WIP: Rebase 1.25 #1357

…sruption Add worker to clean up stale DisruptionTarget condition

…-test Promote NamespaceStatus endpoints test +3 Endpoints

…a2-deprecated Deprecate kubescheduler ComponentConfig v1beta2

update smd to 4.2.3

ginkgo: disable color escape sequences by default when not connected to a terminal

KEP-3327: Add CPUManager policy option to align CPUs by Socket instead of by NUMA node

Upgrade CSIMigrationGCE feature gate to GA

Enable 'running_managed_controllers' for KCM/CCM controllers: routes, services and cloud-node

…nges Update CRI API to support Evented PLEG

…ges for kubelet client and serving certificates Signed-off-by: Paco Xu <paco.xu@daocloud.io>

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

It is used to request that a pod runs in a unique user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>

Move e2e test from alpha with feature promoted to beta

…ment Allow retroactive storage class assigment to PVCs

KEP: /enhancements/keps/sig-node/1287-in-place-update-pod-resources

…ed files)

Promote CronJobTimeZone to beta

Change-Id: I3be351fb3b53216948a37b1d58224f8fbbf22b47

…uceeded Fix JobTrackingWithFinalizers when a pod succeeds after the job fails

…ional modify the signing/approving controller to tolerate either set of usages for kubelet client and serving certificates

….12.1, kustomize/v4.5.7 (kubernetes#111606)

Signed-off-by: Abirdcfly <fp544037857@gmail.com>

…ertical-scaling-cri CRI changes to support in-place pod resize

This change is to promote local storage capacity isolation feature to GA At the same time, to allow rootless system disable this feature due to unable to get root fs, this change introduced a new kubelet config "localStorageCapacityIsolation". By default it is set to true. For rootless systems, they can set this configuration to false to disable the feature. Once it is set, user cannot set ephemeral-storage request/limit because capacity and allocatable will not be set. Change-Id: I48a52e737c6a09e9131454db6ad31247b56c000a

modify modify modify modify modify

define a feature gate for the user namespaces support. The feature is not enabled by default. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

e2e: Trim junit reporter to adapt with testgrid

…d-arch-installing-etcd Avoid hard coding Operating System and Architecture in hack/lib/etcd.sh

…im_report Revert "e2e: Trim junit reporter to adapt with testgrid"

Including the full information for successful tests makes the resulting XML file too large for the 200GB limit in Spyglass when running large jobs (like scale testing). The original solution from kubernetes#111627 broke JUnit reporting in other test suites, in particular test/e2e_node. Keeping the code inside the framework ensures that all test suites continue to have the JUnit reporting. AfterReadingAllFlags is a good place to set this up because all test suites using the test context are expected to call it before running tests and after parsing flags. Removing the ReportEntries added by ginkgo.By from all test reports usually avoids the `system-err` part in the JUnit file, which in Spyglass avoids the extra "open stdout" button. Co-authored-by: Patrick Ohly <patrick.ohly@intel.com> Co-authored-by: Dave Chen <dave.chen@arm.com>

Signed-off-by: David Porter <david@porter.me>

This commit just adds a validation according to KEP-127. We check that only the supported volumes for phase 1 of the KEP are accepted. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

it is used to allocate and keep track of the unique users ranges assigned to each pod that runs in a user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

In future commits we will need this to set the user/group of supported volumes of KEP 127 - Phase 1. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

This commit only changes the UID/GID if user namespaces is enabled. When it is enabled, it changes it so the hostUID and hostGID that are mapped to the currently used UID/GID. This is needed so volumes are created with the hostUID/hostGID and the user inside the container can read them. If user namespaces are disabled for this pod, this is a no-op: there is no user namespace mapping, so the hostUID/hostGID are the same as inside the container. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

it is a preparatory change for the next commit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Set the user namespace options to use for the pod. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

vendor: Bump cAdvisor to v0.45.0

- add feature gate - add encrypted object and run generated_files - generate protobuf for encrypted object and add unit tests - move parse endpoint to util and refactor - refactor interface and remove unused interceptor - add protobuf generate to update-generated-kms.sh - add integration tests - add defaulting for apiVersion in kmsConfiguration - handle v1/v2 and default in encryption config parsing - move metrics to own pkg and reuse for v2 - use Marshal and Unmarshal instead of serializer - add context for all service methods - check version and keyid for healthz Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

…-2022 Add support for user namespaces phase 1 (KEP 127)

Promote Local storage capacity isolation feature to GA

…reference make ObjectReference field ownership granular

…-local-svc Avoid re-syncing LBs for ETP=local services

Implement KMS v2alpha1

cleanup: Remove storageos volume plugins from k8s codebase

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

don't quota events.k8s.io events by default

e2e: trim junit report for Spyglass

Stop panic in govet levee under golang 1.19

Signed-off-by: cpanato <ctadeu@gmail.com>

The new field tells Kubernetes if the CSI driver supports mounting of volumes with -o context=XYZ or not.

Let volume plugins decide if they want to mount volumes with "-o context=XYZ" or let the container runtime relabel the volume on container startup. Using NewMounter, as it's the call where a volume plugin gets the other MountOptions.

Add a new call to VolumePlugin interface and change all its implementations. Kubelet's VolumeManager will be interested whether a volume supports mounting with -o conext=XYZ or not to hanle SetUp() / MountDevice() accordingly.

Both ActualStateOfWorld and DesiredStateOfWorld must track SELinux context of volume mounts.

Add separate _errors and _warnings to capture volumes that were rejected from those will be rejected when the feature is expanded to all access mode.

With some minor refactoring to use common getCSIDriver function.

To keep the function smaller.

In theory the check is not necessary, but for sake of robustness and completenes, let's check SELinuxMountReadWriteOncePod feature gate before assuming anything about SELinux labels.

Add handlerSELinuxMetricError() which bumps the right metric + either consumes a SELinux error or lets it propagate up the stack.

github.com/opencontainers/selinux/go-selinux needs OS that supports SELinux and SELinux enabled in it to return useful data, therefore add an interface in front of it, so we can mock its behavior in unit tests.

The error would be logged every reconciler sync (100 ms).

To be able to update content of the function to other access modes when we implement SELinux mount for more of them.

…er minute, scale up&down limited by percentage of Pods per minute

Update publishing-bot rules for go1.17.13 and go1.18.5

add test for GetAPIServerVirtualIP

…cle-test Revert "e2e: should manage the lifecycle of an APIService"

[go] Bump images, dependencies and versions to go 1.19

After the userns PR got merged: kubernetes#111090 gnufied decided it might be safer if we feature gate this part of the code, due to the kubelet volume host type assertion. That is a great catch and this patch just moves the code inside the feature gate if. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Clear ephemeral container resources field when creating one in volume test

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

…ut-in-1.19-rc2 [golang] Fix things commented out in 1.19rc2

Speed up SELinux volume relabeling using mounts MVP

Update go.mod to go1.19

…ove-sched-pred-from-ccm [CCM - service controller] Remove schedulability predicate for LB set

…es-job-controller Support handling of pod failures with respect to the configured rules

Updates predicate to check for a length >=2 to avoid the index out of bounds panic. Signed-off-by: Edwin Xie <exie@vmware.com> Co-authored-by: Tyler Schultz <tschultz@vmware.com>

…k-test-flake Fix e2e network dns_configmap test

Introduce networking/v1alpha1 api group. Add `ClusterCIDR` type to networking/v1alpha1 api group, this type will enable the NodeIPAM controller to support multiple ClusterCIDRs.

Add a new cidrset named `multicidrset` which extends the current cidrset mechanism to track allocatable Pod and Service CIDRs. multicidrset stores the info about allocated CIDRs in a Map as opposed to the current cidrset implementation where it is stored in a bitmap.

The Priority is determined as follows: P0: ClusterCIDR with higher number of matching labels has highest priority. P1: ClusterCIDR having cidrSet with fewer allocatable Pod CIDRs has higher priority. P2: ClusterCIDR with a PerNodeMaskSize having fewer IPs has higher priority. P3: ClusterCIDR having label with lower alphanumeric value has higher priority. P4: ClusterCIDR with a cidrSet having a smaller IP address value has higher priority.

Signed-off-by: kerthcet <kerthcet@gmail.com>

Change-Id: I5dad644cf5cb232ebed0950a14b35a781a38eeb0

…-2022 volume: FeatureGate access to GetHostIDsForPod()

…xpectations Fix deleting UIDs tracking expectations

…flag KEP-596: Move CSIInlineVolume feature to GA

MultiCIDRRangeAllocator is a new Range Allocator which makes using multiple ClusterCIDRs possible. It consists of two controllers, one for reconciling the ClusterCIDR API objects and the other for allocating Pod CIDRs to the nodes. The allocation is based on the rules defined in https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2593-multiple-cluster-cidrs

…ential-goroutine-leak-in-metric-recorder Remove potential goroutine leak in testing framework

…locator Enhance NodeIPAM to support multiple ClusterCIDRs

Prevent panic when cloud-provider InstancesV2.InstanceMetadata returns (nil,nil) Signed-off-by: zhaodiaoer <ddaaren@gmail.com>

…t-test node_e2e: add a dbus restart test

Promote Ephemeral Containers e2e test to Conformance

Fix flaky CSIInlineVolumes e2e test (issue 111740)

Add e2e HPA Behavior tests: scale up/down limited by number of Pods / min, scale up/down limited by percentage / min

Also stress tested for ~2 hours to minimize possible races: $ stress ./volume.test -test.run=TestRetroactiveStorageClassAssignment ... 1h59m50s: 3198 runs so far, 0 failures 1h59m55s: 3200 runs so far, 0 failures 2h0m0s: 3201 runs so far, 0 failures 2h0m5s: 3202 runs so far, 0 failures

…ceMetadata Prevent panic in cloud-provider

document that services healthcheckNodePort is inmutable once set

[test] Remove feature to enable e2e tests

This reverts commit 233e0cb.

Revert "enforce strict alpha handling for API serving"

Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>

…ment-int Add integration test for Retroactive default StorageClass assignement

…lease-125 staging/publishing: add release-1.25 branch

…eemption fix a memory leakage problem when calling DryRunPreemption

Docs: node-port-range should not overlap ephemeral

Fixes instances of kubernetes#98213 (to ultimately complete kubernetes#98213 linting is required). This commit fixes a few instances of a common mistake done when writing parallel subtests or Ginkgo tests (basically any test in which the test closure is dynamically created in a loop and the loop doesn't wait for the test closure to complete). I'm developing a very specific linter that detects this king of mistake and these are the only violations of it it found in this repo (it's not airtight so there may be more). In the case of Ginkgo tests, without this fix, only the last entry in the loop iteratee is actually tested. In the case of Parallel tests I think it's the same problem but maybe a bit different, iiuc it depends on the execution speed. Waiting for the CI to confirm the tests are still passing, even after this fix - since it's likely it's the first time those test cases are executed - they may be buggy or testing code that is buggy. Another instance of this is in `test/e2e/storage/csi_mock_volume.go` and is still failing so it has been left out of this commit and will be addressed in a separate one

Fix capture loop vars in parallel or ginkgo tests

openshift-rebase(v1.24):source=bb9c3262208

…oups for internal load balancers UPSTREAM: 84466: legacy-cloud-providers/gce/gce_fake.go: NewFakeGCECloud: make sure that the secondary zone is also part of managedZones Origin-commit: 79d66e294a3906efd0351f125cefb4b9cc1c9ab4 UPSTREAM: 84466: gce: ensureInternalInstanceGroups: reuse instance-groups for internal load balancers Origin-commit: cfb25370a7c8f9bed9688cb334b4bc1c3342da0d UPSTREAM: 84466: gce: add ExternalInstanceGroupsPrefix to filter instance groups that will be re-used for ILB backend Origin-commit: e29c0b6ce3c068e02419a7b3cbc381b919981f50 UPSTREAM: 84466: gce: skip ensureInstanceGroup for a zone that has no remaining nodes for k8s managed IG Origin-commit: 3915cef99ee4eedc9755d454abb7e4efa2a63bff openshift-rebase(v1.24):source=8bd488b66eb openshift-rebase(v1.24):source=8bd488b66eb openshift-rebase(v1.24):source=8bd488b66eb

openshift-rebase(v1.24):source=193d763adc1

Origin-commit: b992ee2fcb5cd610e9242c3165908b6bc6e423f5 UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI Origin-commit: 5ce9a77a641ec9d0399226af572e429317d3daf6 UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI Origin-commit: 0ee08c7a5e138e8df2bd7d010e9ab59a6543cf63 Revise as per openshift/kubernetes-apiserver#12 openshift-rebase(v1.24):source=c6840e84f86

Origin-commit: 14ba1f8ece9a7bb00ececb2a35b5f8f5fbeacc83 UPSTREAM: <carry>: prevent apiservice registration by CRD controller when delegating Origin-commit: 3d216eab7adcbd8596606d72d31b6af621bfd350 UPSTREAM: <carry>: prevent CRD registration from fighting with APIServices Origin-commit: c1c87eeade4730a2271cb98b4c6ea16af07e3e68 UPSTREAM: <carry>: always delegate namespaced resources Origin-commit: 7f0815b5a88d57046a92fbdbc493bab2ad28a79c openshift-rebase(v1.24):source=f9a6b73ca78 openshift-rebase(v1.24):source=f9a6b73ca78 openshift-rebase(v1.24):source=f9a6b73ca78

…en it exists Origin-commit: d3ceac4e065c3d2689192fda102303030cfdb928 openshift-rebase(v1.24):source=a1c12a7dd32

…trap SDN when SDN is down Origin-commit: 36c5e7d672bf82bd09ee382564bc03ef8e1b3a76 openshift-rebase(v1.24):source=b4aee491855 UPSTREAM: <carry>: use hardcoded rest mapper from library-go openshift-rebase(v1.24):source=58f3815bab1 openshift-rebase(v1.24):source=58f3815bab1 openshift-rebase(v1.24):source=58f3815bab1

…let logs endpoint Provide an administrator a streaming view of journal logs without them having to implement a client side reader. Only available to cluster admins. openshift-rebase(v1.24):source=c2c9d7451f5

…signer to token controller :100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go openshift-rebase(v1.24):source=194864933ce openshift-rebase(v1.24):source=194864933ce openshift-rebase(v1.24):source=194864933ce

…ontroller-manager UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager openshift-rebase(v1.24):source=18bbb151dd9 openshift-rebase(v1.24):source=18bbb151dd9 openshift-rebase(v1.24):source=18bbb151dd9 UPSTREAM: <carry>: (squash) remove egressnetworkpolicies from gc ignored resources egressnetworkpolicies should not be in garbage collector ignored resources, so users can delete them using "--cascade=foreground" flag. Signed-off-by: Flavio Fernandes <flaviof@redhat.com> openshift-rebase(v1.24):source=771b4b56597

…rces from quota openshift-rebase(v1.24):source=02ce9b3d6d1

…ly to admission plugin openshift-rebase(v1.24):source=fcb3456b7fb

…options Origin-commit: 33a71aff9bb4e204bf2e15af4cdfb5bd0525ce4e openshift-rebase(v1.24):source=ee6f24dc718

Origin-commit: 10c14ca7ae63428823e58790c16078d8094e4b95 openshift-rebase(v1.24):source=c16c14dfa73

The upstream can't enable this, but we need to do so in order to properly validate that cluster upgrades retain availability. Origin-commit: 917e8cb064643370573808e9aba8dbec5df456ff openshift-rebase(v1.24):source=02dabaf4678

openshift-rebase(v1.24):source=87f75213acc openshift-rebase(v1.24):source=87f75213acc openshift-rebase(v1.24):source=87f75213acc

Origin-commit: 170dd7d25cca990fd7683eaf424d00bcd776c39c Origin-commit: 35ef039cb099dc609c576cf594aadd849212a00b UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator UPSTREAM: <drop>: remove the openshift authenticator from the apiserver In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove. UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function Origin-commit: 0d7fb2d769d631054ec9ac0721aee623c96c1001 UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring Origin-commit: 3b0c72dd7b9f9367dda8f8645909d9277a6c29e9 openshift-rebase(v1.24):source=78e37fdfb28 UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile Origin-commit: 84ba7fc304870a30df7136da14bccb4d5232f075 openshift-rebase(v1.24):source=eecae1591a1 UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec openshift-rebase(v1.24):source=2af991c43b1 UPSTREAM: <carry>: stop overriding flags that are explicitly set openshift-rebase(v1.24):source=8355d726bbf UPSTREAM: <carry>: add readyz check for openshift apiserver availability openshift-rebase(v1.24):source=3784942f6fc UPSTREAM: <carry>: wait for oauth-apiserver accessibility openshift-rebase(v1.24):source=0c175222685 UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that: 1. are in an allowed namespace 2. and have the workload annotation. It also sets the new management resource request and limit and set resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703 Conditions for CPUs requests deletion: 1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management" 2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}" 3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores" 4. The CPU request deletion will not change the pod QoS class Signed-off-by: Artyom Lukianov <alukiano@redhat.com> UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type It is possible a race condition between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> openshift-rebase(v1.24):source=ea874aa684f UPSTREAM: <carry>: add CRD validation for dnses Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters. This commit fixes bug 1967745. https://bugzilla.redhat.com/show_bug.cgi?id=1967745 * openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme. * openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin. * openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file. (PluginName): New const. (Register): New function. Register the plugin. (toDNSV1): New function. Convert a runtime object to a versioned DNS. (dnsV1): New type to represent a runtime object that is validated as a versioned DNS. (ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers. (validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper. (validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper. (validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations. (validateTolerations): New function. Validate a slice of corev1.Toleration. * openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file. (TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs. (TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs. * vendor/*: Regenerate. openshift-rebase(v1.24):source=bd9a55803db UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure openshift-rebase(v1.24):source=cc96bfa11af UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis openshift-rebase(v1.24):source=6f2d9a525bc UPSTREAM: <carry>: verify required http2 cipher suites In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash. See: go/x/net/http2.ConfigureServer for futher information. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com> openshift-rebase(v1.24):source=e2fb8191644 UPSTREAM: <carry>: drop the warning to use --keep-annotations When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass `--keep-annotations` parameter to the debug command. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> openshift-rebase(v1.24):source=9726268c979 UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> openshift-rebase(v1.24):source=35a93248f51 UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled openshift-rebase(v1.24):source=67e1c1dac22 UPSTREAM: <carry>: use new access token inactivity timeout field. openshift-rebase(v1.24):source=79be14211df UPSTREAM: <carry>: apirequestcount validation openshift-rebase(v1.24):source=5fbf4195cbb UPSTREAM: <carry>: Added config node object validation for extreme latency profiles Signed-off-by: Swarup Ghosh <swghosh@redhat.com> UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches

…ndler chain Origin-commit: 5772e7285acbe901762d8cd8cb1fc33d8b459d04 openshift-rebase(v1.24):source=c7c48fdacb0 openshift-rebase(v1.24):source=c7c48fdacb0 openshift-rebase(v1.24):source=c7c48fdacb0 UPSTREAM: <carry>: use lifeCycleSignals for isTerminating openshift-rebase(v1.24):source=d3045350e43

Origin-commit: a869af0c97e3d97bddedcd76af8a62da6c879c02 UPSTREAM: <carry>: apiserver: log new connections during termination Origin-commit: 89d1c3ceeb91755aae9099cd5f76c42a22de18c5 UPSTREAM: <carry>: apiserver: create LateConnections events on events in the last 20% of graceful termination time Origin-commit: 91bc33b6ddf9e1d80906717db5bd9096183e8795 UPSTREAM: <carry>: apiserver: log source in LateConnections event Origin-commit: 575e54740eb7c2ba635c73f24c22ad77cb5a6e70 UPSTREAM: <carry>: apiserver: skip local IPs and probes for LateConnections Origin-commit: 2109b95866e81b84a290f34f0806becc2cbd83e9 UPSTREAM: <carry>: only create valid LateConnections/GracefulTermination events UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: apiserver: create hasBeenReadyCh channel UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: fix termination event(s) validation failures UPSTREAM: <carry>: during the rebase collapse to create termination event it makes recording termination events a non-blocking operation. previously closing delayedStopCh might have been delayed on preserving data in the storage. the delayedStopCh is important as it signals the HTTP server to start the shutdown procedure. it also sets a hard timeout of 3 seconds for the storage layer since we are bypassing the API layer. openshift-rebase(v1.24):source=7b9aa03e491 UPSTREAM: <carry>: rename termination events to use lifecycleSignals openshift-rebase(v1.24):source=e90b78a9199

Origin-commit: 45f159f05b92c893c175ffe968f89a34f5581f5b openshift-rebase(v1.24):source=538170825bb

openshift-rebase(v1.24):source=8d9bda8f24c

Origin-commit: beac12d815b4099cfd4f4d953da4b8789054be51 openshift-rebase(v1.24):source=198209159d4

Origin-commit: 4498bb4de03ff3a910fed10bed337ba2fcdf321d openshift-rebase(v1.24):source=4cfb8fafa6f

UPSTREAM: <carry>: Remove a redundant output in the tests This line is not necessary for our test usage and should not be an issue in OpenShift (openshift-tests already verifies this correctly). UPSTREAM: <carry>: Remove excessive logging during e2e upgrade test This line makes the upgrade log output unreadable and provides no value during the set of tests it's used in: ``` Jan 12 20:49:25.628: INFO: cluster upgrade is Progressing: Working towards registry.svc.ci.openshift.org/ci-op-jbtg7jjb/release@sha256:144e73d125cce620bdf099be9a85225ade489a95622a70075d264ea3ff79219c: downloading update Jan 12 20:49:26.692: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success Jan 12 20:49:28.727: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success ``` Origin-commit: 1cdf04c0e15b79fad3e3a6ba896ed2bb3df42b78 openshift-rebase(v1.24):source=dd0d3bfa831

…y running test OpenShift uses these function before any test is run and they cause NPE openshift-rebase(v1.24):source=52b73523b4c

… secret This patch brings back the downstream changes that were introduced to allow reading openstack cloud provider config from a secret. They are available in release-4.4, but were reverted in master with openshift/origin#24719 This change includes: - Ability to read metadata values for kubelet. Since the service does not have access to the secret to read the configuration, but it needs data to download (e.g. hostname or flavor), we are trying to get it from the metadata server. - Deprecation of kubeConfig parameter. Now we read the file that was provided with --kubeconfig option. Origin-commit: f95edc26155a29769b3c5b80c03755a01a87b5fc UPSTREAM: 89885: legacy-cloud-provider/openstack: include / prefix in instance ID output When we want to read an instance ID from the metadata service, cloud provider doesn't include "/" prefix, which is required for successful parsing of provider the ID later. This commit adds the missing "/" prefix to the output. UPSTREAM: 89885: SQUASH: Fix Cinder provisioning crashing on nil cloud provider OpenStack cloud provider must not use nil when provisioning a Cinder volume. UPSTREAM: 89885: SQUASH: Report OpenStack cloud initialization errors openshift-rebase(v1.24):source=dbe70e455ee UPSTREAM: <carry>: Set informer for openstack Set informer for the openstack cloud provider to ensure it is properly initialized when reading config from a secret. Upstream 89885 was closed in favor of 96750. Co-authored-by: Hemant Kumar <hekumar@redhat.com> openshift-rebase(v1.24):source=d7ecbd903e2 UPSTREAM: 89885: SQUASH: Retry fetching clouds.conf The OpenStack secret is not guaranteed to be present at the time kube-controller-manager is initialised. Co-authored-by: Martin André <m.andre@redhat.com> Co-authored-by: Pierre Prinetti <pierreprinetti@redhat.com> openshift-rebase(v1.24):source=8bc9dd29ef0 UPSTREAM: 89885: Fix panic in openstack.InstanceExistsByProviderID() ... when provider is uninitialised. This is a fix to downstream-only code which was originally proposed upstream as kubernetes#89885 but did not merge. It is therefore not relevant upstream. Given that we will replace the openstack legacy cloud provider in 4.12 we will not re-propose kubernetes#89885 or this fix to it. Causes all openstack.Instances() methods which require more than the local metadata service to return NotImplemented instead of crashing if the provider is not initialised.

…etup openshift-rebase(v1.24):source=4d63cde7462

Origin-commit: 87d123196e9f9b77ff08d8b94c5b1348f3b35a8d openshift-rebase(v1.24):source=b6fed67c9c4

UPSTREAM: <carry>: Copy hack scripts and tools from openshift/origin UPSTREAM: <carry>: Fix shellcheck failures for copied openshift-hack bash UPSTREAM: <carry>: Enable build, test and verify UPSTREAM: <carry>: Copy README content from origin UPSTREAM: <carry>: Copy watch-termination command from openshift/origin UPSTREAM: <carry>: Switch image and rpm build to golang 1.14 UPSTREAM: <carry>: Copy test annotation from origin UPSTREAM: <carry>: Build openshift-compatible kube e2e binary UPSTREAM: <carry>: Updating openshift-hack/images/hyperkube/Dockerfile.rhel baseimages to mach ocp-build-data config UPSTREAM: <carry>: Update test annotation rules UPSTREAM: <carry>: Enable k8s-e2e-serial UPSTREAM: <carry>: Update test annotation rules UPSTREAM: <carry>: Build with golang 1.15 UPSTREAM: <carry>: (squash) Stop installing recent bash and protoc from source UPSTREAM: <carry>: Add rebase instructions UPSTREAM: <carry>: (squash) Update README.openshift to reflect transition UPSTREAM: <carry>: (squash) Stop annotating origin tests with [Suite:openshift] The detection logic was error-prone (different results based on the repo existing in GOPATH vs not) and whether a test comes from origin can be inferred from the absence of the `[Suite:k8s]` tag. UPSTREAM: <carry>: (squash) Update hyperkube version UPSTREAM: <carry>: (squash) Update OpenShift docs UPSTREAM: <carry>: watch-termination: fix deletion race and write non-graceful message also to termination.log UPSTREAM: <carry>: watch-termination: avoid false positives of NonGracefulTermination events UPSTREAM: <carry>: (squash) remove servicecatalog e2e that was dropped upstream UPSTREAM: <carry>: (squash) Fix annotation rules UPSTREAM: <carry>: (squash) Fix image refs UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube builder & base images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/b0ab44b419faae6b18e639e780a1fa50a1df8521/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: (squash) Retry upstream flakes UPSTREAM: <carry>: (squash) Update test exclussions for 1.20.0 UPSTREAM: <carry>: (squash) Add detail to rebase doc - Add new section 'Maintaining this document' - Move checklist above the instructions to emphasize their importance - Add new section 'Reacting to new commits' - Mention that generated changes in carries should be dropped UPSTREAM: <carry>: Enable CSI snapshot e2e tests All images were uploaded to our quay.io mirror and the tests should succeed. UPSTREAM: <carry>: Stop skipping multi-az test (skipped upstream) UPSTREAM: <carry>: bump tag version & update rebase doc UPSTREAM: <carry>: update rebase doc & image UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: Add Dockerfile to build pause image Ensuring the target directory exists before writing a file to it. UPSTREAM: <carry>: disable part of hack/verify-typecheck-providerless.sh due to our carry patches UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: Add process overlap detection event to watch-termination NOTE: Squash this to watch-termination commit on rebase. UPSTREAM: <carry>: openshift-hack/images/os/Dockerfile: Add io.openshift.build.versions, etc. For example, consider the current 4.10 RHCOS: $ oc image info -o json registry.ci.openshift.org/ocp/4.10:machine-os-content | jq -r '.config.config.Labels | to_entries[] | .key + ": " + .value' | grep '^io\.k8s\|^io\.openshift' io.k8s.description: The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly. io.k8s.display-name: Red Hat Universal Base Image 8 io.openshift.build.version-display-names: machine-os=Red Hat Enterprise Linux CoreOS io.openshift.build.versions: machine-os=49.84.202109102026-0 io.openshift.expose-services: io.openshift.tags: base rhel8 A bunch of those seem to be inherited from the UBI base image, so we can leave them alone. But the io.openshift.build.* entries are RHCOS-specific, and are consumed by 'oc adm release new ...' [1,2] and friends to answer questions like "which RHCOS is in this release?": $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.8.12-x86_64 | jq .displayVersions { "kubernetes": { "Version": "1.21.1", "DisplayName": "" }, "machine-os": { "Version": "48.84.202109100857-0", "DisplayName": "Red Hat Enterprise Linux CoreOS" } } Setting this label will avoid failures when consumers like driver-toolkit's version consumer [3]: name: 0.0.1-snapshot-machine-os bump into ci-tools-built machine-os-content images that lack the io.openshift.build.versions declaration of machine-os version [4]: error: unable to create a release: unknown version reference "machine-os" I've gone with generic testing values, so hopefully this is not something that local maintainers need to remember to bump for each OpenShift z stream. [1]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/image_mapper.go#L328-L334 [2]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/annotations.go#L19-L28 [3]: openshift/driver-toolkit@464acca#diff-4caed9b2b966a8fa7a016ae28976634a2d3d1b635c4e820d5c038b2305d6af53R18 [4]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/959/pull-ci-openshift-kubernetes-master-images/1438398678602616832#1:build-log.txt%3A97 UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: squash with the rest of tooling UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: rebase script openshift-rebase(v1.24):source=b2b619077ea UPSTREAM: <carry>: Fix networking-related test exclusions Tests that fail on openshift-sdn specifically should be tagged as such, so that they don't also get skipped when running under ovn-kubernetes or third-party network plugins. UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379 in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be cleanly unmounted, gets "Stale file handle" error instead on umount. As a result this test is permafailing on Fedora CoreOS nodes. UPSTREAM: <carry>: Skip GlusterFS tests GlusterFS is not supported in 4.x, we've been running its tests just because we could. Now it does not work on IPv6 systems. E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported) UPSTREAM: <carry>: Skip GlusterFS tests The previous commit left two GlusterFS test still running: [sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s] [sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes Skip it, we don't support Gluster and it does not work on ipv6 UPSTREAM: <carry>: 1.22 alpha & other tests disablement UPSTREAM: <carry>: 1.21 alpha & other tests disablement UPSTREAM: <carry>: Enable GenerciEphemeralVolume tests UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase UPSTREAM: <carry>: Reenable NetworkPolicy test Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com> UPSTREAM: <carry>: Conformance tests (sysctls) should be run We have to run this test for conformance, and the tests pass. Reenable this block which has been disabled for 2 releases (but appears to work fine). UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests Instead, openshift-tests will enable or disable them depending on cluster configuration. UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name This test was renamed upstream in kubernetes@006dc74 UPSTREAM: <carry>: re-enable networking tests after rebase During a bump to k8 ver. 1.22.0, networking tests were disabled to accomplish the bump. This disabled netpol and older network tests. Netpol tests will be enabled in a following PR and therefore only partially fixes BZ. This commit partially fixes bug 1986307. https://bugzilla.redhat.com/show_bug.cgi?id=1986307 Signed-off-by: Martin Kennelly <mkennell@redhat.com> UPSTREAM: <drop>: update test annotate rules openshift-rebase(v1.24):source=7725d540b11 UPSTREAM: <carry>: Add DOWNSTREAM_OWNERS UPSTREAM: <carry>: clarify downstream approver rules openshift-rebase(v1.24):source=d74d9a2173b UPSTREAM: <carry>: copy extensions into resulting image openshift-rebase(v1.24):source=0bca5f4fa8e UPSTREAM: <carry>: update rebase doc openshift-rebase(v1.24):source=9b19ca983f4 UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning Master nodes already have `master` taint which cannot be tolerated by normal workloads. If we manually cordon the master nodes again, some of the control plane components cannot get rescheduled unless they have toleration to the `node.kubernetes.io/unschedulable` taint. Even if we have the toleration in the pod spec, because of the backwards compability issues scheduler will ignore nodes which have `unschedulable` field set. IOW: - Cordoning master nodes is redundant as masters already have taints - Cordoning master nodes can cause issues which are hard to debug as control-plane components may be evicted/preempted during e2e run(highly unlikely but a possibility). So, let's stop cordoning master nodes. openshift-rebase(v1.24):source=9755d206dd5 UPSTREAM: <carry>: enable internal traffic policy tests Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1986307 Signed-off-by: Martin Kennelly <mkennell@redhat.com> openshift-rebase(v1.24):source=f921d48224f UPSTREAM: <carry>: update rebase doc openshift-rebase(v1.24):source=9119117160a UPSTREAM: <carry>: enable e2e test after 1.23 rebase in sdn Enable "[sig-network] Conntrack should be able to preserve UDP traffic when initial unready endpoints get ready" after 1.23 rebase in openshift/sdn Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> openshift-rebase(v1.24):source=32ce0d0897c openshift-rebase(v1.24):source=32ce0d0897c openshift-rebase(v1.24):source=32ce0d0897c UPSTREAM: <carry>: Unskip OCP SDN related tests Unskip networkPolicy tests concerning IpBlock and egress rules since both features have now been implemented. Signed-off-by: astoycos <astoycos@redhat.com> openshift-rebase(v1.24):source=aba8d2093ce UPSTREAM: <carry>: enable should drop INVALID conntrack entries test Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com> openshift-rebase(v1.24):source=3f7f68a7ce3 openshift-rebase(v1.24):source=3f7f68a7ce3 openshift-rebase(v1.24):source=3f7f68a7ce3 UPSTREAM: <carry>: update e2es openshift-rebase(v1.24):source=96a18e04df7 UPSTREAM: revert: <carry>: Unskip OCP SDN related tests These newly-enabled tests are breaking some CI, possibly due to race conditions in the tests. Re-disable them for now. This reverts commit aba8d20. openshift-rebase(v1.24):source=d032c6e6463 UPSTREAM: <carry>: update hyperkube and image version UPSTREAM: <drop>: disable e2e tests - disable 'ProxyTerminatingEndpoints' feature e2e tests - disable [sig-network] [Feature:Topology Hints] should distribute endpoints evenly see https://bugzilla.redhat.com/show_bug.cgi?id=2079958 for more context UPSTREAM: <carry>: Add kubensenter to the openshift RPM This carry-patch adds the kubensenter script to the openshift-hyperkube RPM, by importing it via the new hack/update-kubensenter.sh script. Signed-off-by: Jim Ramsay <jramsay@redhat.com> UPSTREAM: <carry>: Skip session affinity timeout tests in 4.12 and higher the default CNI is OVNKubernetes and these two tests do not pass. Skip them. They are also skipping in the origin test suites for ovnk. Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>

openshift-rebase(v1.24):source=d1e53633876

… allowed node labels Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work. openshift-rebase(v1.24):source=6da1c7d4562

openshift-rebase(v1.24):source=39aab47dea8

openshift/origin needs to be able to vendor these definitions so they need to be committed. openshift-rebase(v1.24):source=1ca04429c95

UPSTREAM: <carry>: Force releasing the lock on exit for KS squash with UPSTREAM: <carry>: Release lock on KCM and KS termination openshift-rebase(v1.24):source=93017a1df89 openshift-rebase(v1.24):source=93017a1df89 openshift-rebase(v1.24):source=93017a1df89

…belet logs endpoint Provide an administrator a streaming view of event logs on Windows machines without them having to implement a client side reader. The kubelet API for querying the Linux journal is re-used for invoking the Get-WinEvent cmdlet in a PowerShell. Parameters that have no functional equivalence in Get-WinEvent are ignored when assembling the command. Only available to cluster admins. openshift-rebase(v1.24):source=6a457760045

openshift-rebase(v1.24):source=b8796c6f7c3

… one UPSTREAM: <carry>: kube-apiserver: set up separate signal handler functions to ignore further signals This patches the changes from openshift#558 to provide these new functions without changing the behavior for other repos that depend on them, such as library-go. openshift-rebase(v1.24):source=bfea75be7a2

…gated apiservers openshift-rebase(v1.24):source=7d4d48c9482

openshift-rebase(v1.24):source=fc65be016bd

…lures of important pods openshift-rebase(v1.24):source=75bef3ca784 openshift-rebase(v1.24):source=75bef3ca784 openshift-rebase(v1.24):source=75bef3ca784 UPSTREAM: <carry>: provide unique reason for pod probe event during termination

…ocalhost to force KS to use localhost set the following flag in kubescheduler (oc edit kubescheduler cluster) unsupportedConfigOverrides: arguments: unsupported-kube-api-over-localhost:: - "true" openshift-rebase(v1.24):source=04eabe53d2a openshift-rebase(v1.24):source=04eabe53d2a openshift-rebase(v1.24):source=04eabe53d2a UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost-squash to other This commit is addendum to openshift@04eabe5 to stop using cc and start relying on scheduler config options openshift-rebase(v1.24):source=f89b437f6f0

…t set of featuregates The volume plugin manager for openshfit's Attach Detach controller in kube-controller-manager uses a set of featuregates that are NOT the same as the the other controllers in KCM and the kubelet. This means these featuregates (if we kept the old names) would be inconsistent inside of a single binary. There are now separate featuregates for the volumepluginmanger when running in the Attach Detach controller to reflect this distintion. See openshift/enhancements#549 for details. Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAWS / features.CSIMigrationOpenStack are GA). UPSTREAM: <carry>: add CSI migration feature gates for GCE PD and Azure Disk This commit is the next natural step for commit 2d9a8f9. It introduces custom feature gates to enable the CSI migration in GCE PD and Azure Disk plugins. See openshift/enhancements#549 for details. Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAzureDisk / features.CSIMigrationGCE are GA). UPSTREAM: <carry>: Set CSI migration off when a test needs it In OCP we carry a patch that forces CSI migration to be enabled in Attach/Detach controller (ADC). Update ADC unit tests to disable the migration there when an unit test needs it disabled. openshift-rebase(v1.24):source=ec8a203cd68

UPSTREAM: <carry>: management workloads enhancement 741 UPSTREAM: <carry>: lower verbosity of managed workloads logging Support for managed workloads was introduced by PR#627. However, the the CPU manager reconcile loop now seems to flood kubelet log with "reconcileState: skipping pod; pod is managed" warnings. Lower the verbosity of these log messages. openshift-rebase(v1.24):source=9e63356d4a9

UPSTREAM: <carry>: simplify apirequest counter code UPSTREAM: <carry>: add more unit tests UPSTREAM: <carry>: fix SetRequestCountsForNode UPSTREAM: <carry>: switch to apirequestcount for all resources UPSTREAM: <carry>: temporarily bypass validation for apirequest count removedInRelease UPSTREAM: <carry>: apirequestcount to show dominators instead of fewest UPSTREAM: <carry>: keep apirequestcounts for non-persisted users between updates UPSTREAM: <carry>: properly honor the max number of users in spec UPSTREAM: <carry>: apirequest count with empty .status.removedInRelease UPSTREAM: <carry>: add apirequestcount useragent UPSTREAM: <carry>: limit cardinality of useragent for removedrequest handling UPSTREAM: <carry>: correct apirequestcount lock UPSTREAM: <carry>: apirequestcount: smear out CR updates over interval squash with UPSTREAM: <carry>: deprecateApiRequestHandler openshift-rebase(v1.24):source=f1b2addabc1 UPSTREAM: <carry>: update list of deprecated apis UPSTREAM: <carry>: update list of deprecated apis openshift-rebase(v1.24):source=5ef33bccf60 UPSTREAM: <carry>: fix request count log rotation - discover existing resource request logs on restart - prevent un-needed updates - fixup small typos - reduce chatter in apiserver logs openshift-rebase(v1.24):source=bbd16356c37 UPSTREAM: <carry>: update list of deprecated apis Update the list of deprecated APIs marked for removal base on the latest [Deprecated API Migration Guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide). openshift-rebase(v1.24):source=0c3aeba7b49 UPSTREAM: <carry>: apirequestcount filter should skip non-resources openshift-rebase(v1.24):source=5b8b08c1629 UPSTREAM: <carry>: ignore invalid apirequestcounts openshift-rebase(v1.24):source=e23f142b9ed UPSTREAM: <carry>: update list of deprecated apis

…localhost to force KCM to use localhost set the following flag in kubecontrollermanager (oc edit kubecontrollermanager cluster) unsupportedConfigOverrides: extendedArguments: unsupported-kube-api-over-localhost: - "true" openshift-rebase(v1.24):source=0ac43f622c4 openshift-rebase(v1.24):source=0ac43f622c4 openshift-rebase(v1.24):source=0ac43f622c4

OpenShift since 3.x has injected the service serving certificate ca (service ca) bundle into service account token secrets. This was intended to ensure that all pods would be able to easily verify connections to endpoints secured with service serving certificates. Since breaking customer workloads is not an option, and there is no way to ensure that customers are not relying on the service ca bundle being mounted at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, it is necessary to continue mounting the service ca bundle in the same location in the bound token projected volumes enabled by the BoundServiceAccountTokenVolume feature (enabled by default in 1.21). A new controller is added to create a configmap per namespace that is annotated for service ca injection. The controller is derived from the controller that creates configmaps for the root ca. The service account admission controller is updated to include a source for the new configmap in the default projected volume definition. UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens openshift-rebase(v1.24):source=efe0cfeaa21

… to apiserver_request_total UPSTREAM: <carry>: apiserver: add cluster-policy-controller to system client in apiserver_request_total openshift-rebase(v1.24):source=7fd9897d2cb

…phase and graceful termination phase openshift-rebase(v1.24):source=2f57c5b68bd

openshift-rebase(v1.24):source=2fac715cabd

…olumn The logic is not exressible via JSONPath. Hence, if we want this, we have to help a little with this custom column writer. openshift-rebase(v1.24):source=eddcc518beb openshift-rebase(v1.24):source=eddcc518beb openshift-rebase(v1.24):source=eddcc518beb

Upstream worked on under kubernetes#102868 openshift-rebase(v1.24):source=ebbd98c4af1

…iserver openshift-rebase(v1.24):source=07bf20738e9

…gration test openshift-rebase(v1.24):source=c83ceebb078

…a.crt for migration compatibility openshift-rebase(v1.24):source=791d41e279c

… reply with a cached value openshift-rebase(v1.24):source=9ebab947279

…getting false positives until the server becomes ready the availability checks depend on fully initialized SDN OpenShift carries a few reachability checks that affect /readyz protocol we skip posting failures to avoid getting false positives until the server becomes ready UPSTREAM: <carry>: skip posting failures to aggregated APIs to avoid getting false positives until the server becomes ready marks availability of the server before checking the aggregate APIs as it can change as we are running the checks. in that case, skip posting failures to avoid false positives. note on the next rebase please squash with the previous commit openshift-rebase(v1.24):source=30214940c21

openshift-rebase(v1.24):source=110aaa7c54c openshift-rebase(v1.24):source=110aaa7c54c openshift-rebase(v1.24):source=110aaa7c54c

…ted edit role" OpenShift has an admission controller to prevent restricted Endpoints changes, and there's no reason to block non-restricted changes (such as modifying the annotations of an Endpoints, which is done by "oc idle"). This reverts commit 416efda. openshift-rebase(v1.24):source=573d6345f81 openshift-rebase(v1.24):source=573d6345f81 openshift-rebase(v1.24):source=573d6345f81

openshift-rebase(v1.24):source=24428447834

openshift-rebase(v1.24):source=ea2d15e503c

…dresses UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well openshift-rebase(v1.24):source=819a64c501a

… for GC and Namespace controllers In general, setting the header will result in getting 429 when the server hasn't been ready. This prevents certain controllers like GC, Namespace from accidentally removing resources when the caches haven't been fully synchronized. openshift-rebase(v1.24):source=57afba23a2f openshift-rebase(v1.24):source=57afba23a2f openshift-rebase(v1.24):source=57afba23a2f

openshift-rebase(v1.24):source=4954e48523c

openshift-rebase(v1.24):source=4ac30cd9474

…ure File This commit is the next natural step for commits 2d9a8f9 and d37e84c. It introduces custom feature gates to enable the CSI migration in vSphere and Azure File plugins. See openshift/enhancements#549 for details. Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAzureFile / features.CSIMigrationVSphere are GA). openshift-rebase(v1.24):source=2701d71abb4

…time to unmount UPSTREAM: <carry>: Fix sync of PV deletion in PV controller Always queue PV deletion events immediately, without any wait. It does not affect dynamic de-provisioning / deletion of volumes, it's done on PVC deletion. This de-flakes unit tests, which expect that PV deletion is processed without waiting too much. This updates carry patch b24f93e. It still waits for 21 seconds after *PVC* deletion! UPSTREAM: <carry>: delay queuing deletion for PV to allow nodes some time to unmount openshift-rebase(v1.24):source=c5fd3449734

…etup openshift-rebase(v1.24):source=ce8d63d76a0

openshift-rebase(v1.24):source=ab75ff1a507

…tioning is disabled Signed-off-by: Artyom Lukianov <alukiano@redhat.com> openshift-rebase(v1.24):source=aa8752060b0

openshift-rebase(v1.24):source=d7b268fffba

…d to CSI Skip test that depend on in-tree Azure Disk volume plugin that (wrongly) uses failure domains for value of "topology.kubernetes.io/zone" label in Azure regions that don't have availability zones. Our e2e tests blindly use that label and expect that a volume provisioned in such a "zone" can be used only by nodes in that "zone" (= topology domain). This is false, Azure Disk CSI driver can use such a volume in any zone and therefore the test may randomly fail. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2066865 openshift-rebase(v1.24):source=7871e95298a

In the tests, we oftentimes create pods directly by the administrative user and so their SCC-related privileges are being used to create the pods. The PSa label syncher however works by introspecting SAs in each namespace, and since the SAs in the direct pod creation use-cases don't have the SCC-related privileges, the labelsyncer evaluates these namespaces as "restricted" because only the "restricted-v2" SCC is ever assigned in the namespaces. This breaks tests where pods are created directly. openshift-rebase(v1.24):source=35dc012e1f5

…vice account token should be auto-generated

Remove reserved CPUs from default set when workload partitioning is enabled. Co-Authored-By: Brent Rowsell <browsell@redhat.com> Signed-off-by: Don Penney <dpenney@redhat.com>

…aren't causing problems when auto-attached by ginkgo

when we run verify-import-boss.sh it fails with the following error errors in package "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node": the following imports did not match any allowed prefix: gopkg.in/yaml.v3 k8s.io/kube-openapi/pkg/validation/spec note: this should be an upstream fix, not sure why we don't see this error in upstream, does upstream not run this job in verify? investigate and take proper action for this commit

…res lock to false

…space The main purpose of this change is to update the e2e Netpol tests to use the srandard CreateNamespace function from the Framework. Before this change, a custom Namespace creation function was used, with the following consequences: * Pod security admission settings had to be enforced locally (not using the centralized mechanism) * the custom function was brittle, not waiting for default Namespace ServiceAccount creation, causing tests to fail in some infrastructures * tests were not benefiting from standard framework capabilities: Namespace name generation, automatic Namespace deletion, etc. As part of this change, we also do the following: * clearly decouple responsibilities between the Model, which defines the K8s objects to be created, and the KubeManager, which has access to runtime information (actual Namespace names after their creation by the framework, Service IPs, etc.) * simplify / clean-up tests and remove as much unneeded logic / funtions as possible for easier long-term maintenance * remove the useFixedNamespaces compile-time constant switch, which aimed at re-using existing K8s resources across test cases. The reasons: a) it is currently broken as setting it to true causes most tests to panic on the master branch, b) it is not a good idea to have some switch like this which changes the behavior of the tests and is never exercised in CI, c) it cannot possibly work as different test cases have different Model requirements (e.g., the protocols list can differ) and hence different K8s resource requirements. For kubernetes#108298 Signed-off-by: Antonin Bas <abas@vmware.com>

This reverts commit 91ec31b.

This reverts commit b36786e.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WIP: Rebase 1.25 #1357

WIP: Rebase 1.25 #1357

Commits on Aug 2, 2022

Commits on Aug 3, 2022

Commits on Aug 4, 2022

Commits on Aug 5, 2022

Commits on Aug 6, 2022

Commits on Aug 7, 2022

Commits on Aug 8, 2022

Commits on Aug 9, 2022

Commits on Aug 10, 2022

Commits on Aug 11, 2022

Commits on Aug 12, 2022

Commits on Aug 13, 2022

Commits on Aug 15, 2022

Commits on Aug 16, 2022

Commits on Aug 18, 2022

Commits on Aug 19, 2022

Commits on Aug 22, 2022

Commits on Aug 23, 2022

Commits on Aug 26, 2022