The package "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
is used for a couple of function calls:
- pkiutil.NewCertAndKey() to generate a cert/key pair
- pkiutil.WriteCertAndKey() to write the pair to disk
Unroll and simplify the functions to obtain the same functionality
while removing the cmd/kubeadm dependency.
github.com/docker/distribution/reference has a new home github.com/distribution/reference
and a new tag v0.5.0. Let's switch to that.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
I moved a simpler condition to the beginning of the function (when the error == nil). This has substantially streamlined the function for readability and comprehension of its logic flow.
When defining a ClusterIP Service, we can specify externalIP, and the
traffic policy of externalIP is subject to externalTrafficPolicy.
However, the policy can't be set when type is not NodePort or
LoadBalancer, and will default to Cluster when kube-proxy processes the
Service.
This commit updates the defaulting and validation of Service to allow
specifying ExternalTrafficPolicy for ClusterIP Services with
ExternalIPs.
Signed-off-by: Quan Tian <qtian@vmware.com>
Component configs are only needed for `kubeadm init`; `join` and `reset` don't
need to provide the config with component configs.
Signed-off-by: Dave Chen <dave.chen@arm.com>
As part of this change, the code responsible for managing the sandbox
image within the kubelet has been removed. Previously, the kubelet used
to prevent sandbox image from the garbage collection process. However,
with this update, the responsibility of managing the sandbox containers
has been shifted to the CRI implementation itself. By allowing sandbox
image pinning from CRI, we improve efficiency and simplify the kubelet's
interaction with the container runtime. As a result, the kubelet can now
rely on the container runtime's built-in mechanisms for sandbox container
lifecycle management.
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
The voting in https://github.com/kubernetes/kubernetes/issues/117288 led to
one check that got rejected ("ifElseChain: rewrite if-else to switch
statement") and several that are "nice to know".
golangci-lint's support for issue "severity" is too limited to identify "nice
to know" issues in the output (filtering is only by linter without considering
the issue text; not part of text output). Therefore a third configuration gets
added which emits all issues (must fix and nits). The intention is to use
the "strict" configuration in pull-kubernetes-verify and the "hints"
configuration in a new non-blocking pull-kubernetes-linter-hints.
That way, "must fix" issues will block merging while issues that may be useful
will show up in a failed optional job. However, that job then also contains
"must fix" issues, partly because filtering out those would make the
configuration a lot larger and is likely to be unreliable (all "must fix"
issues would need to be identified and listed), partly because it may be useful
to have all issues in one place.
The previous approach of manually keeping two configs in sync with special
comments didn't scale to three configs. Now a single golangci.yaml.in with
text/template constructs contains the source for all three configs. A new
simple CLI frontend for text/template (cmd/gotemplate) is used by
hack/update-golangci-lint-config.sh to generate the three flavors.
In all places map[string]string compounds were used directly
for extra args. Modify said locations to use []Arg
and the new utilities Get/SetArgValue(), ArgumentsTo/FromCommand().
Use []kubeadm.Arg instead of map[string]string when
validating ExtraArgs in the API.
Add new GetArgValue() and SetArgValue() utilities
and tests in apis/kubeadm.
Add new utils for constructing commands from and to
a []kubeadm.Arg slice.
Add a new type Arg that holds a dedicated Name and Value.
Instead of using map[string]string for ExtraArgs in the
API use []Arg.
Adapt v1beta3 conversion to convert to/from the
legacy map[string]string.
When parsing a config file, all settings derived from command line flags are
discarded because only the config settings are used. That has been the
traditional behavior for non-logging flags.
But `--config ... -v=4` used to work until
71ef0dafa7 added logging to the configuration.
To restore the original behavior, kube-proxy now:
- parses flags
- reads the config file
- applies logging settings from the flags to the config loaded from file
- uses that merged config
This implements a drop-in configuration directory for the kubelet
by introducing a "--config-dir" flag. Users can provide individual
kubelet config snippets in separate files, formatted similarly to
kubelet.conf. The kubelet will process the files in alphanumeric order,
appending configurations if subfield(s) doesn't exist, overwriting them if
they do, and handling lists by overwriting instead of merging.
Co-authored-by: Yu Qi Zhang <jerzhang@redhat.com>
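An added illustration (not code from the kubelet itself) of the merge semantics described in this commit message: snippets are applied in alphanumeric file-name order, subfields missing from the base are appended, existing ones are overwritten, and lists are replaced rather than merged. JSON stands in for the YAML of kubelet.conf, and the sample files and field values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample input: a base kubelet.conf plus two drop-in files (JSON
// stands in for the YAML the real files use; the values are made up).
const SampleBase = `{"maxPods":110,"clusterDNS":["10.96.0.10"],"authentication":{"anonymous":{"enabled":true}}}`
var SampleDropIns = map[string]string{
	"20-hardening.conf": `{"maxPods":250,"clusterDNS":["10.96.0.53"],"authentication":{"anonymous":{"enabled":false},"webhook":{"enabled":true}}}`,
	"10-base.conf":      `{"maxPods":200}`,
}

// mergeSnippet applies one snippet on top of base in place: nested maps recurse,
// new subfields are appended, existing scalars are overwritten, lists are replaced.
func mergeSnippet(base, snippet map[string]any) {
	for k, v := range snippet {
		sm, sIsMap := v.(map[string]any)
		bm, bIsMap := base[k].(map[string]any)
		if sIsMap && bIsMap {
			mergeSnippet(bm, sm)
			continue
		}
		base[k] = v // scalar or list: overwrite, never concatenate
	}
}

// MergeDropIns parses the base config, then applies each drop-in in
// alphanumeric file-name order, so 20-hardening.conf wins over 10-base.conf.
func MergeDropIns(baseJSON string, files map[string]string) (map[string]any, error) {
	cfg := map[string]any{}
	if err := json.Unmarshal([]byte(baseJSON), &cfg); err != nil {
		return nil, fmt.Errorf("base config: %w", err)
	}
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		var snip map[string]any
		if err := json.Unmarshal([]byte(files[n]), &snip); err != nil {
			return nil, fmt.Errorf("%s: %w", n, err)
		}
		mergeSnippet(cfg, snip)
	}
	return cfg, nil
}

func main() {
	fmt.Println(MergeDropIns(SampleBase, SampleDropIns))
}
```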
This patch modifies kubelet to get the cgroup driver setting from the
CRI runtime using the newly added RuntimeConfig rpc. The new code path
only takes place if the KubeletCgroupDriverFromCRI feature gate is
enabled. If the runtime returns a not-implemented error kubelet falls
back to using the cgroupDriver configuration option, with a log message
instructing the user to upgrade to a newer container runtime. Other rpc
errors cause kubelet to exit as is the case if the runtime returns an
unknown cgroup driver.
This patch refactors the kubelet startup code to initialize the runtime
service earlier in the startup sequence. We want this to be able to
query the cgroup driver setting from the CRI before initializing the
cgroup manager.
The `dry-run` flag could be used with the config file, since it was not
configurable in the config file.
Make it configurable in v1beta4, so that eventually, kubeadm could deprecate
the flag and suggest to use the config file instead.
Signed-off-by: Dave Chen <dave.chen@arm.com>
* [API REVIEW] ValidatingAdmissionPolicyStatusController config.
worker count.
* ValidatingAdmissionPolicyStatus controller.
* remove CEL typechecking from API server.
* fix initializer tests.
* remove type checking integration tests
from API server integration tests.
* validatingadmissionpolicy-status options.
* grant access to VAP controller.
* add defaulting unit test.
* generated: ./hack/update-codegen.sh
* add OWNERS for VAP status controller.
* type checking test case.
When someone decides that a Pod should definitely run on a specific node, they
can create the Pod with spec.nodeName already set. Some custom scheduler might
do that. Then kubelet starts to check the pod and (if DRA is enabled) will
refuse to run it, either because the claims are still waiting for the first
consumer or the pod wasn't added to reservedFor. Both are things the scheduler
normally does.
Also, if a pod got scheduled while the DRA feature was off in the
kube-scheduler, a pod can reach the same state.
The resource claim controller can handle these two cases by taking over for the
kube-scheduler when nodeName is set. Triggering an allocation is simpler than
in the scheduler because all it takes is creating the right
PodSchedulingContext with spec.selectedNode set. There's no need to list nodes
because that choice was already made, permanently. Adding the pod to
reservedFor also isn't hard.
What's currently missing is triggering de-allocation of claims to re-allocate
them for the desired node. This is not important for claims that get created
for the pod from a template and then only get used once, but it might be
worthwhile to add de-allocation in the future.
TL;DR: we want to start failing the LB HC if a node is tainted with ToBeDeletedByClusterAutoscaler.
This field might need refinement, but currently is deemed our best way of understanding if
a node is about to get deleted. We want to do this only for eTP:Cluster services.
The goal is to connection-drain terminating nodes.
Normal binaries should never have to do this. It's not safe when there are
already some goroutines running which might do logging. Therefore the new
default is to return an error when a binary accidentally re-applies.
A few unit tests ensure that there are no goroutines and have to call the functions
more than once. The new ResetForTest API gets used by those to enable changing the
logging settings more than once in the same process.
Integration tests use the same code as the normal binaries. To make reuse of
that code safe, component-base/logs can be configured to silently ignore any
additional calls. This addresses data races that were found when enabling -race
for integration tests. To catch cases where the integration test does want
to modify the config, the old and new config get compared and an error is
raised when it's not the same.
To avoid having to modify all integration tests which start test servers,
reconfiguring component-base/logs is done by the test server packages.
getLocalDetector() used to pass a utiliptables.Interface to
NewDetectLocalByCIDR() so that NewDetectLocalByCIDR() could verify
that the passed-in CIDR was of the same family as the iptables
interface. It would make more sense for getLocalDetector() to verify
this itself and just *not call NewDetectLocalByCIDR* if the families
don't match, and that's what the code does now. So there's no longer
any need to pass the utiliptables.Interface to the local detector.
Since the single-stack and dual-stack local-detector-getters now have
the same behavior in terms of error-checking and dual-stack config, we
can just replace the contents of getDualStackLocalDetectorTuple() with
a pair of calls to getLocalDetector().
1. When bringing up a single-stack kube-proxy in a dual-stack cluster,
allow using either the primary or secondary IP family.
2. Since the earlier config-checking code will already have bailed out
if the single-stack configuration is unusably broken, we don't need to
do that here. Instead, just return a no-op local detector if there are
no usable CIDRs of the expected IP family.
Rather than having this as part of createProxier(), explicitly figure
out what IP families the proxier can support beforehand, and bail out
if this conflicts with the detected IP family.
Place the tests in common_tests.go on the backend side in
common_tests.go. A test for migrate TestMigrateOldConfig
was already present there. Apply slightly better coverage to it
and rename desc -> name.
Fix typo in argument oldConfig -> config in ValidateConfig().
The test required two APIs to be available to test for migration.
Keep it simple and use a variable "gv" on top of the function body
to easily swap the version to be tested once an old API is deleted.
e.g. currently v1beta3 is the "old" API, v1beta4 is the "new" one.
Ultimately, this test only makes sure that the expected kinds are
available post migration.
Add the flag --allow-experimental-api to the "config migrate" and
"config validate" commands. The flag allows validating / migrating-to
an unreleased / experimental API version.
Add a new experimentalAPIVersions map in validateSupportedVersion()
that contains v1beta4.
Move the defaulting of the BootstrapToken type inside the
bootstraptoken/v1 package. This prevents an error where
codegen complains that a defaulter for the type exists in both
the kubeadm v1beta3 and v1beta4.
Adapt kubeadm code to use the defaulter function and constants
that were moved to bootstraptoken/v1.
NOTE: technically this is a breaking change for direct users of
v1beta3/SetDefaults_BootstrapToken().
- drop versions < 1.22 in the etcd map
- use 3.5.9-0 for >= 1.22 versions
- make the minimum version for external etcd 3.4.13-4 and max 3.5.9-0
- update images_test to not rely on a pinned etcd version in tests
note: the image 3.4.18-0 was never released in registry.k8s.io!
Since kube-proxy in LocalModeNodeCIDR needs to obtain the PodCIDR
assigned to the node, it watches for the Node object.
However, the kube-proxy startup process requires having these watches in
different places, which opens the possibility of a race condition
if the same node is recreated and a different PodCIDR is assigned.
Initializing the second watch with the value obtained in the first one
allows us to detect this situation.
Change-Id: I6adeedb6914ad2afd3e0694dcab619c2a66135f8
Signed-off-by: Antonio Ojea <aojea@google.com>
The command can be used to validate an input --config and throw
warnings and errors.
Add a new argument strctErrors to the functions
documentMapTo{Init|Join}Configuration(). This allows
to return errors from the calls to VerifyUnmarshalStrict().
Add a new function verifyKnownGVKs() in config/common.go
that is used to verify if a list of GVKs in a config file is
known. This function is used by the "validate" and "migrate"
commands.
Both commands now throw errors for unknown APIs or fields.
Move the Linux-specific conntrack setup code into a new
"platformSetup" rather than trying to fit it into the generic setup
code.
Also move metrics registration there.
TestBindToCommandArgRequirements has a .Pointer()
comparison that is not guaranteed to pass given
the reflected functions are closures.
This test is consistently failing on Go 1.21 rc1.
Remove said comparison from the test.
Before this commit, kubeadm starts kubelet before it creates
/etc/kubernetes/manifests. On boot, kubelet tries to load the
static pod manifests from this dir by calling `listConfig()`
7ad8303b96/pkg/kubelet/config/file.go (L97)
and it'll then try to start a file watcher every second for 20s
7ad8303b96/pkg/kubelet/config/file.go (L114)
7ad8303b96/pkg/kubelet/config/file_linux.go (L51-L67)
If kubelet starts and calls `listConfig()` before kubeadm creates
`/etc/kubernetes/manifests` (while writing the static pods manifests),
the file watcher will be created less than a second after, but there
will be no changes to report, so the manifests will only be detected
on the next tick of `listTicker`, a bit less than 20s later
7ad8303b96/pkg/kubelet/config/file.go (L102-L103)
Even if we fixed the watch code to `listConfig()` just after starting the
inotify watch, watching source file is only supported on linux,
so moving the manifests generation before kubelet start fixes all
cases and makes more sense IMO.
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
If the scheduler fails to become active (elected, if leader election is enabled),
setting this option will not start informers, so as to avoid memory
overhead.
Signed-off-by: Eric Lin <exlin@google.com>
kubelet option '--image-gc-low-threshold' description says it 'should not be larger than that of --image-gc-high-threshold'. But actually, it must be less than '--image-gc-high-threshold', according to 02659772cb/pkg/kubelet/apis/config/validation/validation.go (L84)
If the etcd member is not found, then it has already been removed, and
kubeadm reset should immediately complete the 'remove-etcd-member'
phase. Previously, the phase would complete only once the
exponential-backoff retry expired, up to 3 minutes duration.
This commit also fixes a semantic error in etcd.GetMemberID. Previously,
the function returned 0 if no member was found, but 0 is not a valid
member ID.
* update serial number to a valid non-zero number in ca certificate
* fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
Rather than duplicating some of the KubeProxyConfiguration into
ProxyServer, just store the KubeProxyConfiguration itself so later
code can reference it directly.
For the fields that get platform-specific defaults (Mode,
DetectLocalMode), fill the defaults directly into the
KubeProxyConfiguration rather than keeping the original there and the
defaulted version in the ProxyServer.
Validate the --detect-local-mode value in the API object validation
rather than doing it separately later. Also, remove runtime checks and
unit tests for cases that would be blocked by validation.
This touches cases where FromInt() is used on numeric constants, or
values which are already int32s, or int variables which are defined
close by and can be changed to int32s with little impact.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
This commit syncs RBAC from coredns/deployment and removes a get nodes
RBAC.
Historically the federation CoreDNS plugin needed the nodes resource to
fetch zone and region labels.
However, the CoreDNS federation plugin was deprecated and cleaned up a
long time ago and removed the Nodes RBAC requirement here in
`coredns/deployment` coredns.yaml.sed:
https://github.com/coredns/deployment/pull/229
This change however, never made it to `kubernetes/kubernetes`.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
testing.T.Cleanup ensures the environment is restored after a test and
any of its parallel sub-tests. It's possible that some of these can be
simplified further to T.Setenv(key, ""), but I did not investigate.
T.Setenv ensures that the environment is returned to its prior state
when the test ends. It also panics when called from a parallel test to
prevent racy test interdependencies.