Commit Graph

3105 Commits

Author SHA1 Message Date
Klaus Ma
c9a46a0806 Deprecated binding object in 1.7. 2017-06-08 10:13:55 +08:00
Kubernetes Submit Queue
6ed4bc7b97 Merge pull request #46828 from cblecker/links-update
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)

Update docs/ links to point to main site

**What this PR does / why we need it**:
This updates various links to either point to kubernetes.io or to the kubernetes/community repo instead of the legacy docs/ tree in k/k
Pre-requisite for #46813

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

@kubernetes/sig-docs-maintainers @chenopis @ahmetb @thockin
2017-06-06 11:43:18 -07:00
Kubernetes Submit Queue
8da89aeb00 Merge pull request #46112 from sttts/sttts-unversioned-to-meta
Automatic merge from submit-queue

apimachinery: move unversioned registration to metav1

Follow-up from the discussions in https://github.com/kubernetes/kubernetes/pull/43027:

We need `Status` as unversioned type which is hardcoded to `GroupVersion{Group: "", Version: "v1"}`. If the core group is not in the scheme, we miss `Status`.

Fixing https://github.com/kubernetes/kubernetes/issues/47030.
2017-06-06 03:13:01 -07:00
Christoph Blecker
1bdc7a29ae
Update docs/ URLs to point to proper locations 2017-06-05 22:13:54 -07:00
Jing Xu
0b13aee0c0 Add EmptyDir Volume and local storage for container overlay Isolation
This PR adds two features:
1. add support for isolating the emptyDir volume use. If user
sets a size limit for emptyDir volume, kubelet's eviction manager
monitors its usage
and evict the pod if the usage exceeds the limit.
2. add support for isolating the local storage for container overlay. If
the container's overly usage exceeds the limit defined in container
spec, eviction manager will evict the pod.
2017-06-05 12:05:48 -07:00
Kubernetes Submit Queue
09702160b0 Merge pull request #46264 from Q-Lee/annotate
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)

Add annotation for image policy webhook fail open.

**What this PR does / why we need it**: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.

**Release note**: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.

```release-note
Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open.
```
2017-06-03 21:16:43 -07:00
Kubernetes Submit Queue
dbd1503b65 Merge pull request #45924 from janetkuo/daemonset-history
Automatic merge from submit-queue

Implement Daemonset history

~Depends on #45867 (the 1st commit, ignore it when reviewing)~ (already merged)

Ref https://github.com/kubernetes/community/pull/527/ and https://github.com/kubernetes/community/pull/594

@kubernetes/sig-apps-api-reviews @kubernetes/sig-apps-pr-reviews @erictune @kow3ns @lukaszo @kargakis 

---

TODOs:
- [x] API changes
  - [x] (maybe) Remove rollback subresource if we decide to do client-side rollback 
- [x] deployment controller 
  - [x] controller revision
    - [x] owner ref (claim & adoption)
    - [x] history reconstruct (put revision number, hash collision avoidance)
    - [x] de-dup history and relabel pods
    - [x] compare ds template with history 
  - [x] hash labels (put it in controller revision, pods, and maybe deployment)
  - [x] clean up old history 
  - [x] Rename status.uniquifier when we reach consensus in #44774 
- [x] e2e tests 
- [x] unit tests 
  - [x] daemoncontroller_test.go 
  - [x] update_test.go 
  - [x] ~(maybe) storage_test.go // if we do server side rollback~

kubectl part is in #46144

--- 

**Release note**:

```release-note
```
2017-06-03 16:52:38 -07:00
Tim Hockin
be987b015c Merge pull request #46716 from thockin/proxy-comments
Kube-proxy cleanups
2017-06-03 15:57:17 -07:00
Janet Kuo
8275e8f017 Update DaemonSet API for rollback and history
1. Add revisionHistoryLimit (default 10), collisionCount, and validation code
2. Add daemonset-controller-hash label, and deprecate templateGeneration
2017-06-03 00:43:17 -07:00
Kubernetes Submit Queue
e837c3bbc2 Merge pull request #46388 from lavalamp/whitlockjc-generic-webhook-admission
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)

Dynamic webhook admission control plugin

Unit tests pass.

Needs plumbing:
* [ ] service resolver (depends on @wfender PR)
* [x] client cert (depends on ????)
* [ ] hook source (depends on @caesarxuchao PR)

Also at least one thing will need to be renamed after Chao's PR merges.

```release-note
Allow remote admission controllers to be dynamically added and removed by administrators.  External admission controllers make an HTTP POST containing details of the requested action which the service can approve or reject.
```
2017-06-02 23:37:42 -07:00
Kubernetes Submit Queue
348bf1e032 Merge pull request #46627 from deads2k/api-12-labels
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)

move labels to components which own the APIs

During the apimachinery split in 1.6, we accidentally moved several label APIs into apimachinery.  They don't belong there, since the individual APIs are not general machinery concerns, but instead are the concern of particular components: most commonly the kubelet.  This pull moves the labels into their owning components and out of API machinery.

@kubernetes/sig-api-machinery-misc @kubernetes/api-reviewers @kubernetes/api-approvers 
@derekwaynecarr  since most of these are related to the kubelet
2017-06-02 23:37:38 -07:00
Kubernetes Submit Queue
c97c353a71 Merge pull request #46500 from tnozicka/fix-standard-finalizers
Automatic merge from submit-queue (batch tested with PRs 46648, 46500, 46238, 46668, 46557)

Fix standardFinalizers - add missing metav1.FinalizerDeleteDependents

**What this PR does / why we need it**:
It adds [FinalizerDeleteDependents](58167fcfa1/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go (L77)) to [standardFinalizers](58167fcfa1/pkg/api/helper/helpers.go (L222)) otherwise this finalizer is unusable because apiserver will fail validation because it is not fully qualified name - but it is a standard Kubernetes finalizer [used by garbage collector](58167fcfa1/pkg/controller/garbagecollector/garbagecollector.go (L389)) but it can't be set.

It's sibling [FinalizerOrphanDependents](58167fcfa1/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go (L76)) is already [there](58167fcfa1/pkg/api/helper/helpers.go (L224)). I suppose this is a bug because otherwise `FinalizerDeleteDependents` is unusable.

Fixes https://github.com/openshift/origin/pull/14322
Might fix https://github.com/kubernetes/kubernetes/pull/45764

**Not for the reviewer:**
[This same definition is also in staging.](58167fcfa1/staging/src/k8s.io/client-go/pkg/api/helper/helpers.go (L222)) Does it get propagated to staging automatically? Editing the same file twice doesn't seem like the intended option.
2017-06-02 15:20:45 -07:00
Dawn Chen
b9e8d2aee6 Merge pull request #46711 from derekwaynecarr/redundant-if-block
Fix cross-build by having active deadline seconds use maxInt32
2017-06-01 17:18:18 -07:00
Tim Hockin
fc34a9d6ba 'Global' -> 'Cluster' for traffic policy 2017-06-01 16:17:38 -07:00
Kubernetes Submit Queue
14a1cdd208 Merge pull request #44785 from jingxu97/April/apistorage
Automatic merge from submit-queue

Add Local Storage Capacity Isolation API

This PR adds the new APIs to support storage capacity isolation as
described in the proposal [https://github.com/kubernetes/community/pull/306](url)

1. Add SizeLimit for emptyDir volume
2. Add scratch and overlay storage type used by container level or
node level


**Release note**:

```release-note
Alpha feature: Local volume Storage Capacity Isolation allows users to set storage limit to isolate EmptyDir volumes, container storage overlay, and also supports allocatable storage for shared root file system. 
```
2017-06-01 09:12:19 -07:00
Daniel Smith
c46e231fc7 generated changes 2017-05-31 16:38:47 -07:00
Quintin Lee
a38c2b4ce1 Add annotation for image policy webhook fail open. 2017-05-31 14:57:28 -07:00
Derek Carr
6207e19fb8 Fix cross-compile error 2017-05-31 16:10:22 -04:00
Jing Xu
695f7be697 generated files 2017-05-31 13:06:39 -07:00
Jing Xu
85f030c2aa Add storage isolation API
This PR adds the new APIs to support storage capacity isolation as described in the proposal
https://github.com/kubernetes/community/pull/306

1. Add SizeLimit for emptyDir volume
2. Add scratch and overlay storage type used by container level or
node level
2017-05-31 12:26:04 -07:00
Jeremy Whitlock
5375bc0cc8 add generated sources for admission API group "install" package 2017-05-31 11:41:10 -07:00
Jeremy Whitlock
83d3d59ce0 add "install" package for admission API group
To properly register the types in the admission API group we need to
create an "install" package and wire it up.  This is required by the
webhook admission controller being developed as part of
https://github.com/kubernetes/community/pull/132
2017-05-31 11:41:10 -07:00
Derek Carr
18bf8f8616 redudant if-block in validation code 2017-05-31 12:08:52 -04:00
deads2k
954eb3ceb9 move labels to components which own the APIs 2017-05-31 10:32:06 -04:00
Shyam Jeedigunta
1cf6b339f6 Use TTL-based caching configmap manager in kubelet 2017-05-31 10:39:40 +02:00
Kubernetes Submit Queue
91cef78f43 Merge pull request #46640 from derekwaynecarr/active-deadline-seconds-fix
Automatic merge from submit-queue (batch tested with PRs 46661, 46562, 46657, 46655, 46640)

Improve validation of active deadline seconds

**What this PR does / why we need it**:
Improve validation of active deadline seconds to not allow it to be larger than max uint32.

If users choose a value that is too large, the conversion of that value to a duration in seconds can cause an overflow.  I see no practical benefit of having a value larger than uint32 at this time.

xref: https://bugzilla.redhat.com/show_bug.cgi?id=1456156

**Release note**:
```release-note
Restrict active deadline seconds max allowed value to be maximum uint32
```
2017-05-31 01:08:11 -07:00
Tomas Nozicka
9ed01e44a1 Fix standardFinalizers - add missing metav1.FinalizerDeleteDependents 2017-05-31 09:21:02 +02:00
Kubernetes Submit Queue
0aad9d30e3 Merge pull request #44897 from msau42/local-storage-plugin
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654)

Local storage plugin

**What this PR does / why we need it**:
Volume plugin implementation for local persistent volumes.  Scheduler predicate will direct already-bound PVCs to the node that the local PV is at.  PVC binding still happens independently.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: 
Part of #43640

**Release note**:

```
Alpha feature: Local volume plugin allows local directories to be created and consumed as a Persistent Volume.  These volumes have node affinity and pods will only be scheduled to the node that the volume is at.
```
2017-05-30 23:20:02 -07:00
Kubernetes Submit Queue
5995690396 Merge pull request #46076 from liggitt/node-authorizer
Automatic merge from submit-queue

Node authorizer

This PR implements the authorization portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279:
* Adds a new authorization mode (`Node`) that authorizes requests from nodes based on a graph of related pods,secrets,configmaps,pvcs, and pvs:
  * Watches pods, adds edges (secret -> pod, configmap -> pod, pvc -> pod, pod -> node)
  * Watches pvs, adds edges (secret -> pv, pv -> pvc)
  * When both Node and RBAC authorization modes are enabled, the default RBAC binding that grants the `system:node` role to the `system:nodes` group is not automatically created.
* Tightens the `NodeRestriction` admission plugin to require identifiable nodes for requests from users in the `system:nodes` group.

This authorization mode is intended to be used in combination with the `NodeRestriction` admission plugin, which limits the pods and nodes a node may modify. To enable in combination with RBAC authorization and the NodeRestriction admission plugin:
* start the API server with `--authorization-mode=Node,RBAC --admission-control=...,NodeRestriction,...`
* start kubelets with TLS boostrapping or with client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>`

```release-note
kube-apiserver: a new authorization mode (`--authorization-mode=Node`) authorizes nodes to access secrets, configmaps, persistent volume claims and persistent volumes related to their pods.
* Nodes must use client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` in order to be authorized by the node authorizer (the credentials obtained by the kubelet via TLS bootstrapping satisfy these requirements)
* When used in combination with the `RBAC` authorization mode (`--authorization-mode=Node,RBAC`), the `system:node` role is no longer automatically granted to the `system:nodes` group.
```

```release-note
RBAC: the automatic binding of the `system:node` role to the `system:nodes` group is deprecated and will not be created in future releases. It is recommended that nodes be authorized using the new `Node` authorization mode instead. Installations that wish to continue giving all members of the `system:nodes` group the `system:node` role (which grants broad read access, including all secrets and configmaps) must create an installation-specific ClusterRoleBinding.
```

Follow-up:
- [ ] enable e2e CI environment with admission and authorizer enabled (blocked by kubelet TLS bootstrapping enablement in https://github.com/kubernetes/kubernetes/pull/40760)
- [ ] optionally enable this authorizer and admission plugin in kubeadm
- [ ] optionally enable this authorizer and admission plugin in kube-up
2017-05-30 22:42:54 -07:00
Kubernetes Submit Queue
b0c3fb16ca Merge pull request #46412 from zjj2wry/va-test
Automatic merge from submit-queue

add test in validation

**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2017-05-30 15:43:21 -07:00
Jordan Liggitt
48a9357926
Add PV util for extracting referenced secrets 2017-05-30 15:12:30 -04:00
Derek Carr
9d412210e9 Active deadline seconds validation improvements 2017-05-30 14:57:06 -04:00
Kubernetes Submit Queue
e9a2ddc87b Merge pull request #46217 from zjj2wry/validate
Automatic merge from submit-queue (batch tested with PRs 45327, 46217, 46377, 46428, 46588)

fix some typo

**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
```
2017-05-30 01:56:00 -07:00
Dr. Stefan Schimanski
e3b92a11f1 apimachinery: move unversioned registration to metav1 2017-05-29 11:53:45 +02:00
Dan Winship
0923f860f1 Regenerate files 2017-05-28 10:11:02 -04:00
Dan Winship
0683e55fc1 Add networking.k8s.io v1 API, with NetworkPolicy 2017-05-28 10:11:01 -04:00
zhengjiajin
c5121d9e6f add test for validation NFS and GlusterFS 2017-05-27 22:37:56 +08:00
Solly Ross
8d03536d00 Regenerate protobuf and client-go
This commit regenerates the protobuf as per the recent generation
changes (removing erroneous imports, adding k8s.io/metrics), and
syncs the changes to client-go (which also ensures that client-go
protobuf IDL has the correct package names).
2017-05-27 00:37:49 -04:00
Chao Xu
89e506c46a generated 2017-05-26 00:14:11 -07:00
Chao Xu
6b5bd19566 api 2017-05-25 23:55:15 -07:00
Kubernetes Submit Queue
b3181ec2f3 Merge pull request #46305 from sjenning/init-container-status
Automatic merge from submit-queue

clear init container status annotations when cleared in status

When I pod with an init container is terminated due to exceeding its active deadline, the pod status is phase `Failed` with reason `DeadlineExceeded`.  All container statuses are cleared from the pod status.

With init containers, however, the status is being regenerated from the status annotations.  This is causing kubectl to report the pod state as `Init:0/1` instead of `DeadlineExceeded` because the kubectl printer observes a running init container, which in reality is not running.

This PR clears out the init container status annotations when they have been removed from the pod status so they are not regenerated on the apiserver.

xref https://bugzilla.redhat.com/show_bug.cgi?id=1453180

@derekwaynecarr 

```release-note
Fix init container status reporting when active deadline is exceeded.
```
2017-05-24 14:18:45 -07:00
Kubernetes Submit Queue
8e87c02959 Merge pull request #46139 from monopole/removeDepOnPkgHelper
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)

Remove kubectl's dependence on pkg/api/helper

**What this PR does / why we need it**:

Remove kubectl's dependence on pkg/api/helper, as part of
broader effort to isolate kubectl from the rest of k8s.
In this case, the code becomes private to kubectl; nobody else uses it.

**Which issue this PR fixes**

Part of a series of PRs to address kubernetes/community#598

**Release note**:
```release-note
NONE
```
2017-05-23 19:42:59 -07:00
zhengjiajin
857306b3c2 fix some type 2017-05-24 10:05:01 +08:00
Seth Jennings
86bc27b6a1 clear init container status annotations when cleared in status 2017-05-23 18:31:49 -05:00
System Administrator
83520a7470 Kubernetes core API changes for vSphere 2017-05-22 19:43:29 -07:00
Kubernetes Submit Queue
c2c5051adf Merge pull request #44899 from smarterclayton/burst
Automatic merge from submit-queue (batch tested with PRs 38990, 45781, 46225, 44899, 43663)

Support parallel scaling on StatefulSets

Fixes #41255

```release-note
StatefulSets now include an alpha scaling feature accessible by setting the `spec.podManagementPolicy` field to `Parallel`.  The controller will not wait for pods to be ready before adding the other pods, and will replace deleted pods as needed.  Since parallel scaling creates pods out of order, you cannot depend on predictable membership changes within your set.
```
2017-05-22 19:07:09 -07:00
Michelle Au
5fcb82dde9 Fix storage node affinity helpers 2017-05-22 15:30:27 -07:00
Kubernetes Submit Queue
f6b3d083b7 Merge pull request #44640 from msau42/local-pv-api
Automatic merge from submit-queue

LocalStorage api

**What this PR does / why we need it**:
API changes to support persistent local volumes, as described [here](https://github.com/kubernetes/community/pull/306)

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Part of #43640

**Special notes for your reviewer**:
There were a few items I was concerned about.  Will add review comments in those places.

**Release note**:

NONE

Note will be added in subsequent PR with the volume plugin changes
2017-05-22 14:39:05 -07:00
Jeffrey Regan
5a9b06b717 **What this PR does / why we need it**:
Remove kubectl's dependence on pkg/api/helper, as part of
broader effort to isolate kubectl from the rest of k8s.
In this case, the code becomes private to kubectl; nobody else uses it.

**Which issue this PR fixes**

Part of a series of PRs to address kubernetes/community#598

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```
2017-05-21 20:44:21 -07:00
Michelle Au
936269a2eb Generated code for local persistent volumes 2017-05-21 12:20:23 -07:00