DO NOT MERGE: Update to tip of kubernetes/kubernetes #1613

chore: os.SEEK_END os.SEEK_SET and use b.Logf(...) instead of b.Log(f…

Remove invalid merge key

…plane

…/config/server

DRA: implement e2e node tests

…trolplane package

…ntrolplane

…controlplane

…plane-1 kube-apiserver/cmd: stratify construction to follow options/config/server pattern

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>

…scheduler_scheduling_attempt_duration_seconds feature(scheduler_perf): distinguish result in scheduler_scheduling_attempt_duration_seconds metric result

…nit-xml Add flag to prune PASSED subtests in junit xml and have top level tests

Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>

Fixes issue 115945 by moving the cleanup code in AfterEach into DeferCleanup. Cleanup stanzas are now paired with their setup stanzas within the body of the BeforeEach and are now guarenteed to run in the correct order. Prior to this there was no guarantee that the goroutine to recycle unbound PVs had finished before the AfterEach began.

Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>

Cleanup: use Set instead of map in endpointSlice utils

…as-storage-layer-reviewer storage: Add MadhavJivrajani as reviewer

…ggered job

…her-testing storage: Cleanup cacher testing

Fix flaky persistent volumes e2e test

TestTimeoutRequestHeaders and TestTimeoutWithLogging are designed to catch data races on request headers and include an HTTP handler that triggers timeout then repeatedly mutates request headers. Sometimes, the request header mutation loop could complete before the timeout filter observed the timeout, resulting in a test failure. The mutation loop now runs until the test ends.

…-e2e re-send the shutdown signal in case the dbus restart is not done

[go] Bump images, versions and deps to use Go 1.20.5

Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>

…elay Ensure Job sync invocations are batched by 1s periods

fix eviction failing test for nil feature gates assignment

…tables-go1205 bump distroless-iptables to v0.2.5

Some use-cases are not actually wrong

deprecate CephFS plugin from available in-tree drivers.

dryrun: Don't reuse current object for conversion

Volume names are validated to be unique and always have been. The cited issues are all about apply getting messed up, not the aspiserver allowing dups. ``` $ k create -f /tmp/bad.yaml The Deployment "bad-volumes-test" is invalid: spec.template.spec.volumes[1].name: Duplicate value: "config" $ k apply --server-side -f /tmp/bad.yaml Error from server: failed to create typed patch object (default/bad-volumes-test; apps/v1, Kind=Deployment): .spec.template.spec.volumes: duplicate entries for key [name="config"] $ k apply -f /tmp/bad.yaml -o json | jq '.spec.template.spec.volumes' The Deployment "bad-volumes-test" is invalid: spec.template.spec.volumes[1].name: Duplicate value: "config" ```

Promote test for StorageV1CSIDriver Endpoints + 3 Endpoints

kubelet/volumemanager: sort unmounted volumes in error message

Fix warnings on "duplicate" env vars

Thes plugins are deprecated in earlier version of Kubernetes, however the PVspec was not validated and provided enough warning that, these are deprecated plugins. This commit add the warning and unit tests for the same. Signed-off-by: Humble Chirammal <humble.devassy@gmail.com>

The parameters are needed to build the test binaries, e.g. `e2e_node.test` `ginkgo` etc. Signed-off-by: Dave Chen <dave.chen@arm.com>

Return deprecation warning for storageOS,PhotonPD,ScaleIO..etc

…uling-one-score feature(schedule_one): use heap to find the highest score node

kube-proxy: remove log warning about not using config file

kube-proxy startup node IP detection

…ume-names Remove unreachable warning on volume name dup

Ginkgo changed the noColor command line arg to be no-color and will issue the following warning: You're using deprecated Ginkgo functionality: ============================================= --noColor is deprecated, use --no-color instead Fix this by changing all occurrences accordingly.

…up-probe Remove StartupProbe on debug with pod copy

…ging-plugin-interpodaffinity Migrated `pkg/scheduler/framework/plugins/interpodaffinity` to contextual logging

move pkg/util/ipset inside pkg/proxy/ipvs

Signed-off-by: Bridget Kromhout <bridget@kromhout.org>

Add SataQiu as a test/e2e/lifecycle approver

…rovider-approvers Updates chairs, tech leads for sig cloud provider

This test requires consistent CPU consumption for 3 minutes to pass. Consumption on a single Pod is more consistent than split across multiple Pods: no temporary usage drops in aggregate.

…-rename feat: rename PodHasNetwork to PodReadyToStartContainers

Once DeferCleanup for the worker goroutine is invoked, there's no need to continue doing anything anymore in that goroutine and it can return immediately, without reporting the "context canceled" error because there is no other reason for that.

When running iscsi test, use dbus socket from the host. targetcli uses the socket for synchronization. Recent Fedoras can run dbus only via systemd, which is cumbersome here.

…rplate.py Cleanup boilerpate.py

remove unused pv informer from expand_controller

…loud-node-ip-annotation Set the node-ips annotation correctly with CloudDualStackNodeIPs

…tenv Replace os.Setenv with testing.T.Setenv in tests

kubelet: mark '--azure-container-registry-config' flag as deprecated

undeprecate kubelet --provider-id flag

fix a typo in test/e2e/apimachinery/resource_quota.go

add --concurrent-cron-job-syncs flag for kube-controller-manager

Update --image-gc-low-threshold option's description

…erver-url-for-func Export DefaultServerUrlFor utility function

Remove undesired verbose fields from log

…cy-comments Update podFailurePolicy comment from alpha-level to beta

Remove unused `getSeccompProfilePath` helper function

…st-fix e2e storage: terminate worker quietly on test completion

Set memory.oom.group if using cgroups v2 unified mode so all processes in the container will be killed together in the event of an OOM kill.

…port use the cgroup aware OOM killer if available

Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>

cleanup: delete unused AuditDynamicOptions in apiserver

Update typo in k8s.po in line 2170

Fix the flaky legacy_service_account_token_clean_up_test.

When running kubeadm / installing k8s early during boot, the CA certificate can be generated before time is synchronised and time is jumped backward. Make notBefore 1 hour in the past to accept small clock jump. Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

…hing-bot-go11910 Update publishing-bot rules for release branches to Go 1.19.10

Update Kind details for DRA e2e

Co-authored-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>

Make etcd component status consistent with health probes

…test-grpc-timeout DRA: E2E Node: test GRPC timeout

apf: refactor bootstrap ensure strategy

iscsi: use dbus from the host

fix Cronjob status.lastSuccessfulTime not populated by a manually triggered job

Pass the mandatory parameters to build arm64 binaries

Ensure timeout test handlers don't complete before timing out.

Signed-off-by: Monis Khan <mok@microsoft.com>

gofumpt is a superset of go fmt, enabling some more strict formatting rules, mostly to improve code readability. No functional or code change, just formatting. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Commit 44bea35 added a code to return unwrapped fs.ErrNotExist error in case filepath.EvalSymlinks failed a wrapped one. This never worked because of a copy/paste bug. Fix this. Fixes: 44bea35 Cc: Manu Gupta <manugupt1@gmail.com> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Add some test cases for isMountPointMatch, to prepare for its rework. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Here's before/after comparison. [kir@kir-rhat mount-utils]$ benchstat before after name old time/op new time/op delta IsMountPointMatch-4 707ns ± 1% 40ns ± 1% -94.39% (p=0.008 n=5+5) name old alloc/op new alloc/op delta IsMountPointMatch-4 264B ± 0% 0B -100.00% (p=0.008 n=5+5) name old allocs/op new allocs/op delta IsMountPointMatch-4 11.0 ± 0% 0.0 -100.00% (p=0.008 n=5+5) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

1. Background. Since the dawn of times mount-utils package tries to work around the bug in the Linux kernel, which results in occasional incomplete read of mountinfo entries (from either /proc/mounts or /proc/PID/mountinfo). The workaround used is to read the whole file twice and compare the two blobs. If they differ, try again. The kernel bug is manifesting when mountinfo read is performed concurrently with an unmount, and can easily be reproduced by running lots of mounts and unmounts in parallel with the code reading mountinfo. For one such reproducer, see https://github.com/kolyshkin/procfs-test. On a Kubernetes node with lots of short-lived containers, mounts and unmounts are quite frequent. This leads to the occasional bug, and surely results in much more re-reads of mountinfo, because the workaround assumes its content is more-or-less static. The good news is, this bug was finally fixed by kernel commit 9f6c61f96f2d97, which made its way into Linux 5.8. 2. The issue. The code still read every file at least twice, and up to 10 times. The chance of re-reading is higher if there is a mount or unmount going on at the same time. The result is higher system and kernel load, and degraded performance. 3. The fix. As the re-reading is not necessary for newer kernels, let's check the kernel version and skip the workaround if running Linux >= 5.8. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

It has been deprecated since Go 1.16. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

io/ioutil is deprecated since Go 1.16. Besides, we now have a nice t.TempDir() function which simplifies things a lot. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Mostly "return value is not checked". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

…dpoints Remove csidriver endpoints from pending_eligible_endpoints.yaml

refactor: simplify RunScorePlugins for readability + performance

Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Change-Id: Ia2dacdc1d8fd3e369b9dcc0ec8b2653f3a834057

remove helper function for unused storage feature in pkg/proxy/util

Update CLI help text for grammar and consistency

Change-Id: I63e192b1ce9da7d8bb04f8be1a6e19ec6fbbfa5a

…-contextual-logging Migrated pkg/controller/job to contextual logging

Bump iscsi test server image

…racePeriodSeconds cleanup: remove ProbeTerminationGracePeriod feature tag on test

…havior-tests e2e: deflake a HPA CPU test by stabilizing cpu consumption

…racePeriod-bug fix terminationGracePeriod blocked by preStop

Added e2e_node test for sigkilled pods exit code and exit reason check

Removed NodeFeature:DynamicResourceAllocation label from the tests to fix cos-cgroupv1/v2-containerd-node-e2e-serial CI jobs. It turned out that labeling DRA Node tests as NodeFeature was a mistake. Re-labeling with NodeAlphaFeature would not work either. It would fail certain containerd jobs as DRA requires containerd >= 1.7

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

…ty_checks kmsv2: add sanity checks and refine probing logic

use ingress-gce-glbc v1.23.1 image for CI

check before you sudo on AWS EC2 instances

…e-NodeFeature DRA Node E2E: remove NodeFeature label

…flags Update container runtime flags to use containerd instead of docker

…gible_endpoints.yaml-to-match-APISnoop Update pending_eligible_endpoints.yaml to match APISnoop

…g-cleaning Mount utils spring cleaning and optimization

Signed-off-by: bzsuni <bingzhe.sun@daocloud.io>

Return name instead whole volume when error occurred in csi-translation

…deprecation-warning Fix ginkgo noColor deprecation warning

Make CA valid 1 hour in the past

Add warnings for big number of completions and parallelism

AddOrUpdateTaintOnNode: if node does not exists, return an error

…eBug added known issue for 1.27 release

…indows Added support for image credential provider for windows and arm64 on gce

…ff-cleanup Cleanup job controller handling of backoff

…_updates Updating names from webhookconversion to conversionwebhook for apiserver

- drop versions < 1.22 in the etcd map - use 3.5.9-0 for >= 1.22 versions - make the minimum version for external etcd 3.4.13-4 and max 3.5.9-0 - update images_test to not rely on a pinned etcd version in tests note: the image 3.4.18-0 was never released in registry.k8s.io!

Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>

[dependencies] update prometheus/client_golang v1.14.0 to v1.16.0

…-fixup kubeadm: drop older etcd versions from kubeadm support

Update toplogy keyset initialization

…-duration Make use of `k8s.io/utils/pointer.Duration`

…tests Replace deprecated sets.Int with sets.Set[int] in Job integration tests

…efault-backoff Set small DefaultJobPodFailureBackOff in Job integration tests

Change-Id: I27da7cae741935da6f0815639a54bfd597a2a6c6

Change-Id: Idf4d0ed7e09cf14323567381de158041236680b0

…pectations Fix race in logging expectations

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

…for-e2e-node-jobs Do not prepull images for e2e-node jobs

…amespaces handle event errors caused due to terminating namespaces

OpenShift-Rebase-Source: 29eea3c

…oups for internal load balancers UPSTREAM: 84466: legacy-cloud-providers/gce/gce_fake.go: NewFakeGCECloud: make sure that the secondary zone is also part of managedZones UPSTREAM: 84466: gce: ensureInternalInstanceGroups: reuse instance-groups for internal load balancers UPSTREAM: 84466: gce: add ExternalInstanceGroupsPrefix to filter instance groups that will be re-used for ILB backend UPSTREAM: 84466: gce: skip ensureInstanceGroup for a zone that has no remaining nodes for k8s managed IG OpenShift-Rebase-Source: a58245a

OpenShift-Rebase-Source: 5a2488c

UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI Revise as per openshift/kubernetes-apiserver#12 OpenShift-Rebase-Source: 26005f1

UPSTREAM: <carry>: prevent apiservice registration by CRD controller when delegating UPSTREAM: <carry>: prevent CRD registration from fighting with APIServices UPSTREAM: <carry>: always delegate namespaced resources OpenShift-Rebase-Source: d4cd0ba

…en it exists OpenShift-Rebase-Source: 1a1d469

…trap SDN when SDN is down UPSTREAM: <carry>: use hardcoded rest mapper from library-go OpenShift-Rebase-Source: a00f75d

Extend the NodeLogQuery feature to support oc adm node-logs options: - Default NodeLogQuery feature gate to true - Add support for --since, --until, --case-sensitive, --output, options

Fix handling of the "until" parameter when generating the journalctl command. This was incorrectly being passed with the "since" value.

…signer to token controller :100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go OpenShift-Rebase-Source: 891b28f

…ontroller-manager UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager UPSTREAM: <carry>: (squash) remove egressnetworkpolicies from gc ignored resources egressnetworkpolicies should not be in garbage collector ignored resources, so users can delete them using "--cascade=foreground" flag. Signed-off-by: Flavio Fernandes <flaviof@redhat.com> OpenShift-Rebase-Source: 6c1dee4 UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager

…rces from quota OpenShift-Rebase-Source: 7d2a074

…ly to admission plugin OpenShift-Rebase-Source: dd3aeca

…options UPSTREAM: <carry>: kube-apiserver: allow rewiring OpenShift-Rebase-Source: 56b49c9 OpenShift-Rebase-Source: bcf574c

OpenShift-Rebase-Source: 2260f01

The upstream can't enable this, but we need to do so in order to properly validate that cluster upgrades retain availability. OpenShift-Rebase-Source: 0385e16

UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator UPSTREAM: <drop>: remove the openshift authenticator from the apiserver In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove. UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec UPSTREAM: <carry>: stop overriding flags that are explicitly set UPSTREAM: <carry>: add readyz check for openshift apiserver availability UPSTREAM: <carry>: wait for oauth-apiserver accessibility UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that: 1. are in an allowed namespace 2. and have the workload annotation. It also sets the new management resource request and limit and set resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703 Conditions for CPUs requests deletion: 1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management" 2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}" 3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores" 4. The CPU request deletion will not change the pod QoS class UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check. UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit. UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type It is possible a race condition between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology. UPSTREAM: <carry>: add CRD validation for dnses Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters. This commit fixes bug 1967745. https://bugzilla.redhat.com/show_bug.cgi?id=1967745 * openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme. * openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin. * openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file. (PluginName): New const. (Register): New function. Register the plugin. (toDNSV1): New function. Convert a runtime object to a versioned DNS. (dnsV1): New type to represent a runtime object that is validated as a versioned DNS. (ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers. (validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper. (validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper. (validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations. (validateTolerations): New function. Validate a slice of corev1.Toleration. * openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file. (TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs. (TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs. * vendor/*: Regenerate. UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis UPSTREAM: <carry>: verify required http2 cipher suites In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash. See: go/x/net/http2.ConfigureServer for futher information. UPSTREAM: <carry>: drop the warning to use --keep-annotations When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass `--keep-annotations` parameter to the debug command. UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install. UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled UPSTREAM: <carry>: use new access token inactivity timeout field. UPSTREAM: <carry>: apirequestcount validation UPSTREAM: <carry>: Added config node object validation for extreme latency profiles UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well Moved SkipSystemMasterAuthorizers to the authorizer. UPSTREAM: <carry>: Add validation plugin for CRD-based route parity. UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes. UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes. Signed-off-by: Artyom Lukianov <alukiano@redhat.com> Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com> Signed-off-by: Swarup Ghosh <swghosh@redhat.com> OpenShift-Rebase-Source: 932411e OpenShift-Rebase-Source: 1899555 OpenShift-Rebase-Source: 453583e OpenShift-Rebase-Source: bf7e23e UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin The CSIInlineVolumeSecurity admission plugin inspects inline CSI volumes on pod creation and compares the security.openshift.io/csi-ephemeral-volume-profile label on the CSIDriver object to the pod security profile on the namespace. OpenShift-Rebase-Source: a65c34b UPSTREAM: <carry>: add icsp,idms,itms validation reject creating icsp with idms/itms exist Reject icsp with idms.itms resources exists. According to the discuusion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing, one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster. Signed-off-by: Qi Wang <qiwan@redhat.com> UPSTREAM: <carry>: node admission plugin for cpu partitioning The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative. This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning For more information see - openshift/enhancements#1213 Signed-off-by: ehila <ehila@redhat.com>

…ndler chain UPSTREAM: <carry>: use lifeCycleSignals for isTerminating OpenShift-Rebase-Source: a736659

UPSTREAM: <carry>: apiserver: log new connections during termination UPSTREAM: <carry>: apiserver: create LateConnections events on events in the last 20% of graceful termination time UPSTREAM: <carry>: apiserver: log source in LateConnections event UPSTREAM: <carry>: apiserver: skip local IPs and probes for LateConnections UPSTREAM: <carry>: only create valid LateConnections/GracefulTermination events UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: apiserver: create hasBeenReadyCh channel UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready UPSTREAM: <carry>: fix termination event(s) validation failures UPSTREAM: <carry>: during the rebase collapse to create termination event it makes recording termination events a non-blocking operation. previously closing delayedStopCh might have been delayed on preserving data in the storage. the delayedStopCh is important as it signals the HTTP server to start the shutdown procedure. it also sets a hard timeout of 3 seconds for the storage layer since we are bypassing the API layer. UPSTREAM: <carry>: rename termination events to use lifecycleSignals OpenShift-Rebase-Source: 15b2d2e

OpenShift-Rebase-Source: 439ec41

OpenShift-Rebase-Source: a137009

OpenShift-Rebase-Source: b9a8eb6

UPSTREAM: <carry>: Remove a redundant output in the tests This line is not necessary for our test usage and should not be an issue in OpenShift (openshift-tests already verifies this correctly). UPSTREAM: <carry>: Remove excessive logging during e2e upgrade test This line makes the upgrade log output unreadable and provides no value during the set of tests it's used in: ``` Jan 12 20:49:25.628: INFO: cluster upgrade is Progressing: Working towards registry.svc.ci.openshift.org/ci-op-jbtg7jjb/release@sha256:144e73d125cce620bdf099be9a85225ade489a95622a70075d264ea3ff79219c: downloading update Jan 12 20:49:26.692: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success Jan 12 20:49:28.727: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success ``` OpenShift-Rebase-Source: 8e73298

…y running test OpenShift uses these function before any test is run and they cause NPE OpenShift-Rebase-Source: 834af76

…etup UPSTREAM: 90452: refactor/improve CRD publishing e2e tests in an HA setup OpenShift-Rebase-Source: 51aeef3 OpenShift-Rebase-Source: 7fbb6a4

UPSTREAM: <carry>: Copy hack scripts and tools from openshift/origin UPSTREAM: <carry>: Fix shellcheck failures for copied openshift-hack bash UPSTREAM: <carry>: Enable build, test and verify UPSTREAM: <carry>: Copy README content from origin UPSTREAM: <carry>: Copy watch-termination command from openshift/origin UPSTREAM: <carry>: Switch image and rpm build to golang 1.14 UPSTREAM: <carry>: Copy test annotation from origin UPSTREAM: <carry>: Build openshift-compatible kube e2e binary UPSTREAM: <carry>: Updating openshift-hack/images/hyperkube/Dockerfile.rhel baseimages to mach ocp-build-data config UPSTREAM: <carry>: Update test annotation rules UPSTREAM: <carry>: Enable k8s-e2e-serial UPSTREAM: <carry>: Update test annotation rules UPSTREAM: <carry>: Build with golang 1.15 UPSTREAM: <carry>: (squash) Stop installing recent bash and protoc from source UPSTREAM: <carry>: Add rebase instructions UPSTREAM: <carry>: (squash) Update README.openshift to reflect transition UPSTREAM: <carry>: (squash) Stop annotating origin tests with [Suite:openshift] The detection logic was error-prone (different results based on the repo existing in GOPATH vs not) and whether a test comes from origin can be inferred from the absence of the `[Suite:k8s]` tag. UPSTREAM: <carry>: (squash) Update hyperkube version UPSTREAM: <carry>: (squash) Update OpenShift docs UPSTREAM: <carry>: watch-termination: fix deletion race and write non-graceful message also to termination.log UPSTREAM: <carry>: watch-termination: avoid false positives of NonGracefulTermination events UPSTREAM: <carry>: (squash) remove servicecatalog e2e that was dropped upstream UPSTREAM: <carry>: (squash) Fix annotation rules UPSTREAM: <carry>: (squash) Fix image refs UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube builder & base images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/b0ab44b419faae6b18e639e780a1fa50a1df8521/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: (squash) Retry upstream flakes UPSTREAM: <carry>: (squash) Update test exclussions for 1.20.0 UPSTREAM: <carry>: (squash) Add detail to rebase doc - Add new section 'Maintaining this document' - Move checklist above the instructions to emphasize their importance - Add new section 'Reacting to new commits' - Mention that generated changes in carries should be dropped UPSTREAM: <carry>: Enable CSI snapshot e2e tests All images were uploaded to our quay.io mirror and the tests should succeed. UPSTREAM: <carry>: Stop skipping multi-az test (skipped upstream) UPSTREAM: <carry>: bump tag version & update rebase doc UPSTREAM: <carry>: update rebase doc & image UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: Add Dockerfile to build pause image Ensuring the target directory exists before writing a file to it. UPSTREAM: <carry>: disable part of hack/verify-typecheck-providerless.sh due to our carry patches UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: Add process overlap detection event to watch-termination NOTE: Squash this to watch-termination commit on rebase. UPSTREAM: <carry>: openshift-hack/images/os/Dockerfile: Add io.openshift.build.versions, etc. For example, consider the current 4.10 RHCOS: $ oc image info -o json registry.ci.openshift.org/ocp/4.10:machine-os-content io.k8s.description: The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly. io.k8s.display-name: Red Hat Universal Base Image 8 io.openshift.build.version-display-names: machine-os=Red Hat Enterprise Linux CoreOS io.openshift.build.versions: machine-os=49.84.202109102026-0 io.openshift.expose-services: io.openshift.tags: base rhel8 A bunch of those seem to be inherited from the UBI base image, so we can leave them alone. But the io.openshift.build.* entries are RHCOS-specific, and are consumed by 'oc adm release new ...' [1,2] and friends to answer questions like "which RHCOS is in this release?": $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.8.12-x86_64 { "kubernetes": { "Version": "1.21.1", "DisplayName": "" }, "machine-os": { "Version": "48.84.202109100857-0", "DisplayName": "Red Hat Enterprise Linux CoreOS" } } Setting this label will avoid failures when consumers like driver-toolkit's version consumer [3]: name: 0.0.1-snapshot-machine-os bump into ci-tools-built machine-os-content images that lack the io.openshift.build.versions declaration of machine-os version [4]: error: unable to create a release: unknown version reference "machine-os" I've gone with generic testing values, so hopefully this is not something that local maintainers need to remember to bump for each OpenShift z stream. [1]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/image_mapper.go#L328-L334 [2]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/annotations.go#L19-L28 [3]: openshift/driver-toolkit@464acca#diff-4caed9b2b966a8fa7a016ae28976634a2d3d1b635c4e820d5c038b2305d6af53R18 [4]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/959/pull-ci-openshift-kubernetes-master-images/1438398678602616832#1:build-log.txt%3A97 UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: squash with the rest of tooling UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: rebase script UPSTREAM: <carry>: Fix networking-related test exclusions Tests that fail on openshift-sdn specifically should be tagged as such, so that they don't also get skipped when running under ovn-kubernetes or third-party network plugins. UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379 in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be cleanly unmounted, gets "Stale file handle" error instead on umount. As a result this test is permafailing on Fedora CoreOS nodes. UPSTREAM: <carry>: Skip GlusterFS tests GlusterFS is not supported in 4.x, we've been running its tests just because we could. Now it does not work on IPv6 systems. E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported) UPSTREAM: <carry>: Skip GlusterFS tests The previous commit left two GlusterFS test still running: [sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s] [sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes Skip it, we don't support Gluster and it does not work on ipv6 UPSTREAM: <carry>: 1.22 alpha & other tests disablement UPSTREAM: <carry>: 1.21 alpha & other tests disablement UPSTREAM: <carry>: Enable GenerciEphemeralVolume tests UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase UPSTREAM: <carry>: Reenable NetworkPolicy test UPSTREAM: <carry>: Conformance tests (sysctls) should be run We have to run this test for conformance, and the tests pass. Reenable this block which has been disabled for 2 releases (but appears to work fine). UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests Instead, openshift-tests will enable or disable them depending on cluster configuration. UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name This test was renamed upstream in kubernetes@006dc74 UPSTREAM: <carry>: re-enable networking tests after rebase During a bump to k8 ver. 1.22.0, networking tests were disabled to accomplish the bump. This disabled netpol and older network tests. Netpol tests will be enabled in a following PR and therefore only partially fixes BZ. This commit partially fixes bug 1986307. https://bugzilla.redhat.com/show_bug.cgi?id=1986307 UPSTREAM: <drop>: update test annotate rules UPSTREAM: <carry>: Add DOWNSTREAM_OWNERS UPSTREAM: <carry>: clarify downstream approver rules UPSTREAM: <carry>: copy extensions into resulting image UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning Master nodes already have `master` taint which cannot be tolerated by normal workloads. If we manually cordon the master nodes again, some of the control plane components cannot get rescheduled unless they have toleration to the `node.kubernetes.io/unschedulable` taint. Even if we have the toleration in the pod spec, because of the backwards compability issues scheduler will ignore nodes which have `unschedulable` field set. IOW: - Cordoning master nodes is redundant as masters already have taints - Cordoning master nodes can cause issues which are hard to debug as control-plane components may be evicted/preempted during e2e run(highly unlikely but a possibility). So, let's stop cordoning master nodes. UPSTREAM: <carry>: enable internal traffic policy tests Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1986307 UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: enable e2e test after 1.23 rebase in sdn Enable "[sig-network] Conntrack should be able to preserve UDP traffic when initial unready endpoints get ready" after 1.23 rebase in openshift/sdn UPSTREAM: <carry>: Unskip OCP SDN related tests Unskip networkPolicy tests concerning IpBlock and egress rules since both features have now been implemented. UPSTREAM: <carry>: enable should drop INVALID conntrack entries test UPSTREAM: <carry>: update e2es UPSTREAM: revert: <carry>: Unskip OCP SDN related tests These newly-enabled tests are breaking some CI, possibly due to race conditions in the tests. Re-disable them for now. This reverts commit aba8d20. UPSTREAM: <carry>: update hyperkube and image version UPSTREAM: <drop>: disable e2e tests - disable 'ProxyTerminatingEndpoints' feature e2e tests - disable [sig-network] [Feature:Topology Hints] should distribute endpoints evenly see https://bugzilla.redhat.com/show_bug.cgi?id=2079958 for more context UPSTREAM: <carry>: Add kubensenter to the openshift RPM This carry-patch adds the kubensenter script to the openshift-hyperkube RPM, by importing it via the new hack/update-kubensenter.sh script. UPSTREAM: <carry>: Skip session affinity timeout tests in 4.12 and higher the default CNI is OVNKubernetes and these two tests do not pass. Skip them. They are also skipping in the origin test suites for ovnk. UPSTREAM: <carry>: Update kubensenter to use exec instead of direct call Because kubelet relies on systemd's Type=notify mechanism, we don't need or want kubensenter to keep itself in the process tree. exec is best. UPSTREAM: <carry>: update to ginkgo v2 - squash to tooling UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: allow annotating with a specific suite If a test specifies a suite, don't append another one to it. We want the ability to add tests to a particular suite without automatically being added to parallel conformance. UPSTREAM: <carry>: Ensure balanced brackets in annotated test names We recently started marking tests with apigroups, and in one case we missed the closing bracket on the annotation resulting in the test being erroneously skipped. This adds a check in the annotation generation, and errors when brackets are unbalanced. ``` Example: $ ./hack/verify-generated.sh FAILURE after 12.870s: hack/verify-generated.sh:13: executing '/home/stbenjam/go/src/github.com/openshift/origin/hack/update-generated.sh' expecting success: the command returned the wrong error code Standard output from the command: Nov 4 14:11:25.026: INFO: Enabling in-tree volume drivers Nov 4 14:11:25.026: INFO: Warning: deprecated ENABLE_STORAGE_GCE_PD_DRIVER used. This will be removed in a future release. Use --enabled-volume-drivers=gcepd instead Nov 4 14:11:25.026: INFO: Enabled gcepd and windows-gcepd in-tree volume drivers Standard error from the command: failed: unbalanced brackets in test name: [Top Level] [sig-scheduling][Early] The openshift-console console pods [apigroup:console.openshift.io should be scheduled on different nodes ^ ``` UPSTREAM: <carry>: add CSI migration feature gates for vSphere and Azure File This commit is the next natural step for commits 2d9a8f9 and d37e84c. It introduces custom feature gates to enable the CSI migration in vSphere and Azure File plugins. See openshift/enhancements#549 for details. Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAzureFile / features.CSIMigrationVSphere are GA). UPSTREAM: <carry>: Skip in-tree topology tests win Azure Disk migrated to CSI Skip test that depend on in-tree Azure Disk volume plugin that (wrongly) uses failure domains for value of "topology.kubernetes.io/zone" label in Azure regions that don't have availability zones. Our e2e tests blindly use that label and expect that a volume provisioned in such a "zone" can be used only by nodes in that "zone" (= topology domain). This is false, Azure Disk CSI driver can use such a volume in any zone and therefore the test may randomly fail. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2066865 UPSTREAM: <carry>: Stop ignoring generated openapi definitions openshift/origin needs to be able to vendor these definitions so they need to be committed. Signed-off-by: astoycos <astoycos@redhat.com> Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com> Signed-off-by: Jim Ramsay <jramsay@redhat.com> Signed-off-by: Martin Kennelly <mkennell@redhat.com> Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com> Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> OpenShift-Rebase-Source: 514f181 OpenShift-Rebase-Source: 87e220b OpenShift-Rebase-Source: b25e156 OpenShift-Rebase-Source: 2256387 OpenShift-Rebase-Source: e4d66c1 OpenShift-Rebase-Source: 5af594b UPSTREAM: <carry>: disable tests for features in alpha UPSTREAM: <carry>: disable tests dependent on StackDriver UPSTREAM: <carry>: add default sysctls for kubelet in rpm UPSTREAM: <carry>: add new approvers UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update hyperkube image version UPSTREAM: <carry>: update hyperkube image version Updated builder as well. UPSTREAM: <carry>: add missing generated file UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs

OpenShift-Rebase-Source: 7bf2f1f

… allowed node labels Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work. UPSTREAM: <carry>: add control plane to allow roles OpenShift-Rebase-Source: 38bfed3 OpenShift-Rebase-Source: aff4434

OpenShift-Rebase-Source: e1e2042

… one UPSTREAM: <carry>: kube-apiserver: set up separate signal handler functions to ignore further signals This patches the changes from openshift#558 to provide these new functions without changing the behavior for other repos that depend on them, such as library-go. OpenShift-Rebase-Source: 63ed200

…gated apiservers OpenShift-Rebase-Source: d8adc09

OpenShift-Rebase-Source: 5ab0f5e

…lures of important pods UPSTREAM: <carry>: provide unique reason for pod probe event during termination OpenShift-Rebase-Source: 01542fc

…ocalhost to force KS to use localhost set the following flag in kubescheduler (oc edit kubescheduler cluster) unsupportedConfigOverrides: arguments: unsupported-kube-api-over-localhost:: - "true" UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost-squash to other This commit is addendum to openshift@04eabe5 to stop using cc and start relying on scheduler config options OpenShift-Rebase-Source: aa9dde2 UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost

UPSTREAM: <carry>: management workloads enhancement 741 UPSTREAM: <carry>: lower verbosity of managed workloads logging Support for managed workloads was introduced by PR#627. However, the the CPU manager reconcile loop now seems to flood kubelet log with "reconcileState: skipping pod; pod is managed" warnings. Lower the verbosity of these log messages. UPSTREAM: <carry>: set correctly static pods CPUs when workload partitioning is disabled UPSTREAM: <carry>: Remove reserved CPUs from default set Remove reserved CPUs from default set when workload partitioning is enabled. Co-Authored-By: Brent Rowsell <browsell@redhat.com> Signed-off-by: Artyom Lukianov <alukiano@redhat.com> Signed-off-by: Don Penney <dpenney@redhat.com> OpenShift-Rebase-Source: b762ced OpenShift-Rebase-Source: 63cf793 OpenShift-Rebase-Source: 32af64c UPSTREAM: <carry>: add management support to kubelet

OpenShift-Rebase-Source: 4d74b77

…localhost to force KCM to use localhost set the following flag in kubecontrollermanager (oc edit kubecontrollermanager cluster) unsupportedConfigOverrides: extendedArguments: unsupported-kube-api-over-localhost: - "true" OpenShift-Rebase-Source: 036b11c UPSTREAM: <carry>: allows for switching KCM to talk to Kube API over localhost

OpenShift since 3.x has injected the service serving certificate ca (service ca) bundle into service account token secrets. This was intended to ensure that all pods would be able to easily verify connections to endpoints secured with service serving certificates. Since breaking customer workloads is not an option, and there is no way to ensure that customers are not relying on the service ca bundle being mounted at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, it is necessary to continue mounting the service ca bundle in the same location in the bound token projected volumes enabled by the BoundServiceAccountTokenVolume feature (enabled by default in 1.21). A new controller is added to create a configmap per namespace that is annotated for service ca injection. The controller is derived from the controller that creates configmaps for the root ca. The service account admission controller is updated to include a source for the new configmap in the default projected volume definition. UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens OpenShift-Rebase-Source: d69d054

… to apiserver_request_total UPSTREAM: <carry>: apiserver: add cluster-policy-controller to system client in apiserver_request_total OpenShift-Rebase-Source: d86823d UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total Fix TestOpenAPIRequestMetrics unit test.

OpenShift-Rebase-Source: 6386eb2

…olumn The logic is not exressible via JSONPath. Hence, if we want this, we have to help a little with this custom column writer. OpenShift-Rebase-Source: 633a422

Upstream worked on under kubernetes#102868 OpenShift-Rebase-Source: 5032546

…iserver OpenShift-Rebase-Source: fb90ed6

…gration test OpenShift-Rebase-Source: 2f4c829 UPSTREAM: 103612: tolerate additional, but congruent, events for integration test

…a.crt for migration compatibility OpenShift-Rebase-Source: bf2b5fa

…ted edit role" OpenShift has an admission controller to prevent restricted Endpoints changes, and there's no reason to block non-restricted changes (such as modifying the annotations of an Endpoints, which is done by "oc idle"). This reverts commit 416efda. OpenShift-Rebase-Source: 239b9ed

UPSTREAM: <carry>: change opt-in due to upstream revert OpenShift-Rebase-Source: cd08005

OpenShift-Rebase-Source: 3b2555a

… for GC and Namespace controllers In general, setting the header will result in getting 429 when the server hasn't been ready. This prevents certain controllers like GC, Namespace from accidentally removing resources when the caches haven't been fully synchronized. OpenShift-Rebase-Source: 2ebf199

UPSTREAM: <carry>: Force releasing the lock on exit for KS squash with UPSTREAM: <carry>: Release lock on KCM and KS termination OpenShift-Rebase-Source: fc91252 UPSTREAM: <carry>: Release lock on KCM and KS termination

OpenShift-Rebase-Source: 2e5064e

In the tests, we oftentimes create pods directly by the administrative user and so their SCC-related privileges are being used to create the pods. The PSa label syncher however works by introspecting SAs in each namespace, and since the SAs in the direct pod creation use-cases don't have the SCC-related privileges, the labelsyncer evaluates these namespaces as "restricted" because only the "restricted-v2" SCC is ever assigned in the namespaces. This breaks tests where pods are created directly. OpenShift-Rebase-Source: 4b7ae56

…vice account token should be auto-generated OpenShift-Rebase-Source: a031438

…eady OpenShift-Rebase-Source: fc3523f

… changes that SCC will eventually make to the pod UPSTREAM: <carry>: pod-security: don't fail on SCC admission error If we propagate SCC admission error during pod extraction to PodSecurity admission, the latter will log the error instead of continuing with unmutated pod spec, and so we will not get a validation error in either the audit logs or as a warning. OpenShift-Rebase-Source: 6fe5c8f OpenShift-Rebase-Source: b4e019f UPSTREAM: <carry>: SCC pod extractor: assume default SA if SA is empty

UPSTREAM: <carry>: disable failing dnsPolicy test

We can drop this patch after the following two PRs merge (or their equivalent): * kubernetes#115342 * kubernetes#113145 UPSTREAM: <carry>: kubelet: fix readiness probes with pod termination

We need this in order to be able to retrieve better reports from PodSecurityViolation alerts. UPSTREAM: <carry>: PSa metrics: unset ocp_namespace on non-platform namespaces

…aged is enabled Previously, cpu load balancing was enabled in cri-o by manually changing the sched_domain of cpus in sysfs. However, RHEL 9 dropped support for this knob, instead requiring it be changed in cgroups directly. To enable cpu load balancing on cgroupv1, the specified cgroup must have cpuset.sched_load_balance set to 0, as well as all of that cgroup's parents, plus all of the cgroups that contain a subset of the cpus that load balancing is disabled for. By default, all cpusets inherit the set from their parent and sched_load_balance as 1. Since we need to keep the cpus that need load balancing disabled in the root cgroup, all slices will inherit the full cpuset. Rather than rebalancing every cgroup whenever a new guaranteed cpuset cgroup is created, the approach this PR takes is to set load balancing to disabled for all slices. Since slices definitionally don't have any processes in them, setting load balancing won't affect the actual scheduling decisions of the kernel. All it will do is open the opportunity for CRI-O to set the actually set load balancing to disabled for containers that request it. Signed-off-by: Peter Hunt <pehunt@redhat.com>

UPSTREAM: <carry>: Change annotation mechanics to allow injecting testMaps and filter out tests UPSTREAM: <carry>: Move k8s-specific rules to our fork UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests

If it is useful we will combine this with the following carry: 20caad9: UPSTREAM: 115328: annotate early and late requests

…util/managedfields Some of the code we use in openshift-tests was recently made internal in kubernetes#115065. This patch exposes the code we need there.

…rs from lb when unready workaround to mitigate issue: kubernetes-sigs/cloud-provider-azure#3500 bug: https://issues.redhat.com/browse/OCPBUGS-7359 UPSTREAM: <carry>: legacy-cloud-providers: azure: use kube-proxy based health probes by default See issue: kubernetes-sigs/cloud-provider-azure#3499 bug: https://issues.redhat.com/browse/OCPBUGS-7359

…hen using static cpu manager policy There are situations where cpu load balance disabling is desired when the kubelet is not in managed state. Instead of using that condition, set the cpu load balancing parameter for new slices when the cpu policy is static Signed-off-by: Peter Hunt <pehunt@redhat.com>

Add CSI mock volume tests. In upstream these tests were moved to a different package, so we stopped generating their names in OpenShift. This patch fixes that.

Disable CSI mock tests for SELinux and RecoverVolumeExpansionFailure, which are alpha features and require additional work to get enabled.

…options

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DO NOT MERGE: Update to tip of kubernetes/kubernetes #1613

DO NOT MERGE: Update to tip of kubernetes/kubernetes #1613

Commits on Jun 7, 2023

Commits on Jun 8, 2023

Commits on Jun 9, 2023

Commits on Jun 10, 2023

Commits on Jun 11, 2023

Commits on Jun 12, 2023

Commits on Jun 13, 2023

Commits on Jun 14, 2023

Commits on Jun 15, 2023

Commits on Jun 16, 2023

Commits on Jun 18, 2023

Commits on Jun 19, 2023

Commits on Jun 20, 2023