Merge pull request #18 from openshift-cloud-team/rebase-bot-master

OCPBUGS-6406: Merge https://github.com/kubernetes/cloud-provider-gcp:master into master
openshift · Feb 13, 2023 · ce69207 · ce69207
2 parents 83eb1c6 + 2e0341e
commit ce69207
Show file tree

Hide file tree

Showing 3,187 changed files with 395,877 additions and 57,955 deletions.
diff --git a/.bazelversion b/.bazelversion
@@ -0,0 +1 @@
+5.4.0
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 bazel-*
+cluster/bin
 MERGED_LICENSES
diff --git a/WORKSPACE b/WORKSPACE
@@ -33,9 +33,8 @@ http_archive(
 
 http_archive(
     name = "io_bazel_rules_docker",
-    sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036",
-    strip_prefix = "rules_docker-0.14.4",
-    urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"],
+    sha256 = "b1e80761a8a8243d03ebca8845e9cc1ba6c82ce7c5179ce2b295cd36f7e394bf",
+    urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.25.0/rules_docker-v0.25.0.tar.gz"],
 )
 
 load("@bazel_skylib//lib:versions.bzl", "versions")
@@ -68,10 +67,6 @@ load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps")
 
 container_deps()
 
-load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps")
-
-pip_deps()
-
 container_pull(
     name = "distroless",
     digest = "sha256:c6d5981545ce1406d33e61434c61e9452dad93ecd8397c41e89036ef977a88f4",
@@ -80,6 +75,16 @@ container_pull(
     tag = "b54513ef989c81d68cb27d9c7958697e2fedd2c4",
 )
 
+
+container_pull(
+    name = "go-runner",
+    registry = "registry.k8s.io",
+    repository = "build-image/go-runner",
+    # 'tag' is also supported, but digest is encouraged for reproducibility.
+    tag = "v2.3.1-go1.19.4-bullseye.0",
+    digest = "sha256:06f8a7671cc1a1d80196522e0f793dba9ee687d0cea49ae852a095af331133b4",
+)
+
 load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
 
 gazelle_dependencies()
@@ -95,11 +100,11 @@ load("//defs:repo_rules.bzl", "fetch_kube_release")
 fetch_kube_release(
     name = "io_k8s_release",
     archives = {
-        "kubernetes-server-linux-amd64.tar.gz": "f813ecb6487bd50b5af95ae207921053dd7ad5156ecdcd4465d7a1c213b98f87",
-        "kubernetes-manifests.tar.gz": "34d1208ae284ff4c2ac2f1ddc3f9dcd24d691d861dc20b0adc08ff44256f35c2",
+        "kubernetes-server-linux-amd64.tar.gz": "9046ae36fdbe444c44c2bbf0274b9eb11f4dd83d487d56e51e5d3125d016513d",
+        "kubernetes-manifests.tar.gz": "d25ce072f315e8003f5107f4b0e7368c0a53332fe58f0e7414cdfc6c5cc053a3",
         # we do not currently make modifications to these release tars below
-        "kubernetes-node-linux-amd64.tar.gz": "27de16edf89c48903877b28b1ff84037fe73f896dc9f313d4bb9ee400503a152",
-        "kubernetes-node-windows-amd64.tar.gz": "cc600b41f75d94efadfc36bac2e23c424aad4d825cef02633f2783109b22842e",
+        "kubernetes-node-linux-amd64.tar.gz": "62edcc0774fa29fd12cc8cb4e16d7470df976eb7c885952c76c1e833b91af69f",
+        "kubernetes-node-windows-amd64.tar.gz": "48339207092b47ee820e16d8c996cf518d7ed6b1c897e47ba9e5baa019fa7840",
     },
-    version = "v1.25.2",
+    version = "v1.26.0",
 )
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -0,0 +1,24 @@
+# See https://cloud.google.com/cloud-build/docs/build-config
+# For more information about Image pushing refer to https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/README.md
+timeout: 3600s
+
+options:
+  substitution_option: ALLOW_LOOSE
+
+steps:
+  - name: 'gcr.io/cloud-builders/bazel'
+    env:
+    - IMAGE_REGISTRY=gcr.io
+    - IMAGE_REPO=k8s-staging-cloud-provider-gcp
+    - IMAGE_TAG=$SHORT_SHA
+    args:
+      - run
+      - //cmd/cloud-controller-manager:publish
+
+substitutions:
+  _GIT_TAG: '12345'
+  _PULL_BASE_REF: 'master'
+
+tags:
+- 'cloud-controller-manager'
+- $_GIT_TAG
diff --git a/cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml b/cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -114,7 +114,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: kubedns
-        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.13
         resources:
           # TODO: Set memory limits when we've profiled the container for large
           # clusters, then set request = limit to keep this container in
@@ -170,7 +170,7 @@ spec:
           runAsUser: 1001
           runAsGroup: 1001
       - name: dnsmasq
-        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.13
         livenessProbe:
           httpGet:
             path: /healthcheck/dnsmasq
@@ -217,7 +217,7 @@ spec:
               - NET_BIND_SERVICE
               - SETGID
       - name: sidecar
-        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.13
         livenessProbe:
           httpGet:
             path: /metrics

diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -114,7 +114,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: kubedns
-        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.13
         resources:
           # TODO: Set memory limits when we've profiled the container for large
           # clusters, then set request = limit to keep this container in
@@ -170,7 +170,7 @@ spec:
           runAsUser: 1001
           runAsGroup: 1001
       - name: dnsmasq
-        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.13
         livenessProbe:
           httpGet:
             path: /healthcheck/dnsmasq
@@ -217,7 +217,7 @@ spec:
               - NET_BIND_SERVICE
               - SETGID
       - name: sidecar
-        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.13
         livenessProbe:
           httpGet:
             path: /metrics

diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -114,7 +114,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: kubedns
-        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-kube-dns:1.22.13
         resources:
           # TODO: Set memory limits when we've profiled the container for large
           # clusters, then set request = limit to keep this container in
@@ -170,7 +170,7 @@ spec:
           runAsUser: 1001
           runAsGroup: 1001
       - name: dnsmasq
-        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.22.13
         livenessProbe:
           httpGet:
             path: /healthcheck/dnsmasq
@@ -217,7 +217,7 @@ spec:
               - NET_BIND_SERVICE
               - SETGID
       - name: sidecar
-        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-sidecar:1.22.13
         livenessProbe:
           httpGet:
             path: /metrics

diff --git a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml
@@ -138,14 +138,16 @@ spec:
         operator: "Exists"
       containers:
       - name: node-cache
-        image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.8
+        image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.13
         resources:
           requests:
             cpu: 25m
             memory: 5Mi
         args: [ "-localip", "__PILLAR__LOCAL__DNS__,__PILLAR__DNS__SERVER__", "-conf", "/etc/Corefile", "-upstreamsvc", "kube-dns-upstream" ]
         securityContext:
-          privileged: true
+          capabilities:
+            add:
+            - NET_ADMIN
         ports:
         - containerPort: 53
           name: dns

diff --git a/cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml b/cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml
diff --git a/...ter/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-psp-binding.yaml b/...ter/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-psp-binding.yaml
diff --git a/cluster/addons/metadata-proxy/gce/podsecuritypolicies/metadata-proxy-psp-binding.yaml b/cluster/addons/metadata-proxy/gce/podsecuritypolicies/metadata-proxy-psp-binding.yaml
diff --git a/cluster/addons/node-problem-detector/podsecuritypolicies/npd-psp-binding.yaml b/cluster/addons/node-problem-detector/podsecuritypolicies/npd-psp-binding.yaml
diff --git a/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml b/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
@@ -67,3 +67,7 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get","create","update"]
+ # GLBC uses endpoint slices
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get","list", "watch"]
diff --git a/cluster/addons/storage-class/openstack/default.yaml b/cluster/addons/storage-class/openstack/default.yaml
diff --git a/...er/addons/volumesnapshots/volume-snapshot-controller/rbac-volume-snapshot-controller.yaml b/...er/addons/volumesnapshots/volume-snapshot-controller/rbac-volume-snapshot-controller.yaml
@@ -35,13 +35,16 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotcontents"]
-    verbs: ["create", "get", "list", "watch", "update", "delete"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["patch"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["create", "list", "watch", "delete", "get", "update"]

diff --git a/...ons/volumesnapshots/volume-snapshot-controller/volume-snapshot-controller-deployment.yaml b/...ons/volumesnapshots/volume-snapshot-controller/volume-snapshot-controller-deployment.yaml
@@ -22,7 +22,7 @@ spec:
       serviceAccount: volume-snapshot-controller
       containers:
         - name: volume-snapshot-controller
-          image: registry.k8s.io/sig-storage/snapshot-controller:v4.2.1
+          image: registry.k8s.io/sig-storage/snapshot-controller:v6.1.0
           args:
             - "--v=5"
             - "--metrics-path=/metrics"

diff --git a/cluster/bin/kubectl b/cluster/bin/kubectl
diff --git a/cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml b/cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml
@@ -27,7 +27,7 @@ spec:
       nodeSelector:
         kubernetes.io/os: linux
       containers:
-        - image: registry.k8s.io/kas-network-proxy/proxy-agent:v0.0.32
+        - image: registry.k8s.io/kas-network-proxy/proxy-agent:v0.0.33
           name: konnectivity-agent
           command: ["/proxy-agent"]
           args: [

diff --git a/cluster/gce/config-common.sh b/cluster/gce/config-common.sh
@@ -160,7 +160,7 @@ export WINDOWS_KUBEPROXY_KUBECONFIG_FILE="${WINDOWS_K8S_DIR}\kubeproxy.kubeconfi
 # Path for kube-proxy kubeconfig file on Windows nodes.
 export WINDOWS_NODEPROBLEMDETECTOR_KUBECONFIG_FILE="${WINDOWS_K8S_DIR}\node-problem-detector.kubeconfig"
 # Pause container image for Windows container.
-export WINDOWS_INFRA_CONTAINER="registry.k8s.io/pause:3.8"
+export WINDOWS_INFRA_CONTAINER="registry.k8s.io/pause:3.9"
 # Storage Path for csi-proxy. csi-proxy only needs to be installed for Windows.
 export CSI_PROXY_STORAGE_PATH="https://storage.googleapis.com/gke-release/csi-proxy"
 # Version for csi-proxy

diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
@@ -255,15 +255,14 @@ if [[ (( "${KUBE_FEATURE_GATES:-}" == *"AllAlpha=true"* ) || ( "${KUBE_FEATURE_G
   RUN_CONTROLLERS="${RUN_CONTROLLERS:-*,endpointslice}"
 fi
 
+# List of the set of feature gates recognized by the GCP CCM
+export CCM_FEATURE_GATES="APIListChunking,APIPriorityAndFairness,APIResponseCompression,APIServerIdentity,APIServerTracing,AllAlpha,AllBeta,CustomResourceValidationExpressions,KMSv2,OpenAPIEnums,OpenAPIV3,RemainingItemCount,ServerSideFieldValidation,StorageVersionAPI,StorageVersionHash"
+
 # Optional: set feature gates
+# shellcheck disable=SC2034 # Variables sourced in other scripts.
 FEATURE_GATES="${KUBE_FEATURE_GATES:-}"
 
 if [[ -n "${NODE_ACCELERATORS}" ]]; then
-    if [[ -z "${FEATURE_GATES:-}" ]]; then
-        FEATURE_GATES="DevicePlugins=true"
-    else
-        FEATURE_GATES="${FEATURE_GATES},DevicePlugins=true"
-    fi
     if [[ "${NODE_ACCELERATORS}" =~ .*type=([a-zA-Z0-9-]+).* ]]; then
         NON_MASTER_NODE_LABELS="${NON_MASTER_NODE_LABELS},cloud.google.com/gke-accelerator=${BASH_REMATCH[1]}"
     fi
@@ -399,7 +398,7 @@ EVICTION_HARD="${EVICTION_HARD:-memory.available<250Mi,nodefs.available<10%,node
 # Optional: custom scheduling algorithm
 SCHEDULING_ALGORITHM_PROVIDER="${SCHEDULING_ALGORITHM_PROVIDER:-}"
 
- # Optional: install a default StorageClass
+# Optional: install a default StorageClass
 # (TODO/cloud-provider-gcp): This should be reverted when we add ENABLE_DEFAULT_STORAGE_CLASS to kubetest2 parsed argument
 # ENABLE_DEFAULT_STORAGE_CLASS="${ENABLE_DEFAULT_STORAGE_CLASS:-false}"
 ENABLE_DEFAULT_STORAGE_CLASS="${ENABLE_DEFAULT_STORAGE_CLASS:-true}"
@@ -554,4 +553,23 @@ export TLS_CIPHER_SUITES=""
 
 # CLOUD_PROVIDER_FLAG defines the cloud-provider value presented to KCM, apiserver,
 # and kubelet
-export CLOUD_PROVIDER_FLAG="${CLOUD_PROVIDER_FLAG:-gce}"
+# (TODO/cloud-provider-gcp): Need to add overwrite in kubetest2
+# export CLOUD_PROVIDER_FLAG="${CLOUD_PROVIDER_FLAG:-gce}"
+export CLOUD_PROVIDER_FLAG="${CLOUD_PROVIDER_FLAG:-external}"
+
+# When ENABLE_AUTH_PROVIDER_GCP is set, following flags for out-of-tree credential provider for GCP
+# are presented to kubelet:
+# --image-credential-provider-config=${path-to-config}
+# --image-credential-provider-bin-dir=${path-to-auth-provider-binary}
+# Also, it is required that DisableKubeletCloudCredentialProviders and KubeletCredentialProviders
+# feature gates are set to true for kubelet to use external credential provider.
+ENABLE_AUTH_PROVIDER_GCP="${ENABLE_AUTH_PROVIDER_GCP:-true}"
+
+# (TODO/cloud-provider-gcp): Need to figure out how we can add this FeatureGate as an env.
+if [[ ${ENABLE_AUTH_PROVIDER_GCP:-true} == "true" ]]; then
+   if [[ -z "${FEATURE_GATES:-}" ]]; then
+        FEATURE_GATES="KubeletCredentialProviders=true,DisableKubeletCloudCredentialProviders=true,DisableCloudProviders=true"
+    else
+        FEATURE_GATES="${FEATURE_GATES},KubeletCredentialProviders=true,DisableKubeletCloudCredentialProviders=true,DisableCloudProviders=true"
+    fi
+fi