
Sdn 4.11 kubernetes 1.24 #1275

Conversation

bpickard22

Need this for kube rebase on openshift-sdn

soltysh and others added 30 commits December 20, 2021 12:20
… allowed node labels

Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work.
openshift/origin needs to be able to vendor these definitions so they
need to be committed.
UPSTREAM: <carry>: Force releasing the lock on exit for KS

squash with UPSTREAM: <carry>: Release lock on KCM and KS termination
…belet logs endpoint

Provide an administrator a streaming view of event logs on Windows
machines without them having to implement a client side reader.

The kubelet API for querying the Linux journal is re-used for invoking
the Get-WinEvent cmdlet in a PowerShell.
Parameters that have no functional equivalence in Get-WinEvent are
ignored when assembling the command.

Only available to cluster admins.
Tests that fail on openshift-sdn specifically should be tagged as
such, so that they don't also get skipped when running under
ovn-kubernetes or third-party network plugins.

UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test

Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379
in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be
cleanly unmounted, gets "Stale file handle" error instead on umount.
As a result this test is permafailing on Fedora CoreOS nodes.

UPSTREAM: <carry>: Skip GlusterFS tests

GlusterFS is not supported in 4.x, we've been running its tests just
because we could. Now it does not work on IPv6 systems.

E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported)

UPSTREAM: <carry>: Skip GlusterFS tests

The previous commit left two GlusterFS tests still running:

[sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes

Skip them, we don't support Gluster and it does not work on IPv6

UPSTREAM: <carry>: 1.22 alpha & other tests disablement

UPSTREAM: <carry>: 1.21 alpha & other tests disablement

UPSTREAM: <carry>: Enable GenericEphemeralVolume tests

UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase

UPSTREAM: <carry>: Reenable NetworkPolicy test

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

UPSTREAM: <carry>: Conformance tests (sysctls) should be run

We have to run this test for conformance, and the tests pass. Reenable
this block which has been disabled for 2 releases (but appears to work fine).

UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests

Instead, openshift-tests will enable or disable them depending on
cluster configuration.

UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name

This test was renamed upstream in
kubernetes@006dc74

UPSTREAM: <carry>: re-enable networking tests after rebase

During a bump to k8 ver. 1.22.0, networking
tests were disabled to accomplish the bump.
This disabled netpol and older network tests.
Netpol tests will be enabled in a following
PR and therefore only partially fixes BZ.

This commit partially fixes bug 1986307.
https://bugzilla.redhat.com/show_bug.cgi?id=1986307

Signed-off-by: Martin Kennelly <mkennell@redhat.com>

UPSTREAM: <drop>: update test annotate rules
… it doesn't log stack trace when HTTP 500 response is returned

squash with UPSTREAM: <carry>: /readyz update stacktrace pred for httplog so that it doesn't log stack trace when HTTP 500 response is returned
UPSTREAM: <carry>: clarify downstream approver rules
… one

UPSTREAM: <carry>: kube-apiserver: set up separate signal handler functions to ignore further signals

This patches the changes from openshift#558 to provide
these new functions without changing the behavior for other repos that depend on them, such
as library-go.
…ocalhost

to force KS to use localhost set the following flag in kubescheduler (oc edit kubescheduler cluster)

unsupportedConfigOverrides:
  arguments:
    unsupported-kube-api-over-localhost:
    - "true"
…t set of featuregates

The volume plugin manager for openshift's Attach Detach controller in
kube-controller-manager uses a set of featuregates that are NOT the same as
the other controllers in KCM and the kubelet.

This means these featuregates (if we kept the old names) would be
inconsistent inside of a single binary. There are now separate featuregates
for the volumepluginmanager when running in the Attach Detach controller to
reflect this distinction.

See openshift/enhancements#549 for details.

Stop <carrying> the patch when CSI migration becomes GA (i.e.
features.CSIMigrationAWS / features.CSIMigrationOpenStack are GA).

UPSTREAM: <carry>: add CSI migration feature gates for GCE PD and Azure Disk

This commit is the next natural step for commit 2d9a8f9. It
introduces custom feature gates to enable the CSI migration in
GCE PD and Azure Disk plugins.

See openshift/enhancements#549 for details.

Stop <carrying> the patch when CSI migration becomes GA (i.e.
features.CSIMigrationAzureDisk / features.CSIMigrationGCE are GA).

 UPSTREAM: <carry>: Set CSI migration off when a test needs it

In OCP we carry a patch that forces CSI migration to be enabled in
Attach/Detach controller (ADC). Update ADC unit tests to disable the
migration there when a unit test needs it disabled.
This is a tech preview feature that must be explicitly enabled by setting
FeatureGate CR.
UPSTREAM: <carry>: management workloads enhancement 741

UPSTREAM: <carry>: lower verbosity of managed workloads logging

Support for managed workloads was introduced by PR#627.  However, the
CPU manager reconcile loop now seems to flood kubelet log with
"reconcileState: skipping pod; pod is managed" warnings.  Lower the
verbosity of these log messages.
UPSTREAM: <carry>: simplify apirequest counter code

UPSTREAM: <carry>: add more unit tests

UPSTREAM: <carry>: fix SetRequestCountsForNode

UPSTREAM: <carry>: switch to apirequestcount for all resources

UPSTREAM: <carry>: temporarily bypass validation for apirequest count removedInRelease

UPSTREAM: <carry>: apirequestcount to show dominators instead of fewest

UPSTREAM: <carry>: keep apirequestcounts for non-persisted users between updates

UPSTREAM: <carry>: properly honor the max number of users in spec

UPSTREAM: <carry>: apirequest count with empty .status.removedInRelease

UPSTREAM: <carry>: add apirequestcount useragent

UPSTREAM: <carry>: limit cardinality of useragent for removedrequest handling

UPSTREAM: <carry>: correct apirequestcount lock

UPSTREAM: <carry>: apirequestcount: smear out CR updates over interval

squash with UPSTREAM: <carry>: deprecateApiRequestHandler
Set informer for the openstack cloud provider to ensure it is properly
initialized when reading config from a secret.

Upstream 89885 was closed in favor of 96750.

Co-authored-by: Hemant Kumar <hekumar@redhat.com>
…t pods CPUs requests

The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource.
It applies to all pods that:
 1. are in an allowed namespace
 2. and have the workload annotation.

It also sets the new management resource request and limit and sets a resource annotation that CRI-O can
recognize and apply the relevant changes.
For more information, see - openshift/enhancements#703

Conditions for CPUs requests deletion:
 1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
 2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
 3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
 4. The CPU request deletion will not change the pod QoS class

Signed-off-by: Artyom Lukianov <alukiano@redhat.com>

UPSTREAM: <carry>: Do not prevent pod creation because of the no-nodes reason when running under a regular cluster

Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster
and, if the pod runs on top of a regular cluster, exit before the node existence check.

Signed-off-by: Artyom Lukianov <alukiano@redhat.com>

UPSTREAM: <carry>: do not mutate pods that have a container with both CPU request and limit

Removing the CPU request from a container that has a CPU limit will result in the defaulter setting the CPU request back equal to the CPU limit.

Signed-off-by: Artyom Lukianov <alukiano@redhat.com>

UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type

A race condition is possible between pod creation and the update of the
infrastructure resource status with correct values under
Status.ControlPlaneTopology and Status.InfrastructureTopology.

Signed-off-by: Artyom Lukianov <alukiano@redhat.com>
…localhost

to force KCM to use localhost set the following flag in kubecontrollermanager (oc edit kubecontrollermanager cluster)

unsupportedConfigOverrides:
  extendedArguments:
    unsupported-kube-api-over-localhost:
      - "true"
OpenShift since 3.x has injected the service serving certificate
ca (service ca) bundle into service account token secrets. This was
intended to ensure that all pods would be able to easily verify
connections to endpoints secured with service serving
certificates. Since breaking customer workloads is not an option, and
there is no way to ensure that customers are not relying on the
service ca bundle being mounted at
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, it is
necessary to continue mounting the service ca bundle in the same
location in the bound token projected volumes enabled by the
BoundServiceAccountTokenVolume feature (enabled by default in 1.21).

A new controller is added to create a configmap per namespace that is
annotated for service ca injection. The controller is derived from the
controller that creates configmaps for the root ca. The service
account admission controller is updated to include a source for the
new configmap in the default projected volume definition.

UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap publishing

This commit should be squashed with:

UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
Add an admission plugin that validates the dnses.operator.openshift.io
custom resource.  For now, the plugin only validates the DNS pod
node-placement parameters.

This commit fixes bug 1967745.

https://bugzilla.redhat.com/show_bug.cgi?id=1967745

* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go
(init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go
(AllCustomResourceValidators, RegisterCustomResourceValidation): Register
the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go:
New file.
(PluginName): New const.
(Register): New function.  Register the plugin.
(toDNSV1): New function.  Convert a runtime object to a versioned DNS.
(dnsV1): New type to represent a runtime object that is validated as a
versioned DNS.
(ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods.
Implement the ObjectValidator interface, using the validateDNSSpecCreate
and validateDNSSpecUpdate helpers.
(validateDNSSpecCreate, validateDNSSpecUpdate): New functions.  Validate a
DNS, using the validateDNSSpec helper.
(validateDNSSpec): New function.  Validate the spec field of a DNS, using
the validateDNSNodePlacement helper.
(validateDNSNodePlacement): New function.  Validate the node selector and
tolerations in a DNS's node-placement parameters, using
validateTolerations.
(validateTolerations): New function.  Validate a slice of
corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go:
New file.
(TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS
specs.
(TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS
specs.
* vendor/*: Regenerate.
… to apiserver_request_total

UPSTREAM: <carry>: apiserver: add cluster-policy-controller to system client in apiserver_request_total
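The ManagementCPUOverride conditions listed in the commit messages above (allowed namespace annotation, pod management annotation, management resource on every node, unchanged QoS class, and the later guard against containers that set both a CPU request and a CPU limit) are easier to reason about as one decision function. The following Go program is an added illustration written for this page; it is not the openshift/kubernetes admission plugin's code. Assumptions, which are not in the commit messages: reduced Pod/Namespace/Node structs holding only the fields the decision reads, quantities as integers (millicores and bytes, 0 meaning unset), a cluster with zero nodes treated as blocking, and QoS computed from the upstream request/limit rules with the defaulter's "unset request takes the limit" behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation and resource names quoted from the commit messages.
const (
	NamespaceAllowedAnnotation = "workload.openshift.io/allowed"
	PodManagementAnnotation    = "workload.openshift.io/management"
	ManagementResource         = "management.workload.openshift.io/cores"
)

// Reduced models (assumption): only the fields the decision reads.
// CPU values are millicores, memory values are bytes; 0 means "not set".
type Container struct {
	Name                 string
	CPURequest, CPULimit int64
	MemRequest, MemLimit int64
	ManagementCoresReq   int64 // where a stripped CPU request ends up
}
type Pod struct {
	Annotations map[string]string
	Containers  []Container
}
type Namespace struct{ Annotations map[string]string }
type Node struct {
	Name     string
	Capacity map[string]int64
}

// effective models the API defaulter: an unset request takes the limit's value.
// This is why a container with both a CPU request and a CPU limit is never
// mutated: removing the request would only be defaulted back to the limit.
func effective(req, lim int64) int64 {
	if req == 0 {
		return lim
	}
	return req
}

// QoSClass applies the upstream rules: BestEffort when no container sets any
// CPU or memory request/limit, Guaranteed when every container has CPU and
// memory limits with requests equal to them, Burstable otherwise.
func QoSClass(p Pod) string {
	anySet, allGuaranteed := false, len(p.Containers) > 0
	for _, c := range p.Containers {
		if (c.CPURequest | c.CPULimit | c.MemRequest | c.MemLimit) != 0 {
			anySet = true
		}
		guaranteed := c.CPULimit != 0 && c.MemLimit != 0 &&
			effective(c.CPURequest, c.CPULimit) == c.CPULimit &&
			effective(c.MemRequest, c.MemLimit) == c.MemLimit
		if !guaranteed {
			allGuaranteed = false
		}
	}
	if !anySet {
		return "BestEffort"
	}
	if allGuaranteed {
		return "Guaranteed"
	}
	return "Burstable"
}

// StripCPURequests returns a mutated copy in which each container's CPU
// request is moved to the management resource, as the plugin description says.
func StripCPURequests(p Pod) Pod {
	out := Pod{Annotations: p.Annotations, Containers: make([]Container, len(p.Containers))}
	for i, c := range p.Containers {
		c.ManagementCoresReq, c.CPURequest = c.CPURequest, 0
		out.Containers[i] = c
	}
	return out
}

// Decide checks the four conditions plus the request-and-limit guard and
// returns the reason for a no-op so a reviewer can see which one blocked it.
func Decide(p Pod, ns Namespace, nodes []Node) (bool, string) {
	if ns.Annotations[NamespaceAllowedAnnotation] != "management" {
		return false, "namespace is not annotated for management workloads"
	}
	raw, ok := p.Annotations[PodManagementAnnotation]
	if !ok {
		return false, "pod has no management annotation"
	}
	var ann struct {
		Effect string `json:"effect"`
	}
	if err := json.Unmarshal([]byte(raw), &ann); err != nil || ann.Effect != "PreferredDuringScheduling" {
		return false, "management annotation is not JSON with effect PreferredDuringScheduling"
	}
	if len(nodes) == 0 { // assumption: no nodes means the resource cannot be confirmed
		return false, "no nodes to check for the management resource"
	}
	for _, n := range nodes {
		if _, has := n.Capacity[ManagementResource]; !has {
			return false, "node " + n.Name + " lacks " + ManagementResource
		}
	}
	for _, c := range p.Containers {
		if c.CPURequest != 0 && c.CPULimit != 0 {
			return false, "container " + c.Name + " has both CPU request and limit"
		}
	}
	if QoSClass(StripCPURequests(p)) != QoSClass(p) {
		return false, "removing CPU requests would change the pod QoS class"
	}
	return true, ""
}

func main() {
	// Constructed sample input: one allowed namespace, one node with the resource.
	ns := Namespace{Annotations: map[string]string{NamespaceAllowedAnnotation: "management"}}
	nodes := []Node{{Name: "master-0", Capacity: map[string]int64{ManagementResource: 4000}}}
	pod := Pod{
		Annotations: map[string]string{PodManagementAnnotation: `{"effect": "PreferredDuringScheduling"}`},
		Containers:  []Container{{Name: "app", CPURequest: 500, MemRequest: 64 << 20}},
	}
	ok, reason := Decide(pod, ns, nodes)
	fmt.Println(ok, reason, QoSClass(pod), QoSClass(StripCPURequests(pod)))
}
```

The QoS check is the subtle one: a Burstable pod whose only resource is a CPU request would become BestEffort once the request is removed, so the plugin must leave it alone, while a pod that also carries a memory request stays Burstable and can be mutated.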
openshift-merge-robot and others added 21 commits March 29, 2022 23:07
UPSTREAM: <carry>: update list of deprecated apis
…orkpolicy

Revert "UPSTREAM: <carry>: Unskip OCP SDN related tests"
UPSTREAM: 106454: test/e2e: fix e2e tests for restricted policy
…d to CSI

Skip tests that depend on the in-tree Azure Disk volume plugin that (wrongly)
uses failure domains for the value of the "topology.kubernetes.io/zone" label in
Azure regions that don't have availability zones.

Our e2e tests blindly use that label and expect that a volume provisioned
in such a "zone" can be used only by nodes in that "zone" (= topology
domain). This is false, Azure Disk CSI driver can use such a volume in any
zone and therefore the test may randomly fail.

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2066865
Bug 2051985: UPSTREAM: <carry>: An APIRequestCount without dots in the name can cause a panic
…d security policy

This is to ensure that all existing tests don't break when defaulting
the pod security policy to restricted in the e2e test framework.
…ileged

UPSTREAM: 109283: test/e2e/*: use restricted policy by default, default existing tests to privileged
Bug 1999325: Backport 107821 and 107831
… bug

Change-Id: Ieeeab689ae51dfe0dc06bdca88519d0ecf66d636
Bug 2075621: UPSTREAM: 109487: Disable JobTrackingWithFinalizers due to unresolved bug
…loglevel

Bug 2062459: Identify if there are multiple schedulers running
This commit fixes bug 1919737.

https://bugzilla.redhat.com/show_bug.cgi?id=1919737

* pkg/proxy/iptables/proxier.go (syncProxyRules): Prefer a local endpoint
for the cluster DNS service.

(cherry picked from commit 54dc362)
…olicy

If a service has a
"traffic-policy.network.alpha.openshift.io/local-with-fallback"
annotation, then only treat it as "externalTrafficPolicy: Local" when
there are actually running local pods.

That is, if we receive traffic for such a service after the last local
pod terminates, then forward it to a remote pod rather than dropping
it.

(cherry picked from commit 0a5c66b)
Instead, add a method so openshift-sdn can force a full reload only
when it really needs to.

(cherry picked from commit 712d3c9)
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 25, 2022
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label May 25, 2022
@openshift-ci

openshift-ci bot commented May 25, 2022

@bpickard22: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot

@bpickard22: the contents of this pull request could not be automatically validated.

The following commits are valid:

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@bpickard22 bpickard22 closed this May 25, 2022
@openshift-ci openshift-ci bot requested review from danwinship and dcbw May 25, 2022 18:05
@openshift-ci

openshift-ci bot commented May 25, 2022

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bpickard22
To complete the pull request process, please assign knobunc after the PR has been reviewed.
You can assign the PR to them by writing /assign @knobunc in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bpickard22 bpickard22 deleted the sdn-4.11-kubernetes-1.24 branch May 25, 2022 18:30