Updated patches for Kubernetes v1.24 (#1825)

* Updated patches for Kubernetes v1.24 * Checksums
aws · Mar 9, 2023 · 924cb74 · 924cb74
1 parent 1c2218d
commit 924cb74
Show file tree

Hide file tree

Showing 4 changed files with 61,767 additions and 26,183 deletions.
diff --git a/projects/kubernetes/kubernetes/1-24/CHECKSUMS b/projects/kubernetes/kubernetes/1-24/CHECKSUMS
@@ -1,19 +1,19 @@
-91d65195c9e6c70d3f91021c48840d9e09e3e48c053faa04cb54d6a03a69fc8b  _output/1-24/bin/darwin/amd64/kubectl
-5f30a959e350845e84e338fbdfbd724091aeec0346dd225a7c3ebf9fd1b1ab5a  _output/1-24/bin/linux/amd64/kube-apiserver
-3c89f88063938cc3ede7557bb19378683d700d5d0ba0a5bdf4e04d22508af705  _output/1-24/bin/linux/amd64/kube-controller-manager
-944161e7420f3fb855082416a4b18622397bc4dfd3c31035a715c724c8bb762a  _output/1-24/bin/linux/amd64/kube-proxy
-75a213b838e21a62c3997d0500a6e83964e9347d8e82835ee4080e458992c9d9  _output/1-24/bin/linux/amd64/kube-scheduler
-5d57301716ec2ac7299fd56f637176f0ccb819d717718d3ed82be6b8eb547607  _output/1-24/bin/linux/amd64/kubeadm
-2bbe8660728cbda8622cb4b989f18f463ed83b1d95e7fa10cf9301d62ac39ac7  _output/1-24/bin/linux/amd64/kubectl
-f1d4a76a8bb9a0c21862bf96dc2f7f8abedd0e551fbdaaaa8f9330a5b298937c  _output/1-24/bin/linux/amd64/kubelet
-16abb76446c9b088477fef906020aba865fe3c42904f509a8650b24f4f40e85c  _output/1-24/bin/linux/arm64/kube-apiserver
-d4bb7bd6f590d512ade3694a3b23eba146fa1899df921073dd2a012d5acdf11f  _output/1-24/bin/linux/arm64/kube-controller-manager
-ef477ea005b6d05a94f33b41ba22edac006df639b812fef3bff875423297ec2d  _output/1-24/bin/linux/arm64/kube-proxy
-d4337f2a81cca1058928980c90b733ff9accaba7b7198bc2f9faffa4599f8067  _output/1-24/bin/linux/arm64/kube-scheduler
-37b15bffb2178423694024173ff36fb91e1dc08808922ff992479644f1e602fc  _output/1-24/bin/linux/arm64/kubeadm
-6b99f5d4eb30a689efb6b6bdcc859de3e92eda64f72439ed72585c920ad4a199  _output/1-24/bin/linux/arm64/kubectl
-f6e27218cc97d25df9ba1d35b90ca4b568477ac84bee33719f6fb4db169f11f3  _output/1-24/bin/linux/arm64/kubelet
-27bf5db5577647f583dc4ed52aeed722aaa05a8c948c14ba9d326fd22ab77ff4  _output/1-24/bin/windows/amd64/kube-proxy.exe
-ea89e2f5f71592e2509a48baad2db9396f05f22801201e18f9d6ecced9a01369  _output/1-24/bin/windows/amd64/kubeadm.exe
-dbab590c310781589a5619a1a6063e587cbe1d8383e5eba28a3dc6359d82b2da  _output/1-24/bin/windows/amd64/kubectl.exe
-4124eca9d75d7597ccd11b27a1f4393055f42dfefe58b8183bcfc9500d97264e  _output/1-24/bin/windows/amd64/kubelet.exe
+602226dac5976e664b01788e3fa8ec4d50bc972d124f0142db8420d519ec2b74  _output/1-24/bin/darwin/amd64/kubectl
+27bbd403334d276aa2cb67ae1baa53386caa8d784d72315ba6407a8cdf18a94d  _output/1-24/bin/linux/amd64/kube-apiserver
+4dfedb2b7a84b2d19d46ded5bac8fe9ec95ca78938e65568df8ced6caf0515fd  _output/1-24/bin/linux/amd64/kube-controller-manager
+0165fe89dccb9b269f9e8dc3e42da1e1a3ac9e7fb3f10d7ebe63bd7958b4b662  _output/1-24/bin/linux/amd64/kube-proxy
+56332f63adf81265c96188c252d0c859bf21ed65dd8b5ee04907b5c31c602dc3  _output/1-24/bin/linux/amd64/kube-scheduler
+9f03f77682ba537504034e42ddf88fb012bdaa48232975b78b5a216224b10031  _output/1-24/bin/linux/amd64/kubeadm
+fbfa08b33aa0256c0ceff1b30e18b9f8eea7021ea708ce1b6838bc368550ca6e  _output/1-24/bin/linux/amd64/kubectl
+298154128270541ea6c1c30ba02cc93f2c78eb3a905b7532f5ffa5b1c408eb2b  _output/1-24/bin/linux/amd64/kubelet
+cc0ef90296829e3b5af8e21177aa6e9787ec87eacd117dc4afe6622d545e08da  _output/1-24/bin/linux/arm64/kube-apiserver
+4dbb9c699a4f7938f3de668f8fd8a064277178f0c70be25da170093ec42fe9df  _output/1-24/bin/linux/arm64/kube-controller-manager
+3fc0ca9b3bf7f7d0c81409488295f5cc0fb1a8fb3a986048fcf582d8c09e47d5  _output/1-24/bin/linux/arm64/kube-proxy
+38193177d51d00edd21570df313bbb7af4ad17e871839d8caa0be03d00d42c62  _output/1-24/bin/linux/arm64/kube-scheduler
+525b29fa17b3b92a69c6c563528a80fb46aba35e649a0dee9023ac6f234531d4  _output/1-24/bin/linux/arm64/kubeadm
+c1e418afbf4ac749ee43c26d738d48b2557f834235396275923ba94fb45487b8  _output/1-24/bin/linux/arm64/kubectl
+1b32ec6afb8039b1bc1decaddae7e7b05c5c2646da84dda730646973372154cf  _output/1-24/bin/linux/arm64/kubelet
+4d39bb1c6f59f28a0a73a2557c77918759f2ad6cdb1e17ffcc6f6ac59103f648  _output/1-24/bin/windows/amd64/kube-proxy.exe
+91d567170b6389079affba227bb435401b3753672dc6e3c3414a1d0c59fbfe80  _output/1-24/bin/windows/amd64/kubeadm.exe
+302c1da35e2f5df9ec57291694853e2a27fba28409350aa19b55a35a817b2935  _output/1-24/bin/windows/amd64/kubectl.exe
+f0cd9d28080319055658a9c90c802c177c7d7fd4c5a232c455e608fee85e79b0  _output/1-24/bin/windows/amd64/kubelet.exe
diff --git a/...rnetes/kubernetes/1-24/patches/0002-EKS-PATCH-admission-webhook-exclusion-from-file.patch b/...rnetes/kubernetes/1-24/patches/0002-EKS-PATCH-admission-webhook-exclusion-from-file.patch
@@ -9,26 +9,26 @@ https://github.com/kubernetes/kubernetes/issues/92157
 This change allows for the bypassing of admission controller webhook
 for certain resources.
 ---
- .../generic/exclusionrules/exclusion.go       | 149 ++++++
- .../generic/exclusionrules/exclusion_test.go  | 425 ++++++++++++++++++
+ .../exclusionrules/critical_path_excluder.go  | 152 +++++++
+ .../critical_path_excluder_test.go            | 427 ++++++++++++++++++
  .../webhook/generic/exclusionrules/matcher.go |  81 ++++
  .../generic/exclusionrules/matcher_test.go    | 333 ++++++++++++++
- .../plugin/webhook/generic/webhook.go         |   5 +
- .../webhook_exclusion_rules_test.go           | 278 ++++++++++++
+ .../plugin/webhook/generic/webhook.go         |  24 +
+ .../webhook_exclusion_rules_test.go           | 281 ++++++++++++
  vendor/modules.txt                            |   1 +
- 7 files changed, 1272 insertions(+)
- create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
- create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
+ 7 files changed, 1299 insertions(+)
+ create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
+ create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
  create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher.go
  create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher_test.go
  create mode 100644 test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
 
-diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
+diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
 new file mode 100644
-index 00000000000..31c2247580e
+index 00000000000..65abc4496a8
 --- /dev/null
-+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
-@@ -0,0 +1,149 @@
++++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
+@@ -0,0 +1,152 @@
 +package exclusionrules
 +
 +import (
@@ -40,11 +40,10 @@ index 00000000000..31c2247580e
 +)
 +
 +// Enables you to pass a config file to kube-api-server
-+// that defines resources to exempt from admission webhooks.
 +const ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR = "EKS_PATCH_EXCLUSION_RULES_FILE"
 +
-+func init() {
-+	LoadRules()
++type CriticalPathExcluder struct {
++	exclusionRules []ExclusionRule
 +}
 +
 +type ExclusionRule struct {
@@ -76,24 +75,33 @@ index 00000000000..31c2247580e
 +	Scope *v1.ScopeType `json:"scope,omitempty"`
 +}
 +
-+var exclusionRules []ExclusionRule
++func NewCriticalPathExcluder() CriticalPathExcluder {
++	exclusionRulesFromFile := readFile()
++	filteredExclusionRules := filterValidRules(exclusionRulesFromFile)
++	return CriticalPathExcluder{
++		exclusionRules: filteredExclusionRules,
++	}
++}
 +
 +func readFile() []ExclusionRule {
 +	//Default values for backwards compatability for eks-d
++	namespace := v1.NamespacedScope
 +	defaultExclusion := []ExclusionRule{
 +		{
 +			APIGroup:   "coordination.k8s.io",
 +			APIVersion: "v1",
 +			Kind:       "Lease",
 +			Namespace:  "kube-system",
 +			Name:       []string{"kube-controller-manager", "kube-scheduler"},
++			Scope:      &namespace,
 +		},
 +		{
 +			APIGroup:   "",
 +			APIVersion: "v1",
 +			Kind:       "Endpoints",
 +			Namespace:  "kube-system",
 +			Name:       []string{"kube-controller-manager", "kube-scheduler"},
++			Scope:      &namespace,
 +		},
 +	}
 +
@@ -164,26 +172,21 @@ index 00000000000..31c2247580e
 +	return false
 +}
 +
-+func LoadRules() {
-+	exclusionRulesFromFile := readFile()
-+	exclusionRules = filterValidRules(exclusionRulesFromFile)
-+}
-+
-+func ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
-+	for _, r := range exclusionRules {
++func (excludor CriticalPathExcluder) ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
++	for _, r := range excludor.exclusionRules {
 +		m := Matcher{ExclusionRule: r, Attr: attr}
 +		if m.Matches() {
 +			return true
 +		}
 +	}
 +	return false
 +}
-diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
+diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
 new file mode 100644
-index 00000000000..ab6da215728
+index 00000000000..481348aa463
 --- /dev/null
-+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
-@@ -0,0 +1,425 @@
++++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
+@@ -0,0 +1,427 @@
 +package exclusionrules
 +
 +import (
@@ -296,8 +299,10 @@ index 00000000000..ab6da215728
 +	}
 +	for _, testcase := range testcases {
 +		t.Run(testcase.name, func(t *testing.T) {
-+			exclusionRules = testcase.exclusionRules
-+			result := ShouldSkipWebhookDueToExclusionRules(testcase.attr)
++			criticalPathExcluder := CriticalPathExcluder{
++				exclusionRules: testcase.exclusionRules,
++			}
++			result := criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(testcase.attr)
 +			if result != testcase.result {
 +				t.Fatalf("Unexpected result %v for test case %v", result, testcase.name)
 +			}
@@ -1036,22 +1041,55 @@ index 00000000000..3f7abbb9d90
 +	}
 +}
 diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
-index c04225e94f7..f12f920e29e 100644
+index c04225e94f7..8d9c56c9db6 100644
 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
 +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
-@@ -20,6 +20,7 @@ import (
+@@ -20,6 +20,8 @@ import (
  	"context"
  	"fmt"
  	"io"
 +	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"
-
++	"sync"
+
  	admissionv1 "k8s.io/api/admission/v1"
  	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-@@ -153,6 +154,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
+@@ -38,6 +40,20 @@ import (
+ 	clientset "k8s.io/client-go/kubernetes"
+ )
+
++var criticalPathExcluder exclusionrules.CriticalPathExcluder
++var LoadCriticalPathExcluder *sync.Once
++
++func init() {
++	// We are using a pointer to sync.Once in order to "reset" the sync.Once within our integration tests
++	// so that when the integration test api-server starts up, sync.Once has not been exhausted
++	// this is required because LoadCriticalPathExcluder is a global variable and when a suite of tests run
++	// the first test that starts an api-server will use up the sync.Once and subsequent launches of the api-server will
++	// not try to load the exclusion rules.
++	// see: test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
++	// see: https://github.com/golang/go/issues/25955#issuecomment-398278056
++	LoadCriticalPathExcluder = new(sync.Once)
++}
++
+ // Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
+ type Webhook struct {
+ 	*admission.Handler
+@@ -85,6 +101,10 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
+ 	cm.SetAuthenticationInfoResolver(authInfoResolver)
+ 	cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())
+
++	LoadCriticalPathExcluder.Do(func() {
++		criticalPathExcluder = exclusionrules.NewCriticalPathExcluder()
++	})
++
+ 	return &Webhook{
+ 		Handler:          handler,
+ 		sourceFactory:    sourceFactory,
+@@ -153,6 +173,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
  		return nil, nil
  	}
 
-+	if exclusionrules.ShouldSkipWebhookDueToExclusionRules(attr) {
++	if criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(attr) {
 +		return nil, nil
 +	}
 +
@@ -1060,18 +1098,20 @@ index c04225e94f7..f12f920e29e 100644
  		m := rules.Matcher{Rule: r, Attr: attr}
 diff --git a/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
 new file mode 100644
-index 00000000000..0575b054b10
+index 00000000000..3388050d507
 --- /dev/null
 +++ b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,281 @@
 +package admissionwebhook
 +
 +import (
 +	"context"
 +	"fmt"
 +	coordinationv1 "k8s.io/api/coordination/v1"
++	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 +	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"
 +	"os"
++	"sync"
 +	"testing"
 +	"time"
 +
@@ -1094,6 +1134,7 @@ index 00000000000..0575b054b10
 +)
 +
 +func TestWebhookExclusionRulesNoEnvVarSet(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	t.Logf("starting server")
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
@@ -1113,6 +1154,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRulesEnvVarSetNoFile(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +
@@ -1126,7 +1168,6 @@ index 00000000000..0575b054b10
 +	if err != nil {
 +		t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
 +	}
-+	exclusionrules.LoadRules()
 +
 +	createBrokenWebhook(t, client)
 +
@@ -1140,6 +1181,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRulesEnvVarSetBadFile(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	// Test env var set, bad file, should be broken webhook
 +	err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
 +	if err != nil {
@@ -1151,7 +1193,6 @@ index 00000000000..0575b054b10
 +	}
 +	defer os.Remove(exclusionRulesFile)
 +
-+	exclusionrules.LoadRules()
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +
@@ -1171,6 +1212,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRules(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
 +	if err != nil {
 +		t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
@@ -1194,7 +1236,6 @@ index 00000000000..0575b054b10
 +	}
 +	defer os.Remove(exclusionRulesFile)
 +
-+	exclusionrules.LoadRules()
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +