Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
skip WaitForAttachAndMount for terminated pods in syncPod
Fixes https://github.com/kubernetes/kubernetes/issues/49663
I tried to tread lightly with a small localized change because this needs to be picked to 1.7 and 1.6 as well.
I suspect this has been as issue since we started unmounting volumes on pod termination https://github.com/kubernetes/kubernetes/pull/37228
xref openshift/origin#14383
@derekwaynecarr @eparis @smarterclayton @saad-ali @jwforres
/release-note-none
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
Change pod config to manifest
**What this PR does / why we need it**:
As per https://github.com/kubernetes/kubernetes/pull/46494#discussion_r119675805, change `config` to `manifest` to avoid ambiguous.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Since it's a minor fix, there is no issue here.
/cc @mtaufen
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
Fix TODO: rename podInfraContainerID to sandboxID
**What this PR does / why we need it**:
Code-cleanup in kubelet to use consistent naming for sandbox ID. Not super urgent, but thought it would be nice to knock off some TODOs.
**Which issue this PR fixes**
Fixes a TODO in the code, no associated issue.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47357, 49514, 49271, 49572, 49476)
Using only the exit code to decide when to fall back on logs
We expect the exit code to be non-zero if the the container process was
OOM killed. Remove the check that uses the "Reason" field.
Automatic merge from submit-queue (batch tested with PRs 45040, 48960)
Do not generate warning event on dns search deduplication
In the case that the node is able to use the cluster DNS, `cluster.local` will already be in the node search domains in `/etc/resolv.conf`. The kubelet then parses `/etc/resolv.conf` on the node and combines it with $namespace.svc.$clusterDomain, svc.$clusterDomain, and $clusterDomain to create the pod DNS search domains. clusterDomain is `cluster.local` by default. This causes the code to generate a Warning event visible to the user for _every_ pod:
```
Warning DNSSearchForming Found and omitted duplicated dns domain in host search line: 'cluster.local' during merging with cluster dns domains
```
This is really overkill. IMHO, this should be done in the background with no user level notification or logging at all.
xref https://bugzilla.redhat.com/show_bug.cgi?id=1471198
@derekwaynecarr @eparis @vefimova
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Use presence of kubeconfig file to toggle standalone mode
Fixes#40049
```release-note
The deprecated --api-servers flag has been removed. Use --kubeconfig to provide API server connection information instead. The --require-kubeconfig flag is now deprecated. The default kubeconfig path is also deprecated. Both --require-kubeconfig and the default kubeconfig path will be removed in Kubernetes v1.10.0.
```
/cc @kubernetes/sig-cluster-lifecycle-misc @kubernetes/sig-node-misc
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Remove duplicated import and wrong alias name of api package
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#48975
**Special notes for your reviewer**:
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove flags low-diskspace-threshold-mb and outofdisk-transition-frequency
issue: #48843
This removes two flags replaced by the eviction manager. These have been depreciated for two releases, which I believe correctly follows the kubernetes depreciation guidelines.
```release-note
Remove depreciated flags: --low-diskspace-threshold-mb and --outofdisk-transition-frequency, which are replaced by --eviction-hard
```
cc @mtaufen since I am changing kubelet flags
cc @vishh @derekwaynecarr
/sig node
Automatic merge from submit-queue (batch tested with PRs 48636, 49088, 49251, 49417, 49494)
Fix issues for local storage allocatable feature
This PR fixes the following issues:
1. Use ResourceStorageScratch instead of ResourceStorage API to represent
local storage capacity
2. In eviction manager, use container manager instead of node provider
(kubelet) to retrieve the node capacity and reserved resources. Node
provider (kubelet) has a feature gate so that storagescratch information
may not be exposed if feature gate is not set. On the other hand,
container manager has all the capacity and allocatable resource
information.
This PR fixes issue #47809
Automatic merge from submit-queue (batch tested with PRs 49444, 47864, 48584, 49395, 49118)
Move event type
Change SandboxChanged to a constant and move to the event package below.
**Release note**:
```release-note
NONE
```
Replaces use of --api-servers with --kubeconfig in Kubelet args across
the turnup scripts. In many cases this involves generating a kubeconfig
file for the Kubelet and placing it in the correct location on the node.
Automatic merge from submit-queue (batch tested with PRs 49107, 47177, 49234, 49224, 49227)
Make sure the previous symlink file is deleted before trying to create a new one
**What this PR does / why we need it**:
It deletes possibly existing symlinks to container log files.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes#49105
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180)
Add seccomp profile in sandbox security context
**What this PR does / why we need it**:
PR #46332 adds seccomp profile to container security context, but not sandbox. This PR adds seccomp profile in sandbox security context. Without this, we couldn't honour "seccomp.security.alpha.kubernetes.io/pod" for sandbox.
**Which issue this PR fixes**
fixes#49179.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @yujuhong
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180)
Added golint check for pkg/kubelet.
**What this PR does / why we need it**:
Added golint check for pkg/kubelet, and make golint happy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47315
**Release note**:
```release-note-none
```
Automatic merge from submit-queue
Restore cAdvisor prometheus metrics to the main port
But under a new path - `/metrics/cadvisor`. This ensures a secure port still exists for metrics while getting the benefit of separating out container metrics from the kubelet's metrics as recommended in the linked issue.
Fixes#48483
```release-note-action-required
Restored cAdvisor prometheus metrics to the main port -- a regression that existed in v1.7.0-v1.7.2
cAdvisor metrics can now be scraped from `/metrics/cadvisor` on the kubelet ports.
Note that you have to update your scraping jobs to get kubelet-only metrics from `/metrics` and `container_*` metrics from `/metrics/cadvisor`
```
Automatic merge from submit-queue (batch tested with PRs 49116, 49095)
Move pkg/api/v1/ref -> client-go/tools/reference
`pkg/api/v1/ref` is the only remaining package copied from pkg/api/v1 to client-go via staging/copy.sh.
Automatic merge from submit-queue (batch tested with PRs 48702, 48965, 48740, 48974, 48232)
Cleanup the conversion of ObjectReference
**What this PR does / why we need it**:
No need to convert ObjectReference as `k8s.io/kubernetes/pkg/api/v1` and `k8s.io/client-go/pkg/api/v1` has been consistent in `k8s.io/api/core/v1`.
**Which issue this PR fixes**: fixes#48747
**Special notes for your reviewer**:
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48481, 48256)
Refactor: pkg/util into sub-pkgs
**What this PR does / why we need it**:
- move code in pkg/util into sub-pkgs
- delete some unused funcs
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#15634
**Special notes for your reviewer**:
This is the final work of #15634. It will close that issue.
/cc @thockin
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
add InstanceID to fake cadvisor (used in Kubemark)
This change is for setting Node.Spec.ProviderID field in Kubemark hollow nodes. It shouldn't affect other tests using cadvisor.Fake as field is nil by default.
cc @gmarek
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
Static deepcopy – phase 1
This PR is the follow-up of https://github.com/kubernetes/kubernetes/pull/36412, replacing the
dynamic reflection based deepcopy with static DeepCopy+DeepCopyInto methods on API types.
This PR **does not yet** include the code dropping the cloner from the scheme and all the
porting of the calls to scheme.Copy. This will be part of a follow-up "Phase 2" PR.
A couple of the commits will go in first:
- [x] audit: fix deepcopy registration https://github.com/kubernetes/kubernetes/pull/48599
- [x] apimachinery+apiserver: separate test types in their own packages #48601
- [x] client-go: remove TPR example #48604
- [x] apimachinery: remove unneeded GetObjectKind() impls #48608
- [x] sanity check against origin, that OpenShift's types are fine for static deepcopy https://github.com/deads2k/origin/pull/34
TODO **after** review here:
- [x] merge https://github.com/kubernetes/gengo/pull/32 and update vendoring commit
But under a new path - `/metrics/cadvisor`. This ensures a secure port
still exists for metrics while getting the benefit of separating out
container metrics from the kubelet's metrics.
Automatic merge from submit-queue (batch tested with PRs 48231, 47377, 48797, 49020, 49033)
Migrate kubelet and linked code from clientset_generated to client-go
Ran a script in the kubernetes repo to migrate kubelet and linked code from clientset_generated package imports to client-go imports.
**NOTE:** There are also some manual changes that were made in order to accommodate some
differences between clientset_generated and client-go. The manual changes are isolated into a
single commit titled "Manual changes."
```sh
#! /bin/bash
for file in $(find . \( -name "clientset_generated" -o -name "informers_generated" \) -prune -o -type f -name "*.go"); do
if [[ -d $file ]]; then
continue
fi
if [[ $file == "./cmd/libs/go2idl/informer-gen/main.go" ]]; then
continue
fi
sed -i '
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"|clientset "k8s.io/client-go/kubernetes"|;
# Correct a couple of unique cases.
s|clientset clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|cs clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|VersionedClientSetPackage: clientset "k8s.io/client-go/kubernetes"|VersionedClientSetPackage: "k8s.io/client-go/kubernetes"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"|"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1"|"k8s.io/client-go/kubernetes/typed/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/extensions/v1beta1"|"k8s.io/client-go/kubernetes/typed/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/autoscaling/v1"|"k8s.io/client-go/kubernetes/typed/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authentication/v1"|"k8s.io/client-go/kubernetes/typed/authentication/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authorization/v1beta1"|"k8s.io/client-go/kubernetes/typed/authorization/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/apps/v1beta1"|"k8s.io/client-go/kubernetes/typed/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/rbac/v1beta1"|"k8s.io/client-go/kubernetes/typed/rbac/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/fake"|"k8s.io/client-go/kubernetes/fake"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1/fake"|"k8s.io/client-go/kubernetes/typed/core/v1/fake"|;
s|k8s.io/kubernetes/pkg/client/clientset_generated/clientset|k8s.io/client-go/kubernetes|;
s|informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"|"k8s.io/client-go/informers"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/core/v1"|"k8s.io/client-go/informers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/apps/v1beta1"|"k8s.io/client-go/informers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/extensions/v1beta1"|"k8s.io/client-go/informers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/batch/v1"|"k8s.io/client-go/informers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/autoscaling/v1"|"k8s.io/client-go/informers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/policy/v1beta1"|"k8s.io/client-go/informers/policy/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/certificates/v1beta1"|"k8s.io/client-go/informers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/storage/v1"|"k8s.io/client-go/informers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/core/v1"|"k8s.io/client-go/listers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/apps/v1beta1"|"k8s.io/client-go/listers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/extensions/v1beta1"|"k8s.io/client-go/listers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/autoscaling/v1"|"k8s.io/client-go/listers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/batch/v1"|"k8s.io/client-go/listers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/certificates/v1beta1"|"k8s.io/client-go/listers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/storage/v1"|"k8s.io/client-go/listers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/policy/v1beta1"|"k8s.io/client-go/listers/policy/v1beta1"|;
' $file
done
hack/update-bazel.sh
hack/update-gofmt.sh
```
Automatic merge from submit-queue (batch tested with PRs 49017, 45440, 48384, 45894, 48808)
Fix typo in ExecCommandParam
**What this PR does / why we need it**: Makes ExecCommandParam look like all of the other "Param"s
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
