OCPNODE-1892: Rebase 1.29.0 #1815
Commits on Nov 1, 2023
-
Use golang library instead of mklink
Signed-off-by: James Sturtevant <jstur@microsoft.com>
Commits on Nov 2, 2023
-
Merge pull request kubernetes#121686 from logicalhan/update-inst-docs
update docs for v1.29 release (note this must be committed after code freeze)
-
Merge pull request kubernetes#119762 from AxeZhan/PollUntilContextCancel
wait.PollUntilContextCancel immediately executes condition once
-
test/e2e_kubeadm: add test for the kubeadm:cluster-admins CRB
Add a test that checks if the CRB (kubeadm:cluster-admins) used for binding admin.conf file users (part of the kubeadm:cluster-admins Group) to the "cluster-admins" ClusterRole exists in kubeadm clusters. It does that only for versions newer than the version when this feature was added.
-
Merge pull request kubernetes#121393 from mimowo/backoff-limit-per-index-load-test
Benchmark job with backoff limit per index
-
Merge pull request kubernetes#121674 from neolit123/1.29-super-admin-conf
test/e2e_kubeadm: add test for the kubeadm:cluster-admins CRB
-
Merge pull request kubernetes#121566 from mzaian/etcd-3510
etcd: Update to version 3.5.10
-
Merge pull request kubernetes#121653 from tkashem/apf-conformance-test
Add conformance tests for flowcontrol APIs
-
Merge pull request kubernetes#120616 from kannon92/kubelet-disk-api-changes
Kubelet disk api changes
-
Merge pull request kubernetes#121633 from mimowo/backoff-limit-per-index-remaining-e2e-test
Add remaining e2e tests for Job BackoffLimitPerIndex based on KEP
-
framework: add SSH support for Azure
Add Azure to the list of providers that support accessing nodes using SSH. Note: This will require a follow up PR adding the required environment variables, AZURE_SSH_KEY, KUBE_SSH_BASTION to the test configuration.
-
[StructuredAuthn] Ensure empty fields of user object are accessible by CEL
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
-
Commits on Nov 3, 2023
-
Merge pull request kubernetes#121705 from liggitt/authz-config-webhook-test
Add multi-webhook integration test
-
Merge pull request kubernetes#121709 from aramase/aramase/f/authn_user_info_fix
[StructuredAuthn] Ensure empty fields of user object are accessible by CEL
-
Make EnablePodSchedulingReadiness public
Signed-off-by: kerthcet <kerthcet@gmail.com>
-
Add kubernetes.io/hostname to faked nodes in tests
Signed-off-by: kerthcet <kerthcet@gmail.com>
-
test/e2e_kubeadm/dns_addon_test.go: drop kube-dns tests
kube-dns as an alternative DNS addon to CoreDNS hasn't been supported since 1.22 when kubeadm's v1beta3 API was added. Remove the related tests from the e2e_kubeadm test framework.
-
Store nodes before calling EnsureLoadBalancer
I am having difficulties convincing myself if this is better or worse. I didn't implement this originally because I didn't want to store nodes that we weren't sure we've configured. However: if EnsureLoadBalancer fails we should retry the call from the service controller. Doing it like this might save us one update call from the node controller side for calls which have already started executing from the service controller's side...is this really that expensive at this point though? Is it really that dangerous to not do either, given that we retry failed calls? Ahhhhh!!! Opinions, please! Help, please!
-
Merge pull request kubernetes#121583 from bzsuni/fix/e2e/apimachinery
Fix the e2e bug related to the Garbage collector in api-machinery
-
Merge pull request kubernetes#121679 from bzsuni/fix/integration/apiserver/discovery/service-go/WaitForReady
Fix parameter passing error in function WaitForReady in file test/integration/apiserver/discovery
-
Merge pull request kubernetes#121717 from neolit123/1.29-cleanup-kube-dns-service-e2e-tests
test/e2e_kubeadm/dns_addon_test.go: drop kube-dns tests
-
scheduler: fix performance regression at -v3 + contextual logging
The logging instrumentation for contextual logging that was added for 1.29 slowed down the scheduler (i.e. logging verbosity <= 3) by a significant percentage (-28.66% for SchedulingBasic/5000Nodes at -v3) if (and only if!) contextual logging was enabled. Retrieving the logger from the context causes no measurable slowdown, it's only the various WithName/WithValues calls which cause this. By being more careful about when to use those, the performance impact can be avoided:
- At -v3 or lower, only `WithValues("pod")` is used once per scheduling cycle. This has the intended effect that all log messages for the cycle include the pod information. Once contextual logging is GA, "pod" key/value pairs can be removed from all log calls.
- At -v4 or higher, richer log entries get produced where `WithValues` is also used for the node (when applicable) and `WithName` is used for the current operation and plugin.
With these changes, enabling contextual logging causes no measurable slowdown at -v3 or lower. At -v4, the slowdown depends on the test case (-30.51% throughput for SchedulingBasic/5000Nodes, no change for SchedulingCSIPVs/5000Nodes). For some unknown reason (measuring bias?), SchedulingCSIPVs/500Nodes has a ~3% *higher* throughput with contextual logging.
-
Merge pull request kubernetes#121394 from pohly/e2e-framework-test-labels
e2e: test labels
-
Define ClusterTrustBundlePEM projected volume
This commit defines the ClusterTrustBundlePEM projected volume types. These types have been renamed from the KEP (PEMTrustAnchors) in order to leave open the possibility of a similar projection drawing from a yet-to-exist namespaced-scoped TrustBundle object, which came up during KEP discussion.
* Add the projection field to internal and v1 APIs.
* Add validation to ensure that usages of the project must specify a name and path.
* Add TODO covering admission control to forbid mirror pods from using the projection.
Part of KEP-3257.
-
Merge pull request kubernetes#121715 from pohly/scheduler-logging-with-instrumentation
scheduler: fix performance regression at -v3 + contextual logging
-
cmd/kubelet: fix overriding default KubeletConfig fields in drop-in configs if not set
This commit resolves an issue where certain KubeletConfig fields, specifically:
- FileCheckFrequency
- VolumeStatsAggPeriod
- EvictionPressureTransitionPeriod
- Authorization.Mode
- EvictionHard
were inadvertently overridden when not explicitly set in drop-in configs. To retain the original values if they were absent in the drop-in configs, mergeKubeletConfigurations uses a JSON patch merge strategy to selectively merge configurations. It prevents essential configuration settings from being overridden, ensuring a more predictable behavior for users.
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
Co-authored-by: Peter Hunt <pehunt@redhat.com>
-
test/e2e_node: add e2e test for Kubeletconfig drop-in dir
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
Co-authored-by: Peter Hunt <pehunt@redhat.com>
-
- Remove redundant tests
- Fix formatting of the query command by using fmt.Sprintf to prevent spurious characters from being introduced
- Fix running of the journalctl command on the node by adding the default options
- Restrict running the tests on a single node
-
Merge pull request kubernetes#121193 from sohankunkerkar/kubelet-config-dir
Retarget drop-in kubelet configuration dir feature to Alpha
Commits on Nov 4, 2023
-
Merge pull request kubernetes#113374 from ahmedtd/kep-3257-projected-types
Implement ClusterTrustBundlePEM projected volume
-
Merge pull request kubernetes#121034 from alexzielenski/apiserver/apiextensions/ratcheting-oldself-create
KEP-4008: CRDValidationRatcheting: Add support for optional `oldSelf`
-
Merge pull request kubernetes#121708 from aravindhp/add-azure-framework-ssh-provider
framework: add SSH support for Azure
Commits on Nov 6, 2023
-
Unregister events in schedulingGates plugin
Signed-off-by: kerthcet <kerthcet@gmail.com>
-
kubeadm: ensure the kubelet and kube-apiserver wait checks go first
The addition of the "super-admin.conf" functionality required init.go's Client() to create RBAC rules on its first creation. However this created a problem with the "wait-control-plane" phase of "kubeadm init" where a client is needed to connect to the API server Discovery API's "/healthz" endpoint. The logic that ensures the RBAC became the step where the API server wait was polled for. To avoid this, introduce a new InitData function ClientWithoutBootstrap. In "wait-control-plane" use this client, which has no permissions (anonymous), but is sufficient to connect to the "/healthz". Pending changes here would be:
- Stop using the "/healthz", instead a regular REST client from the kubelet cert/key can be constructed.
- Make the wait for kubelet / API server linear (not in go routines).
-
Merge pull request kubernetes#121743 from neolit123/1.29-super-admin-conf
kubeadm: ensure the kubelet and kube-apiserver wait checks go first
-
Merge pull request kubernetes#121700 from kannon92/fix-summary-more
missed a few summary upper limits for major page faults
Commits on Nov 7, 2023
-
Self nominate Kevin Hannon for reviewer for job controller
I have been leading the PodReplacementPolicy KEP for alpha and I helped review/fix some issues in beta. https://github.com/kubernetes/kubernetes/pulls?q=+is%3Apr+reviewed-by%3Akannon92+label%3Asig%2Fapps+ I have also been an active reviewer and helped GA job tracking last release. I hope to continue reviewing Job related code.
-
Merge pull request kubernetes#121780 from HirazawaUi/fix-delete-collection-test-failed
fix test store delete collection function failed
-
self nominate aroradaman as sig-proxy-reviewer
Signed-off-by: Daman Arora <aroradaman@gmail.com>
-
Merge pull request kubernetes#121764 from mimowo/backoff-limit-per-index-beta-api
Fix API comment for the FailIndex Job pod failure policy action
-
Merge pull request kubernetes#121765 from mimowo/ready-pods-stable-api
Fix API comment for the Job ready field
Commits on Nov 8, 2023
-
Pass External Storage label parameters as individual arguments in framework variadic function
-
[go] Bump images, dependencies and versions to go 1.21.4
Signed-off-by: cpanato <ctadeu@gmail.com>
-
Merge pull request kubernetes#121768 from borg-land/deadcode
test: introduce a Feature label for skipping KubeUp specific tests
-
Merge pull request kubernetes#121818 from liggitt/authz-config-rbac-anonymous
Test authz config file with RBAC and anonymous auth
-
authz: add benchmark for webhook authorizer
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Commits on Nov 9, 2023
-
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
-
Merge pull request kubernetes#121706 from kannon92/fix-oom-swap-fedora
Skip OOMKilled Jobs if Swap is enabled.
Commits on Nov 10, 2023
-
Merge pull request kubernetes#121677 from kerthcet/cleanup/remove-evnet
Unregister events in schedulingGates for performance
-
kubeadm: change SystemPrivilegedGroup in apiserve-kubelet-client.crt
The component connection between kube-apiserver and kubelet does not require the "O" field on the Subject to be set to the "system:masters" privileged group. It can be a less privileged group like "kubeadm:cluster-admins". Change the group in the apiserve-kubelet-client certificate specification. This cert is passed to --kubelet-client-certificate.
-
Merge pull request kubernetes#121837 from neolit123/1.29-remove-system-masters-from-kubelet-client-cert
kubeadm: change SystemPrivilegedGroup in apiserve-kubelet-client.crt
Commits on Nov 11, 2023
-
Merge pull request kubernetes#121841 from SataQiu/fix-renew-20231110
kubeadm: support updating certificate organization during 'kubeadm certs renew'
-
Fix "go test -count=2 ./pkg/proxy/iptables"
If you run the tests multiple times, the "partial restore failures" metric didn't get reset in between.
Commits on Nov 12, 2023
-
Merge pull request kubernetes#121801 from danwinship/iptables-test-count
Fix "go test -count=2 ./pkg/proxy/iptables"
Commits on Nov 13, 2023
-
e2e: avoid redundant labels in JUnit file
Because labels are currently typically added also to the spec texts, we don't need to write them separately. This redundancy got introduced in f2cfbf4 when registering all inline tags also as labels.
-
Merge pull request kubernetes#121852 from pohly/e2e-framework-test-labels-in-junit
e2e: avoid redundant labels in JUnit file
-
Merge pull request kubernetes#121304 from claudiubelu/e2e-increase-memory-limits
e2e: Increases the memory limit for downward API tests
-
Merge pull request kubernetes#121808 from cpanato/go-update-main
[go] Bump images, dependencies and versions to go 1.21.4
-
Merge pull request kubernetes#119652 from lixd/kubelet_image_gc
fix kubelet image gc
-
Merge pull request kubernetes#121718 from tkashem/apf-conformance
Promote flowcontrol tests to conformance
-
Merge pull request kubernetes#121779 from aroradaman/sig-network-reviewers
self nominate aroradaman as sig-network-reviewer
-
add false matchCondition benchmark
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
-
Merge pull request kubernetes#121711 from pacoxu/fix-buildx
Fix buildx add --provenance=false for pause image build and windows servercore cache
-
Fix issue with client rate limiter when polling
Signed-off-by: James Sturtevant <jstur@microsoft.com>
-
Merge pull request kubernetes#121782 from kannon92/patch-1
Self nominate Kevin Hannon for reviewer for job controller
Commits on Nov 14, 2023
-
Merge pull request kubernetes#121707 from aravindhp/fix-node-log-viewer-e2e-test
test: Fix NodeLogQuery tests
-
Bump distroless-iptables to v0.4.2
Signed-off-by: cpanato <ctadeu@gmail.com>
-
Merge pull request kubernetes#121822 from ritazh/webhookauthz-benchmark
[StructuredAuthz] Webhookauthz benchmark
-
Merge pull request kubernetes#121091 from alexanderConstantinescu/kccm-service-sync-fix
KCCM: fix transient node addition + removal while syncing load balancers
-
Merge pull request kubernetes#121871 from cpanato/update-distroless
Bump distroless-iptables to v0.4.2
-
Update publishing-bot rules for active release branches that uses go120 to Go 1.20.11
Signed-off-by: cpanato <ctadeu@gmail.com>
-
Merge pull request kubernetes#121870 from cpanato/rulesup
Update publishing-bot rules for active release branches that uses go120 to Go 1.20.11
-
Signed-off-by: James Sturtevant <jstur@microsoft.com>
-
Signed-off-by: James Sturtevant <jstur@microsoft.com>
-
Merge pull request kubernetes#121875 from mborsz/gcloud
Use value(name) in gcloud compute instance-groups managed list-instances
-
Merge pull request kubernetes#121881 from cji/5528
Use golang library instead of mklink
-
Merge pull request kubernetes#121880 from borg-land/skip-a-broken-test
Add kubeup label instead of a feature label
-
improve default_servicecidr_controller startup
The default service-cidr controller blocks the apiserver because it needs to create the default ServiceCIDR so Services can be allocated. If the apiserver is started without the default ServiceCIDR any attempt to create a new Service will fail, and this is a breaking change for users and installers that do not retry this operation. Instead of using a channel to signal the controller is ready, just implement two loops, a first one that verifies that it is ready and that polls with a shorter interval, and leave the second loop with the existing interval.
Change-Id: I54303af9faeaa9c5cce2a840b6b7b0320cd2f4ad
Commits on Nov 15, 2023
-
Merge pull request kubernetes#121878 from aojea/default_servicecidr_controller_startup
improve default_servicecidr_controller startup
-
Merge pull request kubernetes#121861 from jsturtevant/update-waiting-logic-hpa
Fix issue with client rate limiter when polling
-
Merge pull request kubernetes#121739 from ty-dc/runc/update-to-1.1.10
bump runc to v1.1.10
Commits on Nov 16, 2023
-
Merge pull request kubernetes#121867 from lianghao208/preeption
feat: Support score extension function in preemption.
-
Merge pull request kubernetes#121851 from andyzhangx/fix-smb-IsCorruptedMnt
fix: stale smb mount issue when smb file share is deleted and then unmount
Commits on Nov 17, 2023
-
Merge pull request kubernetes#121790 from pwschuurman/fix-framework-test-describe
Pass External Storage label parameters as individual arguments in framework variadic function
-
Replace -E with --setenv for systemd-run parameter
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
-
Merge pull request kubernetes#121943 from dims/replace-E-with-setenv-for-systemd-run-parameter
Replace -E with --setenv for systemd-run parameter
Commits on Nov 18, 2023
-
Merge pull request kubernetes#121948 from sanposhiho/patch-8
fix(framework): remove the mention about what happens with nil from EventsToRegister
-
fix flake on conformance e2e test ResourceQuota controller should apply changes to a resourcequota status
The e2e test patches the status of a ResourceQuota resource and tries to verify the controller reset its status, however, the controller ignores the updates and only reconciles the objects at a predefined interval, by default 5 minutes. Since the test polls for 5 minutes, there are some edge cases where the time to reconcile the object by the reconcile loop is greater than 5 minutes, failing the test. To take into account the time to reconcile the objects and the reconcile loop period, we increase the poll loop by one minute.
Change-Id: I30f7fda36cdfb47c543b5b2b120e39f7d6c2442d
Commits on Nov 19, 2023
-
Merge pull request kubernetes#121951 from aojea/fix_rc_e2e
fix flake on Conformance test should ResourceQuota apply changes to a…
Commits on Nov 20, 2023
-
code-generator: fix invalid replace of klog
The replace statement must have come from an experimental draft PR. It wasn't meant to be merged as part of 878d037.
-
Merge pull request kubernetes#121963 from pohly/code-generator-klog-replace-fix
code-generator: fix invalid replace of klog
Commits on Nov 21, 2023
Commits on Nov 22, 2023
-
releng: update publishing bot rules for 1.29
Signed-off-by: Jeremy Rickard <jeremyrrickard@gmail.com>
-
api: run hack/update-api-spec.sh
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
-
Merge pull request kubernetes#122000 from MadhavJivrajani/fix-verify-openapi
api: run hack/update-api-spec.sh
-
Merge pull request kubernetes#121992 from jeremyrickard/bump-publishing-129
releng: update publishing bot rules for 1.29
Commits on Nov 23, 2023
-
Fix verify target to not update env var if already set
Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>
Commits on Nov 27, 2023
-
Merge pull request kubernetes#122020 from Vyom-Yadav/fixOverridingVarInVerify
Fix verify target to not update env var if already set
Commits on Nov 28, 2023
-
Remove scrape_error from resource_metrics_test due to deprecation
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
Commits on Nov 29, 2023
-
Merge pull request kubernetes#121927 from alexanderConstantinescu/fix-flaky-TestSlowNodeSync
`TestSlowNodeSync`: attempt fixing flake by allowing informer cache to get populated
-
Merge pull request kubernetes#122095 from ruiwen-zhao/fix-test
Remove scrape_error from resource_metrics_test due to deprecation
Commits on Nov 30, 2023
Commits on Dec 5, 2023
Commits on Dec 6, 2023
-
Merge pull request kubernetes#122188 from kannon92/terminating-pod-beta
add beta comment for terminating pods and pod replacement policy
-
[go] Bump images, dependencies and versions to go 1.21.5
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
-
Merge pull request kubernetes#122201 from xmudrii/go1.21.5-1.20.12
[go] Bump images, dependencies and versions to go 1.21.5
-
Bump distroless-iptables to v0.4.2
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
-
Merge pull request kubernetes#122206 from xmudrii/update-distroless-1.21.5
Bump distroless-iptables to v0.4.2
Commits on Dec 7, 2023
Commits on Dec 8, 2023
-
UPSTREAM: 74956: apiserver: switch authorization to use protobuf client
OpenShift-Rebase-Source: 29eea3c
-
UPSTREAM: 84466: gce: ensureInternalInstanceGroups: reuse instance-groups for internal load balancers
UPSTREAM: 84466: legacy-cloud-providers/gce/gce_fake.go: NewFakeGCECloud: make sure that the secondary zone is also part of managedZones
UPSTREAM: 84466: gce: ensureInternalInstanceGroups: reuse instance-groups for internal load balancers
UPSTREAM: 84466: gce: add ExternalInstanceGroupsPrefix to filter instance groups that will be re-used for ILB backend
UPSTREAM: 84466: gce: skip ensureInstanceGroup for a zone that has no remaining nodes for k8s managed IG
OpenShift-Rebase-Source: a58245a
-
UPSTREAM: 93286: wait for apiservices on startup
OpenShift-Rebase-Source: 5a2488c
-
UPSTREAM: <carry>: filter out CustomResourceQuota paths from OpenAPI
UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI
UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI
Revise as per openshift/kubernetes-apiserver#12
OpenShift-Rebase-Source: 26005f1
-
UPSTREAM: <carry>: patch aggregator to allow delegating resources
UPSTREAM: <carry>: prevent apiservice registration by CRD controller when delegating
UPSTREAM: <carry>: prevent CRD registration from fighting with APIServices
UPSTREAM: <carry>: always delegate namespaced resources
OpenShift-Rebase-Source: d4cd0ba
Commits on Dec 20, 2023
-
UPSTREAM: <carry>: remove apiservice from sync in CRD registration when it exists
OpenShift-Rebase-Source: 1a1d469
-
UPSTREAM: <carry>: hardcoded restmapper with a few entries to rebootstrap SDN when SDN is down
UPSTREAM: <carry>: use hardcoded rest mapper from library-go
OpenShift-Rebase-Source: a00f75d
-
UPSTREAM: <carry>: Extend NodeLogQuery feature
Extend the NodeLogQuery feature to support oc adm node-logs options:
- Default NodeLogQuery feature gate to true
- Add support for --since, --until, --case-sensitive, --output, options
UPSTREAM: <carry>: Extend NodeLogQuery feature
Fix handling of the "until" parameter when generating the journalctl command. This was incorrectly being passed with the "since" value.
-
UPSTREAM: <carry>: kube-controller-manager: add service serving cert signer to token controller
:100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go
OpenShift-Rebase-Source: 891b28f
-
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: (squash) remove egressnetworkpolicies from gc ignored resources
egressnetworkpolicies should not be in garbage collector ignored resources, so users can delete them using "--cascade=foreground" flag.
Signed-off-by: Flavio Fernandes <flaviof@redhat.com>
OpenShift-Rebase-Source: 6c1dee4
UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
-
UPSTREAM: <carry>: kube-controller-manager: exclude some origin resources from quota
OpenShift-Rebase-Source: 7d2a074
-
UPSTREAM: <carry>: kube-apiserver: add our immortal namespaces directly to admission plugin
OpenShift-Rebase-Source: dd3aeca
-
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs
UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name
UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets
UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector
UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens
UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens
UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix
UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator
UPSTREAM: <drop>: remove the openshift authenticator from the apiserver
In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove.
UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true
When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work
UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function
UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring
UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile
UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec
UPSTREAM: <carry>: stop overriding flags that are explicitly set
UPSTREAM: <carry>: add readyz check for openshift apiserver availability
UPSTREAM: <carry>: wait for oauth-apiserver accessibility
UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests
The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that:
1. are in an allowed namespace
2. and have the workload annotation.
It also sets the new management resource request and limit and set resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703
Conditions for CPUs requests deletion:
1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
4. The CPU request deletion will not change the pod QoS class
UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster
Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check.
UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit
Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit.
UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type
It is possible a race condition between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology.
UPSTREAM: <carry>: add CRD validation for dnses
Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters. This commit fixes bug 1967745. https://bugzilla.redhat.com/show_bug.cgi?id=1967745
* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file. (PluginName): New const. (Register): New function. Register the plugin. (toDNSV1): New function. Convert a runtime object to a versioned DNS. (dnsV1): New type to represent a runtime object that is validated as a versioned DNS. (ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers. (validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper. (validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper. (validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations. (validateTolerations): New function. Validate a slice of corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file. (TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs. (TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs.
* vendor/*: Regenerate.
UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure
UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis
UPSTREAM: <carry>: verify required http2 cipher suites
In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash. See: go/x/net/http2.ConfigureServer for further information.
UPSTREAM: <carry>: drop the warning to use --keep-annotations
When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass `--keep-annotations` parameter to the debug command.
UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case
During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install.
UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled
UPSTREAM: <carry>: use new access token inactivity timeout field.
UPSTREAM: <carry>: apirequestcount validation
UPSTREAM: <carry>: Added config node object validation for extreme latency profiles
UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well
Moved SkipSystemMasterAuthorizers to the authorizer.
UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.
UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes.
UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes.
Signed-off-by: Artyom Lukianov <alukiano@redhat.com>
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
OpenShift-Rebase-Source: 932411e
OpenShift-Rebase-Source: 1899555
OpenShift-Rebase-Source: 453583e
OpenShift-Rebase-Source: bf7e23e
UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin
The CSIInlineVolumeSecurity admission plugin inspects inline CSI volumes on pod creation and compares the security.openshift.io/csi-ephemeral-volume-profile label on the CSIDriver object to the pod security profile on the namespace.
OpenShift-Rebase-Source: a65c34b
UPSTREAM: <carry>: add icsp,idms,itms validation
reject creating icsp with idms/itms exist
Reject icsp with idms.itms resources exists. According to the discussion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing, one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster.
Signed-off-by: Qi Wang <qiwan@redhat.com>
UPSTREAM: <carry>: node admission plugin for cpu partitioning
The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative. This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning. For more information see - openshift/enhancements#1213
Signed-off-by: ehila <ehila@redhat.com>
UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver options
UPSTREAM: <carry>: kube-apiserver: allow rewiring
OpenShift-Rebase-Source: 56b49c9
OpenShift-Rebase-Source: bcf574c
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
-
UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apiserver code
UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs
UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name
UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets
UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector
UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens
UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens
UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix
UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator
UPSTREAM: <drop>: remove the openshift authenticator from the apiserver
In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove.

UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true
When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work

UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function
UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring
UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile
UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec
UPSTREAM: <carry>: stop overriding flags that are explicitly set
UPSTREAM: <carry>: add readyz check for openshift apiserver availability
UPSTREAM: <carry>: wait for oauth-apiserver accessibility
UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests
The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that:
1. are in an allowed namespace
2. and have the workload annotation.
It also sets the new management resource request and limit and sets the resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703

Conditions for CPUs requests deletion:
1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
4. The CPU request deletion will not change the pod QoS class

UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster
Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check.

UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit
Removing the CPU request from the container that has a CPU limit will result in the defaulter setting the CPU request back equal to the CPU limit.

UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type
A race condition is possible between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology.

UPSTREAM: <carry>: add CRD validation for dnses
Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters.
This commit fixes bug 1967745.
https://bugzilla.redhat.com/show_bug.cgi?id=1967745

* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file.
  (PluginName): New const.
  (Register): New function. Register the plugin.
  (toDNSV1): New function. Convert a runtime object to a versioned DNS.
  (dnsV1): New type to represent a runtime object that is validated as a versioned DNS.
  (ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers.
  (validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper.
  (validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper.
  (validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations.
  (validateTolerations): New function. Validate a slice of corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file.
  (TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs.
  (TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs.
* vendor/*: Regenerate.

UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure
UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis
UPSTREAM: <carry>: verify required http2 cipher suites
In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in an invalid http2 Server configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for further information.

UPSTREAM: <carry>: drop the warning to use --keep-annotations
When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass the `--keep-annotations` parameter to the debug command.

UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case
During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install.

UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled
UPSTREAM: <carry>: use new access token inactivity timeout field.
UPSTREAM: <carry>: apirequestcount validation
UPSTREAM: <carry>: Added config node object validation for extreme latency profiles
UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well
Moved SkipSystemMasterAuthorizers to the authorizer.

UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.
UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes.
UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes.
Signed-off-by: Artyom Lukianov <alukiano@redhat.com>
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
OpenShift-Rebase-Source: 932411e
OpenShift-Rebase-Source: 1899555
OpenShift-Rebase-Source: 453583e
OpenShift-Rebase-Source: bf7e23e

UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin
The CSIInlineVolumeSecurity admission plugin inspects inline CSI volumes on pod creation and compares the security.openshift.io/csi-ephemeral-volume-profile label on the CSIDriver object to the pod security profile on the namespace.
OpenShift-Rebase-Source: a65c34b

UPSTREAM: <carry>: add icsp,idms,itms validation
reject creating icsp with idms/itms exist
Reject icsp with idms.itms resources exists. According to the discussion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing, one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster.
Signed-off-by: Qi Wang <qiwan@redhat.com>

UPSTREAM: <carry>: node admission plugin for cpu partitioning
The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative. This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning. For more information see - openshift/enhancements#1213
Signed-off-by: ehila <ehila@redhat.com>

UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver options
UPSTREAM: <carry>: kube-apiserver: allow rewiring
OpenShift-Rebase-Source: 56b49c9
OpenShift-Rebase-Source: bcf574c

UPSTREAM: <carry>: STOR-1270: Admission plugin to deny deletion of storages.operator.openshift.io
UPSTREAM: <carry>: support for both icsp and idms objects
Revert: openshift#1310
Add support for ICSP and IDMS objects living at the same time.
Signed-off-by: Qi Wang <qiwan@redhat.com>

UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apiserver code
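The http2 cipher-suite requirement described in the "verify required http2 cipher suites" carry above, as an added example that is not part of this PR or of the openshift/kubernetes admission plugin: it checks a custom tlsSecurityProfile cipher list the way golang.org/x/net/http2.ConfigureServer will, using only the standard library. The accepted name spelling (IANA names with or without the TLS_ prefix), the function names and the sample profiles are my assumptions, not the OpenShift API's own format.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// requiredHTTP2Suites: golang.org/x/net/http2.ConfigureServer rejects a
// non-empty CipherSuites list unless at least one of these is present
// (RFC 7540 section 9.2.2 makes AES_128_GCM_SHA256 mandatory to implement).
var requiredHTTP2Suites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
}

// cipherIDByName builds a lookup from the IANA names crypto/tls knows
// (secure and insecure suites alike) to their numeric suite IDs.
func cipherIDByName() map[string]uint16 {
	ids := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		ids[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		ids[cs.Name] = cs.ID
	}
	return ids
}

// normalizeName accepts both the spelling used in the carry's commit message
// ("ECDHE_RSA_WITH_AES_128_GCM_SHA256") and the full IANA form with the
// "TLS_" prefix. This input format is an assumption of the example.
func normalizeName(name string) string {
	name = strings.ToUpper(strings.TrimSpace(name))
	if !strings.HasPrefix(name, "TLS_") {
		name = "TLS_" + name
	}
	return name
}

// ValidateCustomCiphers returns nil when the custom profile's cipher list
// would be accepted by http2.ConfigureServer, and an error describing why
// the apiserver would otherwise fail at startup. Unknown names are rejected
// too, so a typo cannot silently turn into an unexpected suite set.
func ValidateCustomCiphers(ciphers []string) error {
	if len(ciphers) == 0 {
		// An empty list means Go's default suites, which already satisfy HTTP/2.
		return nil
	}
	ids := cipherIDByName()
	haveRequired := false
	var unknown []string
	for _, c := range ciphers {
		id, ok := ids[normalizeName(c)]
		if !ok {
			unknown = append(unknown, c)
			continue
		}
		for _, req := range requiredHTTP2Suites {
			if id == req {
				haveRequired = true
			}
		}
	}
	if len(unknown) > 0 {
		return fmt.Errorf("unknown cipher suite(s) in tlsSecurityProfile: %s", strings.Join(unknown, ", "))
	}
	if !haveRequired {
		return errors.New("custom tlsSecurityProfile must include ECDHE_RSA_WITH_AES_128_GCM_SHA256 or " +
			"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; without one http2.ConfigureServer fails and the apiserver cannot start")
	}
	return nil
}

func main() {
	// Constructed sample profiles, not copied from any real cluster.
	profiles := map[string][]string{
		"ok":      {"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
		"crashes": {"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
		"typo":    {"ECDHE_RSA_WITH_AES_128_GCM_SHA25"},
	}
	for name, ciphers := range profiles {
		fmt.Printf("%-8s %v -> %v\n", name, ciphers, ValidateCustomCiphers(ciphers))
	}
}
```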
-
UPSTREAM: <carry>: kube-apiserver: prioritize some CRD groups over others
OpenShift-Rebase-Source: 2260f01
-
UPSTREAM: <carry>: Always test PDB's during service upgrade test
The upstream can't enable this, but we need to do so in order to properly validate that cluster upgrades retain availability.
OpenShift-Rebase-Source: 0385e16
-
UPSTREAM: <carry>: kube-apiserver: wire through isTerminating into handler chain
UPSTREAM: <carry>: use lifeCycleSignals for isTerminating
OpenShift-Rebase-Source: a736659
-
UPSTREAM: <carry>: create termination events
UPSTREAM: <carry>: apiserver: log new connections during termination
UPSTREAM: <carry>: apiserver: create LateConnections events on events in the last 20% of graceful termination time
UPSTREAM: <carry>: apiserver: log source in LateConnections event
UPSTREAM: <carry>: apiserver: skip local IPs and probes for LateConnections
UPSTREAM: <carry>: only create valid LateConnections/GracefulTermination events
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: apiserver: create hasBeenReadyCh channel
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: fix termination event(s) validation failures
UPSTREAM: <carry>: during the rebase collapse to create termination event
It makes recording termination events a non-blocking operation. Previously closing delayedStopCh might have been delayed on preserving data in the storage. The delayedStopCh is important as it signals the HTTP server to start the shutdown procedure. It also sets a hard timeout of 3 seconds for the storage layer since we are bypassing the API layer.

UPSTREAM: <carry>: rename termination events to use lifecycleSignals
OpenShift-Rebase-Source: 15b2d2e
-
UPSTREAM: <carry>: bootstrap-rbac-policy: move over .well-known rules
OpenShift-Rebase-Source: 439ec41
-
UPSTREAM: <carry>: warn only about unknown feature gates
OpenShift-Rebase-Source: a137009
-
UPSTREAM: <carry>: disable AES24, not supported by FIPS
OpenShift-Rebase-Source: b9a8eb6
-
UPSTREAM: <carry>: Remove excessive e2e logging
UPSTREAM: <carry>: Remove a redundant output in the tests
This line is not necessary for our test usage and should not be an issue in OpenShift (openshift-tests already verifies this correctly).

UPSTREAM: <carry>: Remove excessive logging during e2e upgrade test
This line makes the upgrade log output unreadable and provides no value during the set of tests it's used in:

```
Jan 12 20:49:25.628: INFO: cluster upgrade is Progressing: Working towards registry.svc.ci.openshift.org/ci-op-jbtg7jjb/release@sha256:144e73d125cce620bdf099be9a85225ade489a95622a70075d264ea3ff79219c: downloading update
Jan 12 20:49:26.692: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success
Jan 12 20:49:28.727: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success
```

OpenShift-Rebase-Source: 8e73298
-
UPSTREAM: <carry>: conditionally fill the UserAgent from the currently running test
OpenShift uses these functions before any test is run and they cause NPE
OpenShift-Rebase-Source: 834af76
-
UPSTREAM: <carry>: refactor/improve CRD publishing e2e tests in an HA…
-
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
UPSTREAM: <carry>: Copy hack scripts and tools from openshift/origin
UPSTREAM: <carry>: Fix shellcheck failures for copied openshift-hack bash
UPSTREAM: <carry>: Enable build, test and verify
UPSTREAM: <carry>: Copy README content from origin
UPSTREAM: <carry>: Copy watch-termination command from openshift/origin
UPSTREAM: <carry>: Switch image and rpm build to golang 1.14
UPSTREAM: <carry>: Copy test annotation from origin
UPSTREAM: <carry>: Build openshift-compatible kube e2e binary
UPSTREAM: <carry>: Updating openshift-hack/images/hyperkube/Dockerfile.rhel baseimages to match ocp-build-data config
UPSTREAM: <carry>: Update test annotation rules
UPSTREAM: <carry>: Enable k8s-e2e-serial
UPSTREAM: <carry>: Update test annotation rules
UPSTREAM: <carry>: Build with golang 1.15
UPSTREAM: <carry>: (squash) Stop installing recent bash and protoc from source
UPSTREAM: <carry>: Add rebase instructions
UPSTREAM: <carry>: (squash) Update README.openshift to reflect transition
UPSTREAM: <carry>: (squash) Stop annotating origin tests with [Suite:openshift]
The detection logic was error-prone (different results based on the repo existing in GOPATH vs not) and whether a test comes from origin can be inferred from the absence of the `[Suite:k8s]` tag.
UPSTREAM: <carry>: (squash) Update hyperkube version
UPSTREAM: <carry>: (squash) Update OpenShift docs
UPSTREAM: <carry>: watch-termination: fix deletion race and write non-graceful message also to termination.log
UPSTREAM: <carry>: watch-termination: avoid false positives of NonGracefulTermination events
UPSTREAM: <carry>: (squash) remove servicecatalog e2e that was dropped upstream
UPSTREAM: <carry>: (squash) Fix annotation rules
UPSTREAM: <carry>: (squash) Fix image refs
UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube builder & base images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/b0ab44b419faae6b18e639e780a1fa50a1df8521/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: (squash) Retry upstream flakes
UPSTREAM: <carry>: (squash) Update test exclusions for 1.20.0
UPSTREAM: <carry>: (squash) Add detail to rebase doc
- Add new section 'Maintaining this document'
- Move checklist above the instructions to emphasize their importance
- Add new section 'Reacting to new commits'
- Mention that generated changes in carries should be dropped

UPSTREAM: <carry>: Enable CSI snapshot e2e tests
All images were uploaded to our quay.io mirror and the tests should succeed.

UPSTREAM: <carry>: Stop skipping multi-az test (skipped upstream)
UPSTREAM: <carry>: bump tag version & update rebase doc
UPSTREAM: <carry>: update rebase doc & image
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: Add Dockerfile to build pause image
Ensuring the target directory exists before writing a file to it.
UPSTREAM: <carry>: disable part of hack/verify-typecheck-providerless.sh due to our carry patches
UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-pod.yml

UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: Add process overlap detection event to watch-termination
NOTE: Squash this to watch-termination commit on rebase.

UPSTREAM: <carry>: openshift-hack/images/os/Dockerfile: Add io.openshift.build.versions, etc.
For example, consider the current 4.10 RHCOS:

$ oc image info -o json registry.ci.openshift.org/ocp/4.10:machine-os-content
io.k8s.description: The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.
io.k8s.display-name: Red Hat Universal Base Image 8
io.openshift.build.version-display-names: machine-os=Red Hat Enterprise Linux CoreOS
io.openshift.build.versions: machine-os=49.84.202109102026-0
io.openshift.expose-services:
io.openshift.tags: base rhel8

A bunch of those seem to be inherited from the UBI base image, so we can leave them alone. But the io.openshift.build.* entries are RHCOS-specific, and are consumed by 'oc adm release new ...'
[1,2] and friends to answer questions like "which RHCOS is in this release?":

$ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.8.12-x86_64
{
  "kubernetes": {
    "Version": "1.21.1",
    "DisplayName": ""
  },
  "machine-os": {
    "Version": "48.84.202109100857-0",
    "DisplayName": "Red Hat Enterprise Linux CoreOS"
  }
}

Setting this label will avoid failures when consumers like driver-toolkit's version consumer [3]:

  name: 0.0.1-snapshot-machine-os

bump into ci-tools-built machine-os-content images that lack the io.openshift.build.versions declaration of machine-os version [4]:

  error: unable to create a release: unknown version reference "machine-os"

I've gone with generic testing values, so hopefully this is not something that local maintainers need to remember to bump for each OpenShift z stream.

[1]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/image_mapper.go#L328-L334
[2]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/annotations.go#L19-L28
[3]: openshift/driver-toolkit@464acca#diff-4caed9b2b966a8fa7a016ae28976634a2d3d1b635c4e820d5c038b2305d6af53R18
[4]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/959/pull-ci-openshift-kubernetes-master-images/1438398678602616832#1:build-log.txt%3A97

UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: squash with the rest of tooling
UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-pod.yml

UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: rebase script
UPSTREAM: <carry>: Fix networking-related test exclusions
Tests that fail on openshift-sdn specifically should be tagged as such, so that they don't also get skipped when running under ovn-kubernetes or third-party network plugins.

UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test
Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379 in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be cleanly unmounted, gets "Stale file handle" error instead on umount. As a result this test is permafailing on Fedora CoreOS nodes.

UPSTREAM: <carry>: Skip GlusterFS tests
GlusterFS is not supported in 4.x, we've been running its tests just because we could. Now it does not work on IPv6 systems.

E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported)

UPSTREAM: <carry>: Skip GlusterFS tests
The previous commit left two GlusterFS tests still running:

[sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes

Skip it, we don't support Gluster and it does not work on ipv6

UPSTREAM: <carry>: 1.22 alpha & other tests disablement
UPSTREAM: <carry>: 1.21 alpha & other tests disablement
UPSTREAM: <carry>: Enable GenericEphemeralVolume tests
UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase
UPSTREAM: <carry>: Reenable NetworkPolicy test
UPSTREAM: <carry>: Conformance tests (sysctls) should be run
We have to run this test for conformance, and the tests pass. Reenable this block which has been disabled for 2 releases (but appears to work fine).

UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests
Instead, openshift-tests will enable or disable them depending on cluster configuration.
UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name
This test was renamed upstream in kubernetes@006dc74

UPSTREAM: <carry>: re-enable networking tests after rebase
During a bump to k8 ver. 1.22.0, networking tests were disabled to accomplish the bump. This disabled netpol and older network tests. Netpol tests will be enabled in a following PR and therefore only partially fixes BZ.
This commit partially fixes bug 1986307.
https://bugzilla.redhat.com/show_bug.cgi?id=1986307

UPSTREAM: <drop>: update test annotate rules
UPSTREAM: <carry>: Add DOWNSTREAM_OWNERS
UPSTREAM: <carry>: clarify downstream approver rules
UPSTREAM: <carry>: copy extensions into resulting image
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning
Master nodes already have `master` taint which cannot be tolerated by normal workloads. If we manually cordon the master nodes again, some of the control plane components cannot get rescheduled unless they have toleration to the `node.kubernetes.io/unschedulable` taint. Even if we have the toleration in the pod spec, because of the backwards compatibility issues scheduler will ignore nodes which have `unschedulable` field set.
IOW:
- Cordoning master nodes is redundant as masters already have taints
- Cordoning master nodes can cause issues which are hard to debug as control-plane components may be evicted/preempted during e2e run (highly unlikely but a possibility).
So, let's stop cordoning master nodes.
UPSTREAM: <carry>: enable internal traffic policy tests
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1986307

UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: enable e2e test after 1.23 rebase in sdn
Enable "[sig-network] Conntrack should be able to preserve UDP traffic when initial unready endpoints get ready" after 1.23 rebase in openshift/sdn

UPSTREAM: <carry>: Unskip OCP SDN related tests
Unskip networkPolicy tests concerning IpBlock and egress rules since both features have now been implemented.

UPSTREAM: <carry>: enable should drop INVALID conntrack entries test
UPSTREAM: <carry>: update e2es
UPSTREAM: revert: <carry>: Unskip OCP SDN related tests
These newly-enabled tests are breaking some CI, possibly due to race conditions in the tests. Re-disable them for now.
This reverts commit aba8d20.

UPSTREAM: <carry>: update hyperkube and image version
UPSTREAM: <drop>: disable e2e tests
- disable 'ProxyTerminatingEndpoints' feature e2e tests
- disable [sig-network] [Feature:Topology Hints] should distribute endpoints evenly
see https://bugzilla.redhat.com/show_bug.cgi?id=2079958 for more context

UPSTREAM: <carry>: Add kubensenter to the openshift RPM
This carry-patch adds the kubensenter script to the openshift-hyperkube RPM, by importing it via the new hack/update-kubensenter.sh script.

UPSTREAM: <carry>: Skip session affinity timeout tests
In 4.12 and higher the default CNI is OVNKubernetes and these two tests do not pass. Skip them. They are also skipping in the origin test suites for ovnk.

UPSTREAM: <carry>: Update kubensenter to use exec instead of direct call
Because kubelet relies on systemd's Type=notify mechanism, we don't need or want kubensenter to keep itself in the process tree. exec is best.

UPSTREAM: <carry>: update to ginkgo v2 - squash to tooling
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: allow annotating with a specific suite
If a test specifies a suite, don't append another one to it.
We want the ability to add tests to a particular suite without automatically being added to parallel conformance.

UPSTREAM: <carry>: Ensure balanced brackets in annotated test names
We recently started marking tests with apigroups, and in one case we missed the closing bracket on the annotation resulting in the test being erroneously skipped. This adds a check in the annotation generation, and errors when brackets are unbalanced.

```
Example:

$ ./hack/verify-generated.sh
FAILURE after 12.870s: hack/verify-generated.sh:13: executing '/home/stbenjam/go/src/github.com/openshift/origin/hack/update-generated.sh' expecting success: the command returned the wrong error code
Standard output from the command:
Nov 4 14:11:25.026: INFO: Enabling in-tree volume drivers
Nov 4 14:11:25.026: INFO: Warning: deprecated ENABLE_STORAGE_GCE_PD_DRIVER used. This will be removed in a future release. Use --enabled-volume-drivers=gcepd instead
Nov 4 14:11:25.026: INFO: Enabled gcepd and windows-gcepd in-tree volume drivers

Standard error from the command:
failed: unbalanced brackets in test name: [Top Level] [sig-scheduling][Early] The openshift-console console pods [apigroup:console.openshift.io should be scheduled on different nodes
^
```

UPSTREAM: <carry>: add CSI migration feature gates for vSphere and Azure File
This commit is the next natural step for commits 2d9a8f9 and d37e84c. It introduces custom feature gates to enable the CSI migration in vSphere and Azure File plugins. See openshift/enhancements#549 for details.
Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAzureFile / features.CSIMigrationVSphere are GA).

UPSTREAM: <carry>: Skip in-tree topology tests when Azure Disk migrated to CSI
Skip tests that depend on the in-tree Azure Disk volume plugin that (wrongly) uses failure domains for the value of the "topology.kubernetes.io/zone" label in Azure regions that don't have availability zones.
Our e2e tests blindly use that label and expect that a volume provisioned in such a "zone" can be used only by nodes in that "zone" (= topology domain). This is false, Azure Disk CSI driver can use such a volume in any zone and therefore the test may randomly fail.
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2066865

UPSTREAM: <carry>: Stop ignoring generated openapi definitions
openshift/origin needs to be able to vendor these definitions so they need to be committed.

Signed-off-by: astoycos <astoycos@redhat.com>
Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
Signed-off-by: Jim Ramsay <jramsay@redhat.com>
Signed-off-by: Martin Kennelly <mkennell@redhat.com>
Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
OpenShift-Rebase-Source: 514f181
OpenShift-Rebase-Source: 87e220b
OpenShift-Rebase-Source: b25e156
OpenShift-Rebase-Source: 2256387
OpenShift-Rebase-Source: e4d66c1
OpenShift-Rebase-Source: 5af594b

UPSTREAM: <carry>: disable tests for features in alpha
UPSTREAM: <carry>: disable tests dependent on StackDriver
UPSTREAM: <carry>: add default sysctls for kubelet in rpm
UPSTREAM: <carry>: add new approvers
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: update hyperkube image version
UPSTREAM: <carry>: update hyperkube image version
Updated builder as well.

UPSTREAM: <carry>: add missing generated file
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Add CSI mock volume tests. In upstream these tests were moved to a different package, so we stopped generating their names in OpenShift. This patch fixes that.

UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Disable CSI mock tests for SELinux and RecoverVolumeExpansionFailure, which are alpha features and require additional work to get enabled.
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
UPSTREAM: <carry>: update rebase doc
UPSTREAM: <carry>: disable failing dnsPolicy test
UPSTREAM: <carry>: disable failing dnsPolicy test
UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests
UPSTREAM: <carry>: Change annotation mechanics to allow injecting testMaps and filter out tests
UPSTREAM: <carry>: Move k8s-specific rules to our fork
UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests
UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Update the list of tests that should be skipped.

UPSTREAM: <carry>: Force using host go always and use host libraries
UPSTREAM: <carry>: ignore vendor when generating code
UPSTREAM: <carry>: ignore vendor when installing ncpu from hack/tools
UPSTREAM: <carry>: move test rules from origin
These were brought back in o/o PRs as follows:
- netpol - openshift/origin#26775
- schedulerpreemption - openshift/origin#27874

UPSTREAM: <carry>: UserNamespacesSupport feature was renamed to UserNamespacesStatelessPodsSupport
See commit 531d38e.

UPSTREAM: <carry>: allow apiserver-library-go to depend on k8s.io/kubernetes
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Remove commitchecker.

UPSTREAM: <carry>: Force using host go always and use host libraries
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Update builder images.

UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Bump builder and base images to OCP 4.15 and RHEL 9 (where possible).

UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Update REBASE.openshift.md file with new RHEL 9 images.

UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
Remove "git rerere" suggestion. This has shown to be problematic in some cases.
UPSTREAM: <carry>: Fix sporadic 141 errors in build-rpms
"head" sometimes exits before "rpmspec" finishes piping it all its data. Work around that by separating the rpmspec and head calls.

UPSTREAM: <carry>: Disable e2e tests related to AdmissionWebhookMatchConditions
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
1. Fix failure while running the verify.import-boss case
2. Add verify-govulncheck.sh to the excluded pattern
This requires a new package to be installed on the fly and the same fails with the following error.
`go: golang.org/x/vuln/cmd/govulncheck@v1.0.1: cannot query module due to -mod=vendor`
The above error needs to be fixed before enabling this `govulncheck`
-
UPSTREAM: <carry>: export HandleFlags
OpenShift-Rebase-Source: 7bf2f1f
-
UPSTREAM: <carry>: noderestrictions: add node-role.kubernetes.io/* to allowed node labels
Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work.

UPSTREAM: <carry>: add control plane to allow roles
OpenShift-Rebase-Source: 38bfed3
OpenShift-Rebase-Source: aff4434
-
UPSTREAM: <carry>: Skip unit tests incompatible with openshift ci
OpenShift-Rebase-Source: e1e2042
-
UPSTREAM: <carry>: kube-apiserver: ignore SIGTERM/INT after the first one
UPSTREAM: <carry>: kube-apiserver: set up separate signal handler functions to ignore further signals
This patches the changes from openshift#558 to provide these new functions without changing the behavior for other repos that depend on them, such as library-go.
OpenShift-Rebase-Source: 63ed200
-
UPSTREAM: <carry>: use hardcoded metrics scraping authorizer for delegated apiservers
OpenShift-Rebase-Source: d8adc09
-
UPSTREAM: <carry>: allow kubelet to self-authorize metrics scraping
OpenShift-Rebase-Source: 5ab0f5e
-
UPSTREAM: <carry>: provide events, messages, and bodies for probe failures of important pods
UPSTREAM: <carry>: provide unique reason for pod probe event during termination
OpenShift-Rebase-Source: 01542fc
-
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost
To force KS to use localhost, set the following flag in kubescheduler (oc edit kubescheduler cluster):
unsupportedConfigOverrides:
  arguments:
    unsupported-kube-api-over-localhost:
    - "true"
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost-squash to other
This commit is an addendum to openshift@04eabe5 to stop using cc and start relying on scheduler config options.
OpenShift-Rebase-Source: aa9dde2
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost
-
UPSTREAM: <carry>: add management support to kubelet
UPSTREAM: <carry>: management workloads enhancement 741
UPSTREAM: <carry>: lower verbosity of managed workloads logging
Support for managed workloads was introduced by PR#627. However, the CPU manager reconcile loop now seems to flood the kubelet log with "reconcileState: skipping pod; pod is managed" warnings. Lower the verbosity of these log messages.
UPSTREAM: <carry>: set correctly static pods CPUs when workload partitioning is disabled
UPSTREAM: <carry>: Remove reserved CPUs from default set
Remove reserved CPUs from default set when workload partitioning is enabled.
Co-Authored-By: Brent Rowsell <browsell@redhat.com>
Signed-off-by: Artyom Lukianov <alukiano@redhat.com>
Signed-off-by: Don Penney <dpenney@redhat.com>
OpenShift-Rebase-Source: b762ced
OpenShift-Rebase-Source: 63cf793
OpenShift-Rebase-Source: 32af64c
UPSTREAM: <carry>: add management support to kubelet
-
UPSTREAM: <carry>: APIRequestCount Handler
OpenShift-Rebase-Source: 4d74b77
-
UPSTREAM: <carry>: allows for switching KCM to talk to Kube API over localhost
To force KCM to use localhost, set the following flag in kubecontrollermanager (oc edit kubecontrollermanager cluster):
unsupportedConfigOverrides:
  extendedArguments:
    unsupported-kube-api-over-localhost:
    - "true"
OpenShift-Rebase-Source: 036b11c
UPSTREAM: <carry>: allows for switching KCM to talk to Kube API over localhost
-
UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
OpenShift since 3.x has injected the service serving certificate ca (service ca) bundle into service account token secrets. This was intended to ensure that all pods would be able to easily verify connections to endpoints secured with service serving certificates. Since breaking customer workloads is not an option, and there is no way to ensure that customers are not relying on the service ca bundle being mounted at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, it is necessary to continue mounting the service ca bundle in the same location in the bound token projected volumes enabled by the BoundServiceAccountTokenVolume feature (enabled by default in 1.21).
A new controller is added to create a configmap per namespace that is annotated for service ca injection. The controller is derived from the controller that creates configmaps for the root ca. The service account admission controller is updated to include a source for the new configmap in the default projected volume definition.
UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap publishing
This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
OpenShift-Rebase-Source: d69d054
UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
-
UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
UPSTREAM: <carry>: apiserver: add cluster-policy-controller to system client in apiserver_request_total
OpenShift-Rebase-Source: d86823d
UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
Fix TestOpenAPIRequestMetrics unit test.
-
UPSTREAM: <carry>: emit event when readyz goes true
OpenShift-Rebase-Source: 6386eb2
-
UPSTREAM: <carry>: crd: add ClusterOperator condition message table column
The logic is not expressible via JSONPath. Hence, if we want this, we have to help a little with this custom column writer.
OpenShift-Rebase-Source: 633a422
-
UPSTREAM: <carry>: only chown if non-windows machine
Upstream worked on under kubernetes#102868
OpenShift-Rebase-Source: 5032546
-
UPSTREAM: <carry>: openshift's kube-apiserver is in openshift-kube-apiserver
OpenShift-Rebase-Source: fb90ed6
-
UPSTREAM: 103612: tolerate additional, but congruent, events for integration test
OpenShift-Rebase-Source: 2f4c829
UPSTREAM: 103612: tolerate additional, but congruent, events for integration test
-
UPSTREAM: <carry>: add a way to inject a vulnerable, legacy service-ca.crt for migration compatibility
OpenShift-Rebase-Source: bf2b5fa
-
UPSTREAM: <carry>: Revert "Remove Endpoints write access from aggrega…
-
UPSTREAM: <carry>: skip posting failures to aggregated APIs to avoid getting false positives until the server becomes ready
The availability checks depend on a fully initialized SDN. OpenShift carries a few reachability checks that affect the /readyz protocol. We skip posting failures to avoid getting false positives until the server becomes ready.
UPSTREAM: <carry>: skip posting failures to aggregated APIs to avoid getting false positives until the server becomes ready
Marks availability of the server before checking the aggregate APIs, as it can change while we are running the checks. In that case, skip posting failures to avoid false positives.
Note: on the next rebase please squash with the previous commit.
UPSTREAM: <carry>: expose HasBeenReady lifecycle signal
OpenShift-Rebase-Source: 8558e88
-
UPSTREAM: <carry>: send Retry-After when not ready with a caller opt in
UPSTREAM: <carry>: change opt-in due to upstream revert
OpenShift-Rebase-Source: cd08005
-
UPSTREAM: <carry>: add max_housekeeping_interval
OpenShift-Rebase-Source: 3b2555a
-
UPSTREAM: <carry>: sets X-OpenShift-Internal-If-Not-Ready HTTP Header for GC and Namespace controllers
In general, setting the header will result in getting 429 while the server has not yet become ready. This prevents certain controllers like GC and Namespace from accidentally removing resources when the caches haven't been fully synchronized.
OpenShift-Rebase-Source: 2ebf199
-
UPSTREAM: <carry>: Release lock on KCM and KS termination
UPSTREAM: <carry>: Force releasing the lock on exit for KS
Squash with UPSTREAM: <carry>: Release lock on KCM and KS termination
OpenShift-Rebase-Source: fc91252
UPSTREAM: <carry>: Release lock on KCM and KS termination
-
UPSTREAM: <carry>: use console-public config map for console redirect
OpenShift-Rebase-Source: 2e5064e
-
UPSTREAM: <carry>: e2e-framework: don't autosync PodSecurity labels
In the tests, we oftentimes create pods directly by the administrative user and so their SCC-related privileges are being used to create the pods. The PSa label syncer however works by introspecting SAs in each namespace, and since the SAs in the direct pod creation use-cases don't have the SCC-related privileges, the labelsyncer evaluates these namespaces as "restricted" because only the "restricted-v2" SCC is ever assigned in the namespaces. This breaks tests where pods are created directly.
OpenShift-Rebase-Source: 4b7ae56
-
UPSTREAM: <carry>: fix [sig-auth] ServiceAccounts no secret-based service account token should be auto-generated
OpenShift-Rebase-Source: a031438
-
UPSTREAM: <carry>: optionally enable retry after until apiserver is ready
OpenShift-Rebase-Source: fc3523f
-
UPSTREAM: <carry>: make the PSA workload admission warnings honor the changes that SCC will eventually make to the pod
UPSTREAM: <carry>: pod-security: don't fail on SCC admission error
If we propagate an SCC admission error during pod extraction to PodSecurity admission, the latter will log the error instead of continuing with the unmutated pod spec, and so we will not get a validation error in either the audit logs or as a warning.
OpenShift-Rebase-Source: 6fe5c8f
OpenShift-Rebase-Source: b4e019f
UPSTREAM: <carry>: SCC pod extractor: assume default SA if SA is empty
-
UPSTREAM: <carry>: PSa metrics: log platform namespaces in audit denies
We need this in order to be able to retrieve better reports from PodSecurityViolation alerts.
UPSTREAM: <carry>: PSa metrics: unset ocp_namespace on non-platform namespaces
-
UPSTREAM: <carry>: disable load balancing on created cgroups when managed is enabled
Previously, cpu load balancing was enabled in cri-o by manually changing the sched_domain of cpus in sysfs. However, RHEL 9 dropped support for this knob, instead requiring it be changed in cgroups directly. To enable cpu load balancing on cgroupv1, the specified cgroup must have cpuset.sched_load_balance set to 0, as well as all of that cgroup's parents, plus all of the cgroups that contain a subset of the cpus that load balancing is disabled for. By default, all cpusets inherit the set from their parent and sched_load_balance as 1. Since we need to keep the cpus that need load balancing disabled in the root cgroup, all slices will inherit the full cpuset.
Rather than rebalancing every cgroup whenever a new guaranteed cpuset cgroup is created, the approach this PR takes is to set load balancing to disabled for all slices. Since slices definitionally don't have any processes in them, setting load balancing won't affect the actual scheduling decisions of the kernel. All it will do is open the opportunity for CRI-O to actually set load balancing to disabled for containers that request it.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
UPSTREAM: <carry>: kubelet/cm: disable cpu load balancing on slices when using static cpu manager policy
There are situations where cpu load balance disabling is desired when the kubelet is not in managed state. Instead of using that condition, set the cpu load balancing parameter for new slices when the cpu policy is static.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
UPSTREAM: <carry>: cm: reorder setting of sched_load_balance for sandbox slice
If we call mgr.Apply() first, libcontainer's cpusetCopyIfNeeded() will copy the parent cpuset and set load balancing to 1 by default. This causes the kernel to set the cpus to not load balanced for a brief moment, which causes churn. Instead, create the cgroup and set load balance, then have Apply() copy the values into it.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
UPSTREAM: <carry>: kubelet/cm: use MkdirAll when creating cpuset to ignore file exists error
Signed-off-by: Peter Hunt <pehunt@redhat.com>
-
UPSTREAM: <carry>: add shutdown annotation to response header
If it is useful we will combine this with the following carry: 20caad9: UPSTREAM: 115328: annotate early and late requests
-
UPSTREAM: <carry>: Export internal code from k8s.io/apimachinery/pkg/util/managedfields
Some of the code we use in openshift-tests was recently made internal in kubernetes#115065. This patch exposes the code we need there.
-
UPSTREAM: <carry>: when only this kube-apiserver can fulfill the kubernetes.default.svc, don't wait for aggregated availability
-
UPSTREAM: <carry>: watch-termination: termination.log file with restricted permissions
watch-termination uses lumberjack for logging. It creates permissive files by default (0644) and at the moment there is no way to specify permissions while creating a file; the only way to work around this is to create the file beforehand. This PR touches a file with restrictive permissions (0600) and relies on the fact that lumberjack respects and copies the permissions over if the file already exists.
-
UPSTREAM: <carry>: merge v3 openapi discovery and specs for special groups that have kinds that are served by both CRDs and external apiservers (eg openshift-apiserver)
This includes:
- authorization.openshift.io (rolebindingrestrictions served by a CRD)
- security.openshift.io (securitycontextconstraints served by a CRD)
- quota.openshift.io (clusterresourcequotas served by a CRD)
By merging all sources, we ensure that kinds served by a CRD will have openapi discovery and spec available even when openshift-apiserver is unavailable.
-
UPSTREAM: <carry>: selfsubjectaccessreview: grant user:full scope to self-SARs that have user:check-access
Otherwise, the request will inherit any scopes that an access token might have and the scopeAuthorizer will deny the access review if the scopes do not include user:full.
-
UPSTREAM: <carry>: retry etcd Unavailable errors
This commit renews openshift#327. What has changed compared to the original PR is:
- The retryClient interface has been adapted to storage.Interface.
- The isRetriableEtcdError method has been completely changed; it seems that previously the error we wanted to retry was not being retried. Even the unit tests were failing.
Overall, I still think this is not the correct fix. The proper fix should be added to the etcd client.
UPSTREAM: <carry>: retry etcd Unavailable errors
This is the second commit for the retry logic. This commit adds unit tests and slightly improves the logging. During a rebase squash with the previous one.
-
UPSTREAM: <carry>: Export cpu stats of ovs.slice via prometheus
When a PerformanceProfile configures a node for cpu partitioning, it also lets OVS use all the cpus available to burstable pods. To be able to do that, OVS was moved to its own slice and that slice needs to be re-added to cAdvisor for monitoring purposes.
-
UPSTREAM: <carry>: Do not allow nodes to set forbidden openshift labels
Signed-off-by: Harshal Patil <harpatil@redhat.com>
-
UPSTREAM: <carry>: advertise shared cpus for mixed cpus feature
Kubelet should advertise the shared cpus as extended resources. This has the benefit of limiting the number of containers that can request access to the shared cpus. For more information see openshift/enhancements#1396
Signed-off-by: Talor Itzhak <titzhak@redhat.com>
-
UPSTREAM: <carry>: add new admission for handling shared cpus
Adding a new mutation plugin that handles the following:
1. In case of a `workload.openshift.io/enable-shared-cpus` request, it adds an annotation to hint the runtime about the request. The runtime is not aware of extended resources, hence we need the annotation.
2. It validates the pod's QoS class and returns an error if it's not a guaranteed QoS class.
3. It validates that no more than a single resource is being requested.
4. It validates that the pod is deployed in a namespace that has the mixedcpus workloads allowed annotation.
For more information see openshift/enhancements#1396
Signed-off-by: Talor Itzhak <titzhak@redhat.com>
-
UPSTREAM: 122341: Fix CSI migration for vSphere volumes
Restore `migratedPlugins` entry for in-tree vSphere volumes and mark them as migrated. Otherwise the CSI volume plugin ignores in-tree vSphere volumes and they will never get attached / mounted by CSI migration. The entry in `migratedPlugins` was incorrectly removed during CSIMigrationvSphere feature gate removal.
-
UPSTREAM: <carry>: temporarily disable reporting e2e text bugs and enforce 2nd labeling to make tests work
-