Commit Graph

6997 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
fb340a4695
Merge pull request #57824 from thockin/gcr-vanity
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

2nd try at using a vanity GCR name

The 2nd commit here is the changes relative to the reverted PR.  Please focus review attention on that.

This is the 2nd attempt.  The previous try (#57573) was reverted while we
figured out the regional mirrors (oops).
    
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest.  To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today).  For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
    
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
    
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it.  Nice and
visible, easy to keep track of.

xref https://github.com/kubernetes/release/issues/281

TL;DR:
  *  The new `staging-k8s.gcr.io` is where we push images.  It is literally an alias to `gcr.io/google_containers` (the existing repo) and is hosted in the US.
  * The contents of `staging-k8s.gcr.io` are automatically synced to `{asia,eu,us}-k8s.gcr.io`.
  * The new `k8s.gcr.io` will be a read-only alias to whichever regional repo is closest to you.
  * In the future, images will be promoted from `staging` to regional "prod" more explicitly and auditably.

```release-note
Use "k8s.gcr.io" for pulling container images rather than "gcr.io/google_containers".  Images are already synced, so this should not impact anyone materially.
    
Documentation and tools should all convert to the new name. Users should take note of this in case they see this new name in the system.
```
2018-02-08 03:29:32 -08:00
Tim Hockin
3586986416 Switch to k8s.gcr.io vanity domain
This is the 2nd attempt.  The previous was reverted while we figured out
the regional mirrors (oops).

New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest.  To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today).  For now the staging is an alias to
gcr.io/google_containers (the legacy URL).

When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.

We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it.  Nice and
visible, easy to keep track of.
2018-02-07 21:14:19 -08:00
Kubernetes Submit Queue
a4fbd38835
Merge pull request #59014 from Random-Liu/make-kube-up-kubelet-args-configurable
Automatic merge from submit-queue (batch tested with PRs 59010, 59212, 59281, 59014, 59297). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make kubelet flags of kube-up.sh configurable.

Fixes https://github.com/kubernetes/kubernetes/issues/59503.

For CRI container runtime, we need to pass kubelet the container runtime cgroup.

~~Currently, for `e2e-up.sh` we can use `KUBE_TEST_ARGS` to configure kubelet flags. However, for `kube-up.sh` we don't have a way to configure it.~~
Actually we can also use `KUBE_TEST_ARGS` for kubelet flags. However, I prefer we still make this change to make the env name more formalized.

@kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-node-pr-reviews 
@yujuhong @feiskyer @mrunalp 

Signed-off-by: Lantao Liu <lantaol@google.com>



**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
none
```
2018-02-07 15:27:46 -08:00
Kubernetes Submit Queue
f2362ed6e5
Merge pull request #59396 from kwmonroe/bug/opts-before-login
Automatic merge from submit-queue (batch tested with PRs 59441, 58264, 59287, 59396, 59439). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Ensure docker daemon opts are in effect before docker login

**What this PR does / why we need it**:
Make sure the kubernetes-worker charm is using the configured `docker-opts` daemon options prior to running the `docker-logins` handler.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/juju-solutions/layer-docker/issues/112
**Special notes for your reviewer**:

**Release note**:

```release-note
Fixed charm issue where docker login would run prior to daemon options being set. 
```
2018-02-06 20:27:42 -08:00
Lantao Liu
827ed222c7 Make kubelet flags of kube-up.sh configurable.
Signed-off-by: Lantao Liu <lantaol@google.com>
2018-02-07 01:58:30 +00:00
Kevin W Monroe
fa440c8dd2 split docker-logins logic into 2 handlers
Previous commit relied on non-obvious reactive behavior, with the
'docker.restart' flag being exploited to re-execute docker_logins_changed
in a single hook execution.

Split this into 2 handlers:
- when docker-logins config changes, set one flag to handle the login
and another to request a daemon restart (if needed).
- run docker login after any potential daemon restarts have occurred.
2018-02-06 11:29:42 -06:00
Kubernetes Submit Queue
77ca1af895
Merge pull request #57455 from kawych/fix_metadata_agent
Automatic merge from submit-queue (batch tested with PRs 54680, 59388, 57455). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix RBAC permissions for metadata agent.

**What this PR does / why we need it**:
Allows Stackdriver Metadata Agent to watch nodes and pods

**Release note**:
```release-note
Fix RBAC permissions for Stackdriver Metadata Agent.
```
2018-02-06 06:40:34 -08:00
Karol Wychowaniec
b8ed82711c Fix RBAC permissions for metadata agent. 2018-02-06 13:47:37 +01:00
Kevin W Monroe
4af548bb5a Ensure daemon opts are in effect before docker login 2018-02-06 05:16:20 +00:00
Kubernetes Submit Queue
c0c74918c3
Merge pull request #58184 from yguo0905/hostexec
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

e2e test: use sleep to wait in hostexec

**What this PR does / why we need it**:

The test image hostexec waits forever by reading a named pipe that nobody writes.
09cf6c9776/test/images/hostexec/Dockerfile (L25)

Because of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c6c70f4455d1eda91065e93cc4f7eddf4499b105, on OS images with kernel 4.11+, the wait will be interrupted unexpectedly.

```
ygg@ubuntu-gke-1604-xenial-v20171222-vm:~$ sudo docker run -d gcr.io/kubernetes-e2e-test-images/hostexec-amd64:1.0
a428c06ebd3b9a13504e453107d3fb69e859f731cae3ca0fdf898a646e394632
ygg@ubuntu-gke-1604-xenial-v20171222-vm:~$ sudo docker exec -it a428c06ebd /bin/sh
/ # timeout -t 1 cat
Terminated
ygg@ubuntu-gke-1604-xenial-v20171222-vm:~$ sudo docker logs a428c06ebd        
/bin/sh: can't open /fifo: Interrupted system call
```

Changed to use `sleep` to avoid this issue.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:

This PR fixes the test failure in https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gke-ubuntustable1-k8sstable1-reboot/3140

**Special notes for your reviewer**:

**Release note**:

```
None
```
2018-02-05 13:15:33 -08:00
Kubernetes Submit Queue
b80ee8c02c
Merge pull request #59357 from kubernetes/revert-57683-kube-dns-anti-affinity
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Revert "Add self anti-affinity to kube-dns pods"

Reverts kubernetes/kubernetes#57683

Fixes https://github.com/kubernetes/kubernetes/issues/54164

/cc @wojtek-t 
cc @bsalamat @misterikkit @bowei @MrHohn
2018-02-05 12:40:42 -08:00
Kubernetes Submit Queue
e6f1d42ce4
Merge pull request #59143 from halfcrazy/typo-cluster
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

doc: fix typo in cluster

**What this PR does / why we need it**:
fix typo in cluster

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-02-05 10:47:54 -08:00
Shyam JVS
9305c37dec
Revert "Add self anti-affinity to kube-dns pods" 2018-02-05 18:24:23 +01:00
Kubernetes Submit Queue
97b28552be
Merge pull request #59274 from mwielgus/mw-mp-owners
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add mwielgus and MaciekPytel to GCE owners

To perform ClusterAutoscaler releases.
```release-note
NONE
```
2018-02-05 04:25:21 -08:00
Marcin Wielgus
e550500f68 Remove comment from Cluster Autoscaler manifest 2018-02-03 15:31:50 +01:00
halfcrazy
9b64650311 fix typo in cluster 2018-02-03 11:08:06 +08:00
Joe Betz
f0d04b7131 Update etcd server version to 3.2.13 2018-02-02 17:25:13 -08:00
Kubernetes Submit Queue
4edb82f0e8
Merge pull request #59259 from wojtek-t/configurable_quota_backend_bytes
Automatic merge from submit-queue (batch tested with PRs 55439, 58564, 59028, 59169, 59259). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Configurable etcd quota backend bytes

```release-note
Configurable etcd quota backend bytes in GCE
```
2018-02-02 17:17:45 -08:00
Kubernetes Submit Queue
636e5e00fa
Merge pull request #58564 from mikedanese/rm-opencontrail
Automatic merge from submit-queue (batch tested with PRs 55439, 58564, 59028, 59169, 59259). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

cluster: delete lots of stuff

let me know if any of this is too aggressive. 

see #49213

```release-note
Remove unmaintained kube-registry-proxy support from gce kube-up.
```
2018-02-02 17:17:36 -08:00
Kubernetes Submit Queue
bd9917f669
Merge pull request #59273 from mwielgus/ca-1.1.1-head
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Cluster Autoscaler 1.1.1

Minor fixes around metrics. 
```release-note
NONE
```
2018-02-02 15:24:22 -08:00
Kubernetes Submit Queue
ea501413ce
Merge pull request #59219 from hyperbolic2346/mwilson/get-node-name-timeout-bump
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

bumping timeouts for apiserver communication.

**What this PR does / why we need it**:
Our CI is failing due to timeouts. The times we set node names intersect with apiserver restarts, which can sometimes get caught up for longer than one minute. This is a temporary fix until we can decide on the best long-term solution.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Upped the timeout for apiserver communication in the juju kubernetes-worker charm.
```
2018-02-02 10:25:36 -08:00
Marcin Wielgus
59f05bf17a Add mwielgus and MaciekPytel to GCE owners 2018-02-02 16:56:18 +01:00
Marcin Wielgus
da3d2fdc7b Cluster Autoscaler 1.1.1 2018-02-02 16:50:37 +01:00
Kubernetes Submit Queue
8c6be65f4c
Merge pull request #58720 from joelsmith/ro-vol
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Ensure that the runtime mounts RO volumes read-only

**What this PR does / why we need it**:

This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.

It also adds a feature gate `ReadOnlyAPIDataVolumes` to provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.

Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.

**Which issue(s) this PR fixes**
Fixes #58719 

**Release note**:
```release-note
Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously,
container modifications to files in these types of volumes were temporary and reverted by the kubelet
during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will
preserve the old behavior.
```
2018-02-02 06:42:12 -08:00
Kubernetes Submit Queue
4b8309e315
Merge pull request #59064 from hyperbolic2346/mwilson/upgrade-creds-fix
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fixing upgrade charm failing if upgrading from an old enough charm

**What this PR does / why we need it**:
Charms before ~Nov 2017 can not upgrade to charms made after that time due to a race with a missing credential dictionary. This change forces the dictionary to be created before we attempt to use it.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/474
**Special notes for your reviewer**:

**Release note**:

```release-note
Fixed issue with charm upgrades resulting in an error state.
```
2018-02-02 04:34:28 -08:00
Kubernetes Submit Queue
b1e0f2c035
Merge pull request #59193 from shyamjvs/expose-etcd-compaction-for-kubemark
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Expose etcd compaction interval param for kubemark apiserver

/cc @wojtek-t @porridge 

```release-note
NONE
```
2018-02-02 03:13:36 -08:00
Wojciech Tyczynski
333d196995 Configurable etcd quota backend bytes 2018-02-02 10:36:34 +01:00
Kubernetes Submit Queue
d3b783d5ec
Merge pull request #58743 from NickrenREN/pv-protection
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Postpone PV deletion with finalizer when it is being used

Postpone PV deletion if it is bound to a PVC

xref: https://github.com/kubernetes/community/pull/1608


**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #33355

**Special notes for your reviewer**:

**Release note**:
```release-note
Postpone PV deletion when it is being bound to a PVC
```

WIP, assign to myself first

/assign @NickrenREN
2018-02-01 19:39:52 -08:00
Mike Wilson
af71c9670f bumping timeouts for apiserver communication. 2018-02-01 15:55:44 -05:00
Joel Smith
66b061dad2 Ensure that the runtime mounts RO volumes read-only
Add a feature gate ReadOnlyAPIDataVolumes to provide a way to
disable the new behavior in 1.10, but for 1.11, the new
behavior will become non-optional.

Also, update E2E tests for downwardAPI and projected volumes
to mount the volumes somewhere other than /etc.
2018-02-01 10:02:29 -07:00
Mike Danese
0d39648775 cluster/gce: remove salt comments from manifests 2018-02-01 08:39:56 -08:00
Mike Danese
d6918bbbc0 cluster: remove kube-registry-proxy 2018-02-01 07:23:50 -08:00
Mike Danese
21b5afa810 cluster: remove unreferenced vars 2018-02-01 07:23:50 -08:00
Mike Danese
e420e0fca8 cluster: remove unused kubelet token 2018-02-01 07:23:50 -08:00
Mike Danese
4a222b256c cluster: delete image staging 2018-02-01 07:23:50 -08:00
Mike Danese
02de75fb41 cluster: remove some cvm stuff 2018-02-01 07:23:50 -08:00
Mike Danese
4961065562 cluster: remove unused functions 2018-02-01 07:23:50 -08:00
Mike Danese
4709140515 gce: delete opencontrail vars 2018-02-01 07:23:50 -08:00
Kubernetes Submit Queue
57bd4f8344
Merge pull request #59116 from hyperbolic2346/mwilson/priv-typo-fix
Automatic merge from submit-queue (batch tested with PRs 57683, 59116, 58728, 59140, 58976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fixing issue with capitalization in allow-privileged

**What this PR does / why we need it**:
Config option in kubernetes-master allow-privileged would do odd things if you used True instead of true.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/374
**Special notes for your reviewer**:

**Release note**:

```release-note
Fixed issue with kubernetes-worker option allow-privileged not properly handling the value True with a capital T.
```
2018-02-01 07:04:37 -08:00
Kubernetes Submit Queue
76b29312e9
Merge pull request #57683 from vainu-arto/kube-dns-anti-affinity
Automatic merge from submit-queue (batch tested with PRs 57683, 59116, 58728, 59140, 58976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add self anti-affinity to kube-dns pods

Otherwise the "no single point of failure" setting doesn't actually work (a single node failure can still take down the entire cluster).

Fixes #40063

```release-note
Added anti-affinity to kube-dns pods
```
2018-02-01 07:04:34 -08:00
Kubernetes Submit Queue
ffde829637
Merge pull request #59106 from wojtek-t/expose_compaction_interval
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Expose etcd compaction time via environmental variable in GCE
2018-02-01 05:15:58 -08:00
Shyam Jeedigunta
87af748493 Expose etcd compaction interval param for kubemark apiserver 2018-02-01 11:10:02 +01:00
Sandeep Rajan
2853738a6b add upstream
add pod affinity
2018-01-31 13:31:58 -05:00
Mike Wilson
33dac2d0f3 Adding lower() to kubernetes master's usage of allow-privileged. 2018-01-31 12:20:37 -05:00
Mike Wilson
ec0bedbf43 Fixing issue with capitalization causing odd behaviors for allow-privileged configuration option. 2018-01-31 10:26:23 -05:00
Wojciech Tyczynski
617321e420 Expose etcd compaction time via environmental variable in GCE 2018-01-31 14:44:01 +01:00
NickrenREN
cbfa0cc85a reuse PVC protection admission plugin for PV protection 2018-01-31 20:02:01 +08:00
Yang Guo
eeecd6e8c0 Update tests to use the hostexec:1.1 image 2018-01-30 17:31:52 -08:00
Kubernetes Submit Queue
7fe25af6b1
Merge pull request #59005 from hyperbolic2346/mwilson/node-name-fix
Automatic merge from submit-queue (batch tested with PRs 59053, 59005). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Forcing get_node_name to continue searching for a node name.

There was a race condition where the kubelet was restarting and we were querying the api server for this node. In that case, we may get a valid list of nodes that doesn't include our node. This would cause the code to just raise an exception. Now we wait the full timeout before raising the exception.



**What this PR does / why we need it**:
Fixes a race condition on the get_node_name function inside the kubernetes-worker charm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Fixed a race condition inside kubernetes-worker that would result in a temporary error situation.
```
2018-01-30 13:57:29 -08:00
Mike Wilson
17f8f18f6f Fixing upgrade charm failing if upgrading from an old enough charm (pre Nov 2017). 2018-01-30 14:52:57 -05:00