Updated patches for Kubernetes v1.25 (aws#1826)

* Updated patches for Kubernetes v1.25 * Checksums
danbudris · Sep 25, 2023 · 715b4e6 · 715b4e6
1 parent 1e45229
commit 715b4e6
Show file tree

Hide file tree

Showing 4 changed files with 61,764 additions and 26,181 deletions.
diff --git a/projects/kubernetes/kubernetes/1-25/CHECKSUMS b/projects/kubernetes/kubernetes/1-25/CHECKSUMS
@@ -1,19 +1,19 @@
-b593abf9ea06e756c5d46cc6dc4eb4e639903f83ee6fd85d1c453a7712499c56  _output/1-25/bin/darwin/amd64/kubectl
-d0f6c342aa6f0384c8b947c989ff23840e05166fa3f92dae3df07e2b48467bae  _output/1-25/bin/linux/amd64/kube-apiserver
-3fc04374003bda85c13e536660e247345cc04d78f9bfbd22273db78d7d566139  _output/1-25/bin/linux/amd64/kube-controller-manager
-4cf7db9846df1218c26f10d5e5513d8052c31da0f4ea45ee8e84660e90aa8f66  _output/1-25/bin/linux/amd64/kube-proxy
-48eab073cb951389bc1d744e55fbc11272d54d304b2d40c6ee5f8a66b2de41be  _output/1-25/bin/linux/amd64/kube-scheduler
-be31f9dc4a3d9accf3c9442eacdc600ccedcb89e64a8011784202dc38770b2b0  _output/1-25/bin/linux/amd64/kubeadm
-793c5f19f9b6a70da33e03fc41b1dabb161cf134e81153ac7219d8c7e15dd6c8  _output/1-25/bin/linux/amd64/kubectl
-c55d75c66124cbd660948e00549b218ed7e9b834cffc3c44fdb89cb3cee9bc76  _output/1-25/bin/linux/amd64/kubelet
-0924d84fe1903eec195c4fd236941a23ed4c6235621752a499bdd56530644bca  _output/1-25/bin/linux/arm64/kube-apiserver
-445402428a49c99247a6a332e76d4842f90ed1372457bd441570aa5fef45c334  _output/1-25/bin/linux/arm64/kube-controller-manager
-12471c7d94e9d27972ec3a636b9e84b4882acdaca54498eb613ea278cad4cac2  _output/1-25/bin/linux/arm64/kube-proxy
-673d93cee31eeabb3ed9c82d07da40729f9cd5eb1657dff82e4b9c893517d202  _output/1-25/bin/linux/arm64/kube-scheduler
-1e1bf7cdba60cc83791e9d444c50371b94bd40fff4051936920238897437041d  _output/1-25/bin/linux/arm64/kubeadm
-efb9dfde5c46320c99228eb47bd55517cd5fb1ac59db4ca6e04ff085e3a1fa52  _output/1-25/bin/linux/arm64/kubectl
-b3ae9907a3fcab820d0a321e8bb25f9421455488c39856dd8a151b828a94a13a  _output/1-25/bin/linux/arm64/kubelet
-c6e86d878ac5433a1e0f381249255dee8776a25225dc1dadb6fe687b2b22e97f  _output/1-25/bin/windows/amd64/kube-proxy.exe
-1ffb7bf575bc74c889f90694c3cb4480389382fdcaa4868912db06b92ba8c0fe  _output/1-25/bin/windows/amd64/kubeadm.exe
-c6cc85411ae03d11a6d884d482d54860f22bb18d59353181f89939fd2054bf72  _output/1-25/bin/windows/amd64/kubectl.exe
-393240f01db0527e7c8a0305113444700092761b0c99bf3cdf28cc069a31cbca  _output/1-25/bin/windows/amd64/kubelet.exe
+e4418a44703e1565a08ae6a9660da6712cada21c7518704ba70d03380be7c555  _output/1-25/bin/darwin/amd64/kubectl
+05a01a14881d31c619c9532ec2ab9c7ee3edf3fcb3fc3f81722d3aaee6e98d90  _output/1-25/bin/linux/amd64/kube-apiserver
+08fa7d50cb98f23b53edcf0f01dec1aa685b0fbe153a2576241a16fe29f0a400  _output/1-25/bin/linux/amd64/kube-controller-manager
+11475821ec3e3f4d8b793a307bc6ad8874f6139c2a70a3d5862b23b14dfd3ef0  _output/1-25/bin/linux/amd64/kube-proxy
+dee77a0b8cf028283b145d5e2c27acda995c78ed500e41ac07f72283bc10f7fc  _output/1-25/bin/linux/amd64/kube-scheduler
+0468120a0b81af6807d551d8bf0c53e6f7fb8bc7db9f06c22d8fa21acda63955  _output/1-25/bin/linux/amd64/kubeadm
+ff5682d6f2781b5ef4d31177e6674b38c3bb58530a29cd4442cd35eb9405063f  _output/1-25/bin/linux/amd64/kubectl
+1c469c47f10b4e26543250b41c3986b990e5b0360b8c147c12c3e899df598ce7  _output/1-25/bin/linux/amd64/kubelet
+b01b18d084c9d5485defa49c61cd6f8bb80fade233be5272757a07d16dcf90a4  _output/1-25/bin/linux/arm64/kube-apiserver
+9174763fe895a4e9c4bedd499cd7c2682b861fba416bbb1d4eedcde90c283ba7  _output/1-25/bin/linux/arm64/kube-controller-manager
+766989a3301a99a371ffd8ed282dab739707c6f964f65dc69ac066f7be4d499a  _output/1-25/bin/linux/arm64/kube-proxy
+2d4cc93a5ff13dd01334459c65b9bf76d37b3a4a71c36c60b17735d6215e11d0  _output/1-25/bin/linux/arm64/kube-scheduler
+393cd4d1b1b07ecdc2d2d18f25668129ca3d962df443f387e936fd109593b98c  _output/1-25/bin/linux/arm64/kubeadm
+5a9235bb142cb16175576d61c622dab55941fdb01558c9deaef4b88df51efe4b  _output/1-25/bin/linux/arm64/kubectl
+28bd038e3a597ca4bc7b1b4e3048ebe062ad156a43dd48ac88ee252780a8bc71  _output/1-25/bin/linux/arm64/kubelet
+ccee2e7dcacf35841cc04395e4ffdb861861ea6231967f8c2a1c32eb0fa525ed  _output/1-25/bin/windows/amd64/kube-proxy.exe
+c5f584a17a6ca75476ff212e729fdb27390de444f27dc63a3021a611acbfd700  _output/1-25/bin/windows/amd64/kubeadm.exe
+945209a394717cad94277beb4e8e6af93f77393aaf30e628abc947bec8cba3eb  _output/1-25/bin/windows/amd64/kubectl.exe
+f23c1b76b082c60313f4f057a1f2d7bcc8f5e2c121c64c2ca01f284a6544e7a0  _output/1-25/bin/windows/amd64/kubelet.exe
diff --git a/...rnetes/kubernetes/1-25/patches/0002-EKS-PATCH-admission-webhook-exclusion-from-file.patch b/...rnetes/kubernetes/1-25/patches/0002-EKS-PATCH-admission-webhook-exclusion-from-file.patch
@@ -4,25 +4,25 @@ Date: Wed, 21 Dec 2022 20:12:26 -0600
 Subject: [PATCH] --EKS-PATCH-- admission webhook exclusion from file
 
 ---
- .../generic/exclusionrules/exclusion.go       | 152 +++++++
- .../generic/exclusionrules/exclusion_test.go  | 425 ++++++++++++++++++
+ .../exclusionrules/critical_path_excluder.go  | 152 +++++++
+ .../critical_path_excluder_test.go            | 427 ++++++++++++++++++
  .../webhook/generic/exclusionrules/matcher.go |  81 ++++
  .../generic/exclusionrules/matcher_test.go    | 333 ++++++++++++++
- .../plugin/webhook/generic/webhook.go         |   5 +
- .../webhook_exclusion_rules_test.go           | 278 ++++++++++++
+ .../plugin/webhook/generic/webhook.go         |  24 +
+ .../webhook_exclusion_rules_test.go           | 281 ++++++++++++
  vendor/modules.txt                            |   1 +
- 7 files changed, 1275 insertions(+)
- create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
- create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
+ 7 files changed, 1299 insertions(+)
+ create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
+ create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
  create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher.go
  create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher_test.go
  create mode 100644 test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
 
-diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
+diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
 new file mode 100644
-index 00000000000..71c4f548854
+index 00000000000..65abc4496a8
 --- /dev/null
-+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
++++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
 @@ -0,0 +1,152 @@
 +package exclusionrules
 +
@@ -35,11 +35,10 @@ index 00000000000..71c4f548854
 +)
 +
 +// Enables you to pass a config file to kube-api-server
-+// that defines resources to exempt from admission webhooks.
 +const ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR = "EKS_PATCH_EXCLUSION_RULES_FILE"
 +
-+func init() {
-+	LoadRules()
++type CriticalPathExcluder struct {
++	exclusionRules []ExclusionRule
 +}
 +
 +type ExclusionRule struct {
@@ -71,7 +70,13 @@ index 00000000000..71c4f548854
 +	Scope *v1.ScopeType `json:"scope,omitempty"`
 +}
 +
-+var exclusionRules []ExclusionRule
++func NewCriticalPathExcluder() CriticalPathExcluder {
++	exclusionRulesFromFile := readFile()
++	filteredExclusionRules := filterValidRules(exclusionRulesFromFile)
++	return CriticalPathExcluder{
++		exclusionRules: filteredExclusionRules,
++	}
++}
 +
 +func readFile() []ExclusionRule {
 +	//Default values for backwards compatability for eks-d
@@ -162,26 +167,21 @@ index 00000000000..71c4f548854
 +	return false
 +}
 +
-+func LoadRules() {
-+	exclusionRulesFromFile := readFile()
-+	exclusionRules = filterValidRules(exclusionRulesFromFile)
-+}
-+
-+func ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
-+	for _, r := range exclusionRules {
++func (excludor CriticalPathExcluder) ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
++	for _, r := range excludor.exclusionRules {
 +		m := Matcher{ExclusionRule: r, Attr: attr}
 +		if m.Matches() {
 +			return true
 +		}
 +	}
 +	return false
 +}
-diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
+diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
 new file mode 100644
-index 00000000000..ab6da215728
+index 00000000000..481348aa463
 --- /dev/null
-+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
-@@ -0,0 +1,425 @@
++++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
+@@ -0,0 +1,427 @@
 +package exclusionrules
 +
 +import (
@@ -294,8 +294,10 @@ index 00000000000..ab6da215728
 +	}
 +	for _, testcase := range testcases {
 +		t.Run(testcase.name, func(t *testing.T) {
-+			exclusionRules = testcase.exclusionRules
-+			result := ShouldSkipWebhookDueToExclusionRules(testcase.attr)
++			criticalPathExcluder := CriticalPathExcluder{
++				exclusionRules: testcase.exclusionRules,
++			}
++			result := criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(testcase.attr)
 +			if result != testcase.result {
 +				t.Fatalf("Unexpected result %v for test case %v", result, testcase.name)
 +			}
@@ -1034,22 +1036,55 @@ index 00000000000..3f7abbb9d90
 +	}
 +}
 diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
-index c04225e94f7..f12f920e29e 100644
+index c04225e94f7..8d9c56c9db6 100644
 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
 +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
-@@ -20,6 +20,7 @@ import (
+@@ -20,6 +20,8 @@ import (
  	"context"
  	"fmt"
  	"io"
 +	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"
-
++	"sync"
+
  	admissionv1 "k8s.io/api/admission/v1"
  	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-@@ -153,6 +154,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
+@@ -38,6 +40,20 @@ import (
+ 	clientset "k8s.io/client-go/kubernetes"
+ )
+
++var criticalPathExcluder exclusionrules.CriticalPathExcluder
++var LoadCriticalPathExcluder *sync.Once
++
++func init() {
++	// We are using a pointer to sync.Once in order to "reset" the sync.Once within our integration tests
++	// so that when the integration test api-server starts up, sync.Once has not been exhausted
++	// this is required because LoadCriticalPathExcluder is a global variable and when a suite of tests run
++	// the first test that starts an api-server will use up the sync.Once and subsequent launches of the api-server will
++	// not try to load the exclusion rules.
++	// see: test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
++	// see: https://github.com/golang/go/issues/25955#issuecomment-398278056
++	LoadCriticalPathExcluder = new(sync.Once)
++}
++
+ // Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
+ type Webhook struct {
+ 	*admission.Handler
+@@ -85,6 +101,10 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
+ 	cm.SetAuthenticationInfoResolver(authInfoResolver)
+ 	cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())
+
++	LoadCriticalPathExcluder.Do(func() {
++		criticalPathExcluder = exclusionrules.NewCriticalPathExcluder()
++	})
++
+ 	return &Webhook{
+ 		Handler:          handler,
+ 		sourceFactory:    sourceFactory,
+@@ -153,6 +173,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
  		return nil, nil
  	}
 
-+	if exclusionrules.ShouldSkipWebhookDueToExclusionRules(attr) {
++	if criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(attr) {
 +		return nil, nil
 +	}
 +
@@ -1058,18 +1093,20 @@ index c04225e94f7..f12f920e29e 100644
  		m := rules.Matcher{Rule: r, Attr: attr}
 diff --git a/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
 new file mode 100644
-index 00000000000..0575b054b10
+index 00000000000..3388050d507
 --- /dev/null
 +++ b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,281 @@
 +package admissionwebhook
 +
 +import (
 +	"context"
 +	"fmt"
 +	coordinationv1 "k8s.io/api/coordination/v1"
++	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 +	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"
 +	"os"
++	"sync"
 +	"testing"
 +	"time"
 +
@@ -1092,6 +1129,7 @@ index 00000000000..0575b054b10
 +)
 +
 +func TestWebhookExclusionRulesNoEnvVarSet(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	t.Logf("starting server")
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
@@ -1111,6 +1149,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRulesEnvVarSetNoFile(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +
@@ -1124,7 +1163,6 @@ index 00000000000..0575b054b10
 +	if err != nil {
 +		t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
 +	}
-+	exclusionrules.LoadRules()
 +
 +	createBrokenWebhook(t, client)
 +
@@ -1138,6 +1176,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRulesEnvVarSetBadFile(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	// Test env var set, bad file, should be broken webhook
 +	err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
 +	if err != nil {
@@ -1149,7 +1188,6 @@ index 00000000000..0575b054b10
 +	}
 +	defer os.Remove(exclusionRulesFile)
 +
-+	exclusionrules.LoadRules()
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +
@@ -1169,6 +1207,7 @@ index 00000000000..0575b054b10
 +}
 +
 +func TestWebhookExclusionRules(t *testing.T) {
++	generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
 +	err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
 +	if err != nil {
 +		t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
@@ -1192,7 +1231,6 @@ index 00000000000..0575b054b10
 +	}
 +	defer os.Remove(exclusionRulesFile)
 +
-+	exclusionrules.LoadRules()
 +	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 +	defer server.TearDownFn()
 +