
Merge remote-tracking branch 'origin/master' into release-1.16

idealhack committed Sep 4, 2019
2 parents 34ba9e7 + 7e906ae commit 48ca054daba9e610f13c6d6bfcedf6c7de12b138
Showing with 751 additions and 181 deletions.
  1. +1 −2 OWNERS_ALIASES
  2. +2 −2 cluster/OWNERS
  3. +4 −1 cluster/gce/windows/configure.ps1
  4. +30 −21 cluster/gce/windows/k8s-node-setup.psm1
  5. +0 −1 cmd/kube-controller-manager/OWNERS
  6. +0 −1 hack/.staticcheck_failures
  7. +0 −1 pkg/api/testing/OWNERS
  8. +0 −1 pkg/api/v1/OWNERS
  9. +0 −1 pkg/apis/core/OWNERS
  10. +0 −1 pkg/apis/core/v1/OWNERS
  11. +0 −1 pkg/apis/core/validation/OWNERS
  12. +0 −1 pkg/client/OWNERS
  13. +0 −2 pkg/cloudprovider/OWNERS
  14. +3 −1 pkg/controller/volume/persistentvolume/pv_controller_test.go
  15. +34 −42 pkg/kubectl/cmd/cp/cp.go
  16. +12 −25 pkg/kubectl/cmd/cp/cp_test.go
  17. +4 −0 pkg/kubelet/dockershim/network/hostport/fake_iptables.go
  18. +14 −2 pkg/kubelet/kubelet_network_linux.go
  19. +0 −1 pkg/master/OWNERS
  20. +10 −2 pkg/proxy/iptables/proxier.go
  21. +28 −0 pkg/proxy/iptables/proxier_test.go
  22. +11 −2 pkg/proxy/ipvs/proxier.go
  23. +30 −0 pkg/proxy/ipvs/proxier_test.go
  24. +0 −1 pkg/registry/OWNERS
  25. +14 −0 pkg/util/iptables/iptables.go
  26. +13 −2 pkg/util/iptables/testing/fake.go
  27. +2 −2 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/authentication_info_resolver.go
  28. +0 −2 staging/src/k8s.io/apiserver/pkg/registry/generic/OWNERS
  29. +48 −0 staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go
  30. +0 −1 staging/src/k8s.io/apiserver/pkg/registry/rest/OWNERS
  31. +14 −1 staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
  32. +40 −21 staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
  33. +84 −0 staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
  34. +17 −7 staging/src/k8s.io/apiserver/pkg/util/webhook/client.go
  35. +0 −2 staging/src/k8s.io/cloud-provider/OWNERS
  36. +1 −1 test/e2e/framework/log/logger_test.go
  37. +3 −7 test/e2e/framework/ssh/ssh.go
  38. +5 −0 test/e2e/network/dns_configmap.go
  39. +10 −16 test/e2e/network/service.go
  40. +17 −7 test/e2e_node/critical_pod_test.go
  41. +1 −0 test/integration/apiserver/admissionwebhook/BUILD
  42. +299 −0 test/integration/apiserver/admissionwebhook/client_auth_test.go
@@ -363,7 +363,6 @@ aliases:
- janetkuo
- justinsb
- pwittrock
- roberthbailey
- ncdc
- tallclair
- yifan-gu
@@ -461,7 +460,7 @@ aliases:
- prydonius # Apps
- pwittrock # CLI
- quinton-hoole # Multicluster
- roberthbailey # Cluster Lifecycle
- justinsb # Cluster Lifecycle
- saad-ali # Storage
- seans3 # CLI
- soltysh # CLI
@@ -6,14 +6,14 @@ reviewers:
- jbeda
- Katharine
- mikedanese
- roberthbailey
- zmerlynn
approvers:
- eparis
- jbeda
- mikedanese
- roberthbailey
- spiffxp
- zmerlynn
emeritus_approvers:
- roberthbailey # 2019-03-08
labels:
- sig/cluster-lifecycle
@@ -111,7 +111,10 @@ try {
Set-EnvironmentVars
Create-Directories
Download-HelperScripts
InstallAndStart-LoggingAgent

Install-LoggingAgent
Configure-LoggingAgent
Restart-LoggingAgent

Create-DockerRegistryKey
Configure-Dockerd
@@ -1091,12 +1091,13 @@ $STACKDRIVER_VERSION = 'v1-9'
$STACKDRIVER_ROOT = 'C:\Program Files (x86)\Stackdriver'


# Restart the Stackdriver logging agent
# `Restart-Service StackdriverLogging` may fail because StackdriverLogging
# sometimes is unstoppable, so we work around it by killing the processes.
function Restart-StackdriverLoggingAgent {
# Restarts the Stackdriver logging agent, or starts it if it is not currently
# running. A standard `Restart-Service StackdriverLogging` may fail because
# StackdriverLogging sometimes is unstoppable, so this function works around it
# by killing the processes.
function Restart-LoggingAgent {
Stop-Service -NoWait -ErrorAction Ignore StackdriverLogging

# Wait (if necessary) for service to stop.
$timeout = 10
$stopped = (Get-service StackdriverLogging).Status -eq 'Stopped'
@@ -1132,13 +1133,13 @@ function Restart-StackdriverLoggingAgent {
Start-Service StackdriverLogging
}

# Install and start the Stackdriver logging agent according to
# Installs the Stackdriver logging agent according to
# https://cloud.google.com/logging/docs/agent/installation.
# TODO(yujuhong): Update to a newer Stackdriver agent once it is released to
# support kubernetes metadata properly. The current version does not recognizes
# the local resource key "logging.googleapis.com/local_resource_id", and fails
# to label namespace, pod and container names on the logs.
function InstallAndStart-LoggingAgent {
function Install-LoggingAgent {
# Remove the existing storage.json file if it exists. This is a workaround
# for the bug where the logging agent cannot start up if the file is
# corrupted.
@@ -1156,9 +1157,7 @@ function InstallAndStart-LoggingAgent {
# well.
Log-Output ("Skip: $STACKDRIVER_ROOT is already present, assuming that " +
"Stackdriver logging agent is already installed")
# Restart-Service restarts a running service or starts a not-running
# service.
Restart-StackdriverLoggingAgent
Restart-LoggingAgent
return
}

@@ -1174,25 +1173,35 @@ function InstallAndStart-LoggingAgent {
Log-Output 'Invoking Stackdriver installer'
Start-Process $installer_file -ArgumentList "/S" -Wait

# Install the record-reformer plugin.
Start-Process "$STACKDRIVER_ROOT\LoggingAgent\Main\bin\fluent-gem" `
-ArgumentList "install","fluent-plugin-record-reformer" `
-Wait

Remove-Item -Force -Recurse $tmp_dir
}

# Writes the logging configuration file for Stackdriver. Restart-LoggingAgent
# should then be called to pick up the new configuration.
function Configure-LoggingAgent {
$fluentd_config_dir = "$STACKDRIVER_ROOT\LoggingAgent\config.d"
$fluentd_config_file = "$fluentd_config_dir\k8s_containers.conf"
if (-not (ShouldWrite-File $fluentd_config_file)) {
Log-Output ("Skip: fluentd logging config $fluentd_config_file already " +
"exists")
return
}

# Create a configuration file for kubernetes containers.
# The config.d directory should have already been created automatically, but
# try creating again just in case.
New-Item "$STACKDRIVER_ROOT\LoggingAgent\config.d" `
-ItemType 'directory' `
-Force | Out-Null
$FLUENTD_CONFIG | Out-File `
-FilePath "$STACKDRIVER_ROOT\LoggingAgent\config.d\k8s_containers.conf" `
-Encoding ASCII

# Restart the service to pick up the new configurations.
Restart-StackdriverLoggingAgent
Remove-Item -Force -Recurse $tmp_dir
New-Item $fluentd_config_dir -ItemType 'directory' -Force | Out-Null
$config = $FLUENTD_CONFIG.replace('NODE_NAME', (hostname))
$config | Out-File -FilePath $fluentd_config_file -Encoding ASCII
Log-Output "Wrote fluentd logging config to $fluentd_config_file"
}

# The NODE_NAME placeholder must be replaced with the node's name (hostname).
$FLUENTD_CONFIG = @'
# This configuration file for Fluentd is used to watch changes to kubernetes
# container logs in the directory /var/lib/docker/containers/ and submit the
@@ -1344,7 +1353,7 @@ $FLUENTD_CONFIG = @'
"logging.googleapis.com/local_resource_id" ${"k8s_node.NODE_NAME"}
</record>
</filter>
'@.replace('NODE_NAME', (hostname))
'@


# Export all public functions:
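Review bot: The already-installed branch of Install-LoggingAgent still calls `Restart-LoggingAgent` before returning, while the new sequence in configure.ps1 runs Install-LoggingAgent, Configure-LoggingAgent and then Restart-LoggingAgent itself. On a node where Stackdriver is already present, the agent is therefore stopped (by killing its processes, per the function comment) and started twice, the first time before the container config has been written. If configure.ps1 is the only caller, which cannot be confirmed from this page, I would drop the call from the skip branch. Otherwise the header comment should say that the function restarts the agent on that path, e.g. `# Restarts the agent and returns early if it is already installed.`. The function bodies continue outside the hunks.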
@@ -54,7 +54,6 @@ reviewers:
- pmorie
- quinton-hoole
- resouer
- roberthbailey
- rootfs
- rrati
- saad-ali
@@ -26,7 +26,6 @@ pkg/credentialprovider
pkg/credentialprovider/aws
pkg/credentialprovider/azure
pkg/kubeapiserver/admission
pkg/kubectl/cmd/cp
pkg/kubectl/cmd/get
pkg/kubelet/apis/podresources
pkg/kubelet/cm/devicemanager
@@ -20,7 +20,6 @@ reviewers:
- zmerlynn
- justinsb
- pwittrock
- roberthbailey
- tallclair
- yifan-gu
- eparis
@@ -25,7 +25,6 @@ reviewers:
- luxas
- janetkuo
- justinsb
- roberthbailey
- ncdc
- tallclair
- eparis
@@ -33,7 +33,6 @@ reviewers:
- janetkuo
- justinsb
- pwittrock
- roberthbailey
- ncdc
- tallclair
- yifan-gu
@@ -25,7 +25,6 @@ reviewers:
- luxas
- janetkuo
- justinsb
- roberthbailey
- ncdc
- tallclair
- eparis
@@ -25,7 +25,6 @@ reviewers:
- janetkuo
- justinsb
- pwittrock
- roberthbailey
- tallclair
- eparis
- soltysh
@@ -31,7 +31,6 @@ reviewers:
- luxas
- janetkuo
- justinsb
- roberthbailey
- ncdc
- tallclair
- yifan-gu
@@ -29,9 +29,7 @@ reviewers:
- zmerlynn
- luxas
- justinsb
- roberthbailey
- eparis
- jlowdermilk
- piosz
- jsafrane
- dims
@@ -21,7 +21,7 @@ import (
"testing"
"time"

"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
storagev1 "k8s.io/api/storage/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
@@ -260,12 +260,14 @@ func TestControllerSync(t *testing.T) {

reactor := newVolumeReactor(client, ctrl, fakeVolumeWatch, fakeClaimWatch, test.errors)
for _, claim := range test.initialClaims {
claim = claim.DeepCopy()
reactor.AddClaim(claim)
go func(claim *v1.PersistentVolumeClaim) {
fakeClaimWatch.Add(claim)
}(claim)
}
for _, volume := range test.initialVolumes {
volume = volume.DeepCopy()
reactor.AddVolume(volume)
go func(volume *v1.PersistentVolume) {
fakeVolumeWatch.Add(volume)
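Review bot: The two `DeepCopy()` calls on the new side carry no comment saying why the table entries must be copied, so a later cleanup could remove them as redundant. A line such as `// Copy so the reactor and the fake watch never share objects with the test table.` above each loop would record the intent; that reading is inferred from the hunk, so adjust the wording if the reason is different. The same copy is still passed to both `reactor.AddClaim` and `fakeClaimWatch.Add` (likewise for volumes), so the reactor and the watch continue to share one object. TestControllerSync starts and ends outside the hunk.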
@@ -45,6 +45,15 @@ var (
# !!!Important Note!!!
# Requires that the 'tar' binary is present in your container
# image. If 'tar' is not present, 'kubectl cp' will fail.
#
# For advanced use cases, such as symlinks, wildcard expansion or
# file mode preservation consider using 'kubectl exec'.
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
tar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar
# Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar
# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir
@@ -71,8 +80,9 @@ type CopyOptions struct {
Namespace string
NoPreserve bool

ClientConfig *restclient.Config
Clientset kubernetes.Interface
ClientConfig *restclient.Config
Clientset kubernetes.Interface
ExecParentCmdName string

genericclioptions.IOStreams
}
@@ -143,6 +153,10 @@ func extractFileSpec(arg string) (fileSpec, error) {

// Complete completes all the required options
func (o *CopyOptions) Complete(f cmdutil.Factory, cmd *cobra.Command) error {
if cmd.Parent() != nil {
o.ExecParentCmdName = cmd.Parent().CommandPath()
}

var err error
o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()
if err != nil {
@@ -307,7 +321,7 @@ func (o *CopyOptions) copyFromPod(src, dest fileSpec) error {
// remove extraneous path shortcuts - these could occur if a path contained extra "../"
// and attempted to navigate beyond "/" in a remote filesystem
prefix = stripPathShortcuts(prefix)
return o.untarAll(reader, dest.File, prefix)
return o.untarAll(src, reader, dest.File, prefix)
}

// stripPathShortcuts removes any leading or trailing "../" from a given path
@@ -412,7 +426,8 @@ func recursiveTar(srcBase, srcFile, destBase, destFile string, tw *tar.Writer) e
return nil
}

func (o *CopyOptions) untarAll(reader io.Reader, destDir, prefix string) error {
func (o *CopyOptions) untarAll(src fileSpec, reader io.Reader, destDir, prefix string) error {
symlinkWarningPrinted := false
// TODO: use compression here?
tarReader := tar.NewReader(reader)
for {
@@ -453,48 +468,25 @@ func (o *CopyOptions) untarAll(reader io.Reader, destDir, prefix string) error {
continue
}

// We need to ensure that the destination file is always within boundries
// of the destination directory. This prevents any kind of path traversal
// from within tar archive.
evaledPath, err := filepath.EvalSymlinks(baseName)
if mode&os.ModeSymlink != 0 {
if !symlinkWarningPrinted && len(o.ExecParentCmdName) > 0 {
fmt.Fprintf(o.IOStreams.ErrOut, "warning: file %q is a symlink, skipping (consider using \"%s exec -n %q %q -- tar cf - %q | tar xf -\")\n", destFileName, o.ExecParentCmdName, src.PodNamespace, src.PodName, src.File)
symlinkWarningPrinted = true
continue
}
fmt.Fprintf(o.IOStreams.ErrOut, "warning: skipping symlink: %q -> %q\n", destFileName, header.Linkname)
continue
}
outFile, err := os.Create(destFileName)
if err != nil {
return err
}
// For scrutiny we verify both the actual destination as well as we follow
// all the links that might lead outside of the destination directory.
if !isDestRelative(destDir, filepath.Join(evaledPath, filepath.Base(destFileName))) {
fmt.Fprintf(o.IOStreams.ErrOut, "warning: file %q is outside target destination, skipping\n", destFileName)
continue
defer outFile.Close()
if _, err := io.Copy(outFile, tarReader); err != nil {
return err
}

if mode&os.ModeSymlink != 0 {
linkname := header.Linkname
// We need to ensure that the link destination is always within boundries
// of the destination directory. This prevents any kind of path traversal
// from within tar archive.
linkTarget := linkname
if !filepath.IsAbs(linkname) {
linkTarget = filepath.Join(evaledPath, linkname)
}
if !isDestRelative(destDir, linkTarget) {
fmt.Fprintf(o.IOStreams.ErrOut, "warning: link %q is pointing to %q which is outside target destination, skipping\n", destFileName, header.Linkname)
continue
}
if err := os.Symlink(linkname, destFileName); err != nil {
return err
}
} else {
outFile, err := os.Create(destFileName)
if err != nil {
return err
}
defer outFile.Close()
if _, err := io.Copy(outFile, tarReader); err != nil {
return err
}
if err := outFile.Close(); err != nil {
return err
}
if err := outFile.Close(); err != nil {
return err
}
}
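Review bot: `os.Create(destFileName)` in untarAll follows any symlink that already exists at the destination path or in one of its parent directories, and the `filepath.EvalSymlinks` containment check in this hunk looks to be on the removed side (the +/- markers are lost on this page, so that is inferred). Skipping symlink entries stops an archive from supplying a link itself, but a link already present under destDir from an earlier copy would still redirect the write. I would either keep a resolved-path check before the create or state the assumption in a comment, e.g. `// symlink entries are never extracted; pre-existing links under destDir are followed as-is`. The per-entry `defer outFile.Close()` inside the loop also stacks one deferred call per file on top of the explicit Close. untarAll's body starts and ends outside the hunk.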
