad1f52
kuberuntime: populate sandbox resources, overhead
...
Populate Resources and Overhead fields, which are now part of
LinuxPodSandboxConfig.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-10-20 11:30:23 -07:00
Antonio Ojea
0cd75e8fec
run hack/update-netparse-cve.sh
2021-08-20 10:42:09 +02:00
marosset
fd94032b21
Kubelet updates for Windows HostProcess Containers
2021-05-19 16:24:14 -07:00
Krzysztof Gibuła
629d5ab213
Migrate pkg/kubelet/kuberuntime to structured logging
2021-03-17 01:53:44 +01:00
pacoxu
3de4dd841f
remove featuregate for sysctl
...
Co-authored-by: Skyler Clark <wgahnagl@protonmail.com>
2021-02-22 16:51:43 -05:00
Sergey Kanzhelev
4c9e96c238
Revert "Merge pull request #92817 from kmala/kubelet"
...
This reverts commit 88512be213, reversing
changes made to c3b888f647.
2021-01-12 22:27:22 +00:00
Sergey Kanzhelev
06da0e5e74
GA of RuntimeClass feature gate and API
2020-11-11 19:22:32 +00:00
Mrunal Patel
32b9ac7d0c
kubelet: Use CRI SecurityProfile for Seccomp
...
We set both the old and the new fields for now and will
remove the old field in the next release.
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2020-11-05 15:43:29 -08:00
Kubernetes Prow Robot
f5a42d69c9
Merge pull request #93475 from ravisantoshgudimetla/fix-kubelet-scc
...
Strip unnecessary security contexts on Windows
2020-09-10 18:14:14 -07:00
ravisantoshgudimetla
cd8686bc57
Strip unnecessary security contexts on Windows
...
As of now, the kubelet is passing the security context to container runtime even
if the security context has invalid options for a particular OS. As a result,
the pod fails to come up on the node. This error is particularly pronounced on
the Windows nodes where kubelet is allowing Linux specific options like SELinux,
RunAsUser etc whereas in [documentation](https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-container),
we clearly state they are not supported. This PR ensures that the kubelet strips
the security contexts of the pod, if they don't make sense on the Windows OS.
2020-08-03 23:43:31 -04:00
Keerthan Reddy,Mala
851d778531
address review comments
2020-07-22 11:54:58 -07:00
Keerthan Reddy,Mala
90cc954eed
add sandbox deletor to delete sandboxes on pod delete event
2020-07-22 11:54:58 -07:00
Paulo Gomes
b451563560
Add seccomp least privilege for kuberuntime
2020-07-08 22:03:29 +01:00
Paulo Gomes
8976e3620f
Add seccomp enforcement and validation based on new GA fields
...
Adds seccomp validation.
This ensures that field and annotation values must match when present.
Co-authored-by: Sascha Grunert <sgrunert@suse.com>
2020-07-06 09:13:25 +01:00
Javier Diaz-Montes
9743cda4a7
Adding Kubelet changes to enable SetHostnameAsFQDN feature
...
These changes allow to set FQDN as hostname of pods for pods
that set the new PodSpec field setHostnameAsFQDN to true. The PodSpec
new field was added in related PR.
This is PART2 (last) of the changes to enable KEP #1797 and addresses #91036
2020-06-14 21:26:27 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Khaled Henidak(Kal)
dba434c4ba
kubenet for ipv6 dualstack
2019-07-02 22:26:25 +00:00
Davanum Srinivas
33081c1f07
New staging repository for cri-api
...
Change-Id: I2160b0b0ec4b9870a2d4452b428e395bbe12afbb
2019-03-26 18:21:04 -04:00
Lantao Liu
0ac651bfc3
Include pod logs in the pod ephemeral storage.
...
Signed-off-by: Lantao Liu <lantaol@google.com>
2019-03-08 16:42:14 -08:00
Lantao Liu
f14c6c95d6
New pod log directory /var/log/pods/NAMESPACE_NAME_UID.
...
Signed-off-by: Lantao Liu <lantaol@google.com>
2019-03-08 16:42:14 -08:00
Tim Allclair
e27f7ef151
Surface selected pod RuntimeHandler in Kubelet logs
2018-12-17 16:36:47 -08:00
Davanum Srinivas
954996e231
Move from glog to klog
...
- Move from the old github.com/golang/glog to k8s.io/klog
- klog has explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
  change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-10 07:50:31 -05:00
Yu-Ju Hong
a1f7ae7ab3
kubelet: skip initializing/using the RuntimeClass in standalone mode
...
In standalone mode, kubelet will not be configured to talk to an
apiserver. The RuntimeClass manager should be disabled in this case.
2018-09-11 13:21:53 -07:00
Tim Allclair
63f3bc1b7e
Implement RuntimeClass support for the Kubelet & CRI
2018-09-04 13:45:11 -07:00
Lantao Liu
3193a4a469
Fix RunAsGroup.
2018-07-06 15:42:26 -07:00
Seth Jennings
6729add11c
sysctls: create feature gate to track promotion
2018-06-06 00:23:11 +02:00
Jan Chaloupka
ab616a88b9
Promote sysctl annotations to API fields
2018-06-05 23:17:00 +02:00
Lee Verberne
e10042d22f
Increment CRI version from v1alpha1 to v1alpha2
...
This also incorporates the version string into the package name so
that incompatible versions will fail to connect.
Arbitrary choices:
- The proto3 package name is runtime.v1alpha2. The proto compiler
  normally translates this to a go package of "runtime_v1alpha2", but
  I renamed it to "v1alpha2" for consistency with existing packages.
- kubelet/apis/cri is used as "internalapi". I left it alone and put the
  public "runtimeapi" in kubelet/apis/cri/runtime.
2018-02-07 09:06:26 +01:00
Lee Verberne
0f1de41790
Update kubelet for enumerated CRI namespaces
...
This adds support to both the Generic Runtime Manager and the
dockershim for the CRI's enumerated namespaces.
2018-02-07 09:06:26 +01:00
Zihong Zheng
386d1b61bd
Consolidate DNS codes in kubelet pkg
2017-11-16 21:07:24 -08:00
Shawn Hsiao
5cba1f47c3
Support copying options in resolv.conf into pod sandbox when dnsPolicy is Default
2017-11-07 07:54:52 -05:00
Pengfei Ni
f3150c9c8c
Support seccomp profile from container's security context
2017-08-13 15:42:15 +08:00
Chao Xu
60604f8818
run hack/update-all
2017-06-22 11:31:03 -07:00
Chao Xu
f4989a45a5
run root-rewrite-v1-..., compile
2017-06-22 10:25:57 -07:00
Pengfei Ni
22e99504d7
Update CRI references
2017-06-09 10:16:40 +08:00
Pengfei Ni
8bc6e59278
kuberuntime: set sysctls for sandbox config
2017-05-15 12:52:38 +08:00
Michael Taufen
cbad320205
Reorganize kubelet tree so apis can be independently versioned
2017-05-12 10:02:33 -07:00
Jamie Hannaford
9440a68744
Use dedicated Unix User and Group ID types
2017-05-05 14:07:38 +02:00