- 31 May, 2017 40 commits
-
-
Daniel Smith authored
-
Daniel Smith authored
Also fix a bug in rest client
-
Jeremy Whitlock authored
-
Jeremy Whitlock authored
As part of https://github.com/kubernetes/community/pull/132, thsi commit adds a generic webhook admission controller. This plugin allows for a completely declarative approach for filtering/matching admission requests and for matching admission requests, calls out to an external webhook for handling admission requests.
-
Jeremy Whitlock authored
-
Jeremy Whitlock authored
To properly register the types in the admission API group we need to create an "install" package and wire it up. This is required by the webhook admission controller being developed as part of https://github.com/kubernetes/community/pull/132
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue hack/update-swagger-spec.sh: use posix regex syntax `\s` is a GNU extension, breaking builds with BSD sed.
-
Dr. Stefan Schimanski authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Check volume's status before detaching volume When volume's status is 'detaching', controllermanager will detach it again and return err. It is necessary to check volume's status before detaching volume. same issue: #44536
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue clientgo/examples: Add CRUD Deployment sample
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46661, 46562, 46657, 46655, 46640) Improve validation of active deadline seconds **What this PR does / why we need it**: Improve validation of active deadline seconds to not allow it to be larger than max uint32. If users choose a value that is too large, the conversion of that value to a duration in seconds can cause an overflow. I see no practical benefit of having a value larger than uint32 at this time. xref: https://bugzilla.redhat.com/show_bug.cgi?id=1456156 **Release note**: ```release-note Restrict active deadline seconds max allowed value to be maximum uint32 ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46661, 46562, 46657, 46655, 46640) Implement kubectl get controllerrevisions Before: ```console $ kubectl get controllerrevisions error: unknown type &apps.ControllerRevision{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{....}...} ``` After: ```console $ kubectl get controllerrevisions NAME CONTROLLER REVISION AGE foo-2312378 DaemonSet/foo 1 2d ``` **Release note**: ```release-note ``` @kubernetes/sig-apps-pr-reviews @kubernetes/sig-cli-maintainers -
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46661, 46562, 46657, 46655, 46640) remove openvpn and nginx from salt only used in azure which doesn't exist.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46661, 46562, 46657, 46655, 46640) remove redundant carriage return for readable **What this PR does / why we need it**: remove redundant carriage to make it more readable.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Plumb through the ENABLE_LEGACY_ABAC flag for GKE kube-up. **What this PR does / why we need it**: Makes the "gke" provider in `cluster/` respect the `ENABLE_LEGACY_ABAC` env var by plumbing it through to the `--enable-legacy-authorization` gcloud flag.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46394, 46650, 46436, 46673, 46212) Remove deprecated variable RBACSuperUser authorization-rbac-super-user is deprecated now. So we can remove the vaiable. Further more the comment about this variable is wrong. Remove them also. **Release note**: ```NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46394, 46650, 46436, 46673, 46212) fix typos in pkg/apis/componentconfig/types.go **What this PR does / why we need it**: fix several typos in `pkg/apis/componentconfig/types.go`
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46394, 46650, 46436, 46673, 46212) refactor and export openstack service clients **What this PR does / why we need it**: Refactor and export openstack service client. Exporting OpenStack client so other projects can use the them to call functions that are not implemented in openstack cloud providers yet. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46394, 46650, 46436, 46673, 46212) Update ip-masq-agent addon with latest image. https://github.com/kubernetes-incubator/ip-masq-agent/releases
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46394, 46650, 46436, 46673, 46212) Write "kubectl options" help message to stdout, not stderr Fix a very minor issue causing `kubectl` to write its help messages to `stderr` instead of `stdout`. Try this: `kubectl options | grep log` It should print only the options related to logging, but right now it prints the entire help menu (since it's printing to stderr). This patch brings us closer to unix convention and reduces user friction. ~~Another use case (if a user can't remember whether it's `-r` or `-R` for recursion):~~ ~~`kubectl patch -h | grep recursive`~~ Update: this patch only affects `kubectl options`. The other commands are working as intended. **Release note**: ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654) kubelet status manager: short-circut the evaluation if possible This avoids redundant checks in the `PodResourcesAreReclaimed`, which also logs misleading "Pod is terminated" messages on every check /cc @kubernetes/sig-node-pr-reviews
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654) Use meta.v1 GroupVersionKind with json tags to generate OpenAPI spec We are using two different GVK struct in generation of OpenAPI extensions. This PR unify that and also add json tags to meta.v1 GVK to comply with json naming system in other serializations. Also the value of Action extension is now lowercase. ref: https://github.com/kubernetes/kubernetes/pull/46388
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654) Local storage plugin **What this PR does / why we need it**: Volume plugin implementation for local persistent volumes. Scheduler predicate will direct already-bound PVCs to the node that the local PV is at. PVC binding still happens independently. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Part of #43640 **Release note**: ``` Alpha feature: Local volume plugin allows local directories to be created and consumed as a Persistent Volume. These volumes have node affinity and pods will only be scheduled to the node that the volume is at. ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654) kubelet/network: report but tolerate errors returned from GetNetNS() Runtimes should never return "" and nil errors, since network plugin drivers need to treat netns differently in different cases. So return errors when we can't get the netns, and fix up the plugins to do the right thing. Namely, we don't need a NetNS on pod network teardown. We do need a netns for pod Status checks and for network setup. @kubernetes/rh-networking @kubernetes/sig-network-bugs @DirectXMan12
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Node authorizer This PR implements the authorization portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279: * Adds a new authorization mode (`Node`) that authorizes requests from nodes based on a graph of related pods,secrets,configmaps,pvcs, and pvs: * Watches pods, adds edges (secret -> pod, configmap -> pod, pvc -> pod, pod -> node) * Watches pvs, adds edges (secret -> pv, pv -> pvc) * When both Node and RBAC authorization modes are enabled, the default RBAC binding that grants the `system:node` role to the `system:nodes` group is not automatically created. * Tightens the `NodeRestriction` admission plugin to require identifiable nodes for requests from users in the `system:nodes` group. This authorization mode is intended to be used in combination with the `NodeRestriction` admission plugin, which limits the pods and nodes a node may modify. To enable in combination with RBAC authorization and the NodeRestriction admission plugin: * start the API server with `--authorization-mode=Node,RBAC --admission-control=...,NodeRestriction,...` * start kubelets with TLS boostrapping or with client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` ```release-note kube-apiserver: a new authorization mode (`--authorization-mode=Node`) authorizes nodes to access secrets, configmaps, persistent volume claims and persistent volumes related to their pods. * Nodes must use client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` in order to be authorized by the node authorizer (the credentials obtained by the kubelet via TLS bootstrapping satisfy these requirements) * When used in combination with the `RBAC` authorization mode (`--authorization-mode=Node,RBAC`), the `system:node` role is no longer automatically granted to the `system:nodes` group. ``` ```release-note RBAC: the automatic binding of the `system:node` role to the `system:nodes` group is deprecated and will not be created in future releases. It is recommended that nodes be authorized using the new `Node` authorization mode instead. Installations that wish to continue giving all members of the `system:nodes` group the `system:node` role (which grants broad read access, including all secrets and configmaps) must create an installation-specific ClusterRoleBinding. ``` Follow-up: - [ ] enable e2e CI environment with admission and authorizer enabled (blocked by kubelet TLS bootstrapping enablement in https://github.com/kubernetes/kubernetes/pull/40760) - [ ] optionally enable this authorizer and admission plugin in kubeadm - [ ] optionally enable this authorizer and admission plugin in kube-up
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Fix Cross-Build, and reduce test to 1 restart to reduce flakyness In response to https://github.com/kubernetes/kubernetes/pull/46308#issuecomment-304248450 This fixes the error: `test/e2e_node/summary_test.go:138: constant 100000000000 overflows int` from the cross build. This [recent flake](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-node-kubelet/4179) was because the container restarted during the period where the test expected to Continually see the container in the Summary API. /assign @dchen1107 cc @gmarek @luxas /release-note-none
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Update 'fluentd-elasticsearch' image. **What this PR does / why we need it**: Plugins updated for `fluentd-elasticsearch`: - fluent-plugin-elasticsearch 1.5.0 -> 1.9.5 - fluent-plugin-kubernetes_metadata 0.24.0 -> 0.27.0 **Release note**: ```release-note NONE ```
-
Di Xu authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415) Update url information to prevent http 304 redirection Although repo [https://github.com/GoogleCloudPlatform/kubernetes](https://github.com/GoogleCloudPlatform/kubernetes) still can be access, but I think one more 304 redirection is no needed ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415) Certificate rotation for kubelet server certs. Replaces the current kubelet server side self signed certs with certs signed by the Certificate Request Signing API on the API server. Also renews expiring kubelet server certs as expiration approaches. Two Points: 1. With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will request a certificate during the boot cycle and pause waiting for the request to be satisfied. 2. In order to have the kubelet's certificate signing request auto approved, `--insecure-experimental-approve-all-kubelet-csrs-for-group=` must be set on the cluster controller manager. There is an improved mechanism for auto approval [proposed](https://github.com/kubernetes/kubernetes/issues/45030). **Release note**: ```release-note With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will request a server certificate from the API server during the boot cycle and pause waiting for the request to be satisfied. It will continually refresh the certificate as the certificates expiration approaches. ``` -
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415) fix a comment and log message in the nodecontroller I was poking around in the nodecontroller code and this looked wrong.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415) migrate group approver to use subject access reviews WIP, needs test and changes to kubeadm depends on https://github.com/kubernetes/kubernetes/pull/45514
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Switch gcloud compute copy-files to scp gcloud is deprecating `gcloud compute copy-files` and switching to `gcloud compute scp`. Make the change before things start to break. https://cloud.google.com/sdk/gcloud/reference/compute/copy-files Warnings we get: `W0529 10:28:59.097] WARNING: `gcloud compute copy-files` is deprecated. Please use `gcloud compute scp` instead. Note that `gcloud compute scp` does not have recursive copy on by default. To turn on recursion, use the `--recurse` flag.` /cc @jlowdermilk
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 44061, 46614, 46419, 46628, 46134) clientgo/examples/out-of-cluster: add instructions
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 44061, 46614, 46419, 46628, 46134) cleanup kubelet new node status test **What this PR does / why we need it**: this scopes the test to just testing allocatable values. extra parts of the original test were copied from another test that was not relevant.
-
Kubernetes Submit Queue authored
Merge pull request #46419 from bruceauyeung/k8s-branch-fix-make-release-doesnt-respect-go-build-flags Automatic merge from submit-queue (batch tested with PRs 44061, 46614, 46419, 46628, 46134) fix make release/quick-release doesn't respect go build flags **What this PR does / why we need it**: k8s build process run `make cross` in a docker container, so we have to pass make command line variables to docker container, then each environment variable in docker container will be transformed into a makefile variable with the same name and value. with this PR, `make release GOFLAGS=xx GOLDFLAGS=xx GOGCFLAGS=xx`, `make quick-release GOFLAGS=xx GOLDFLAGS=xx GOGCFLAGS=xx` will work as expected **Which issue this PR fixes**: fixes #46274
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 44061, 46614, 46419, 46628, 46134) Remove glusterfs fuse client mount library version check for `auto_unmount` mount option.
-
Janet Kuo authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue kubelet: group all container-runtime-specific flags/options into a separate struct They don't belong in the KubeletConfig. This addresses #43253
-
Huamin Chen authored
Signed-off-by:Huamin Chen <hchen@redhat.com>
-