[WIP] WRKLDS-1449: Rebase 1.31.0 #2055
Commits on Jul 23, 2024
-
Merge pull request kubernetes#126125 from mprahl/stop-idempotent
Allow calling Stop multiple times on RetryWatcher
Commit fc03f3e
-
[kube-proxy:nftables] cleanup: remove unused parameter and fix typo.
Signed-off-by: Nadia Pinaeva <[email protected]>
Commit dc13e42
-
[kube-proxy:nftables] Add partialSync mode to only transact changed objects.
Change the order of operations to stop current iteration if no changes to the service chains are needed. Bump syncProxy frequency to 1 hour.
In a test kind cluster creation of 10K services, 2 endpoints each, takes ~25m before the fix and ~9min after. Maximum memory usage during creation is ~650MiB and 260MiB respectively.
Another important metric is the time it takes to create 1 new service when 10K svc already exist. It used to take ~8m before the fix, with partialSync it takes ~141ms.
Signed-off-by: Nadia Pinaeva <[email protected]>
Commit 3ccf5b8
-
[kube-proxy:nftables] Add partial sync unit test.
Signed-off-by: Nadia Pinaeva <[email protected]>
Commit 2ec3929
-
PSA: allow procMount type Unmasked in baseline
a masked proc mount has traditionally been used to prevent untrusted containers from accessing leaky kernel APIs. However, within a user namespace, typical ID checks protect better than masked proc. Further, allowing unmasked proc with a user namespace gives access to a container mounting sub procs, which opens avenues for container-in-container use cases.
Update PSS for baseline to allow a container to access an unmasked /proc, if it's in a user namespace and if the UserNamespacesPodSecurityStandards feature is enabled.
Signed-off-by: Peter Hunt <[email protected]>
Commit 17521f0
-
PSA: small cleanups for tests that use RelaxPolicyForUserNamespacePods
make sure to cleanup after setting RelaxPolicyForUserNamespacePods
setup test variables to be a little more terse and similar between tests
cleanup Allowed checking
Signed-off-by: Peter Hunt <[email protected]>
Commit 7e750a6
-
Merge pull request kubernetes#124884 from carlory/report-event-when-kubelet-attach-failed
report an event to pod if kubelet does attach operation failed
Commit d7194eb
-
Merge pull request kubernetes#125257 from vinayakankugoyal/armor
KEP-24: Update AppArmor feature gates to GA stage.
Commit 7590cb7
-
Merge pull request kubernetes#126014 from PannagaRao/kep-ephemeral-storage-quota
pkg/volume/*: Enable quotas in user namespace
Commit a4f9910
-
Merge pull request kubernetes#126031 from harche/kubelet_cgroupv1_arg
KEP-4569: Kubelet option to disable cgroup v1 support
Commit fbdfb9d
-
Merge pull request kubernetes#126165 from haircommander/selinux-engine_t
PSA: allow container_engine_t selinux type
Commit 8e175c6
-
Merge pull request kubernetes#126205 from kwilczynski/feature/promote-4191-to-beta
KEP-4191: Split Image Filesystem promotion to Beta
Commit fe24ebf
-
Merge pull request kubernetes#126270 from stlaz/aggroapi-refactor
integration tests: split Wardle aggregation test API server running
Commit 77c3859
-
cap the num of nodes on the noSNAT test and remove slow and NoSNAT tag
run NoSNAT network test between pods without any feature tag
Commit 046e976
-
Commit b5c9496
-
DRA quota: unit test case for resource.k8s.io quota names
The names aren't actually special for validation. They are acceptable with and without the feature gate, the only difference is that they don't do anything when the feature is enabled.
Commit 1f43a80
-
DRA quota: add ResourceClaim v1.ResourceQuota limits
Dynamic resource allocation is similar to storage in the sense that users create ResourceClaim objects to request resources, same as with persistent volume claims. The actual resource usage is only known when allocating claims, but some limits can already be enforced at admission time:
  - "count/resourceclaims.resource.k8s.io" limits the number of ResourceClaim objects in a namespace; this is a generic feature that is already supported also without this commit.
  - "resourceclaims" is *not* an alias - use "count/resourceclaims.resource.k8s.io" instead.
  - <device-class-name>.deviceclass.resource.k8s.io/devices limits the number of ResourceClaim objects in a namespace such that the number of devices requested through those objects with that class does not exceed the limit.
A single request may cause the allocation of multiple devices. For exact counts, the quota limit is based on the sum of those exact counts. For requests asking for "all" matching devices, the maximum number of allocated devices per claim is used as a worst-case upper bound.
Requests asking for "admin access" contribute to the quota.
DRA quota: remove admin mode exception
Commit 299ecde
-
Update AppArmor e2e tests to use Pod field instead of annotations.
Signed-off-by: Vinayak Goyal <[email protected]>
Commit b580eb1
-
test/e2e/windows: drop securityContext test for ProcMount
Fixes kubernetes#126180
As the ProcMountType feature is disabled by default in beta and relies on the UserNamespacesSupport feature, which is also set to false in beta, running this test is unnecessary.
Signed-off-by: Sohan Kunkerkar <[email protected]>
Commit c5b01a3
-
Merge pull request kubernetes#121902 from carlory/kep-3751-pv-controller
[kep-3751] pvc bind pv with vac
Commit a00181d
-
Merge pull request kubernetes#126013 from npinaeva/nft-incremental
[kube-proxy: nftables] Implement partial sync.
Commit 4259096
-
Merge pull request kubernetes#126047 from cpanato/upgrade-go-123
[go] Bump images, dependencies and versions to go 1.23rc2
Commit 67c7e77
-
Merge pull request kubernetes#126201 from aroradaman/revert-debug-steps
Revert debug steps and logs for kubernetes#123760
Commit 9c2302d
-
Merge pull request kubernetes#126293 from aroradaman/kube-proxy-refactor-internal-config
Kube proxy refactor internal config
Commit 6834a1e
-
Job: Use type parameters instead of type casting for the ptr libraries
Signed-off-by: Yuki Iwai <[email protected]>
Commit 25c2731
-
Merge pull request kubernetes#120611 from pohly/dra-resource-quotas
DRA: resource quotas
Commit 05bb5f7
-
Merge pull request kubernetes#124061 from Jefftree/conversion-webhook-invalidca
Validate CABundle when writing CRD
Commit 04d2f33
-
Merge pull request kubernetes#124530 from sttts/sttts-controlplane-plumbing-split
Step 12 - Add generic controlplane example
Commit e83fca8
-
Merge pull request kubernetes#124819 from carlory/add-warning-MountOptionAnnotation
mark volume.beta.kubernetes.io/mount-options as deprecated
Commit 13d9d7c
-
Merge pull request kubernetes#126163 from haircommander/procMount-baseline
PSA: allow procMount type Unmasked in baseline
Commit c01bc31
-
Add labels to PVCollector bound/unbound PVC metrics for VolumeAttributesClass Feature (kubernetes#126166)
* Add labels to PVCollector bound/unbound PVC metrics
* fixup! Add labels to PVCollector bound/unbound PVC metrics
* wip: Fix 'Unknown Decorator'
* fixup! Add labels to PVCollector bound/unbound PVC metrics
Commit 16c2ad5
-
Merge pull request kubernetes#126291 from haircommander/proc-mount-disable
disable ProcMountType by default
Commit ad80538
-
Merge pull request kubernetes#126108 from gnufied/changes-volume-recovery
Reduce state changes when expansion fails and mark certain failures as infeasible
Commit 107f621
-
Merge pull request kubernetes#126145 from carlory/kep-3751-api
[KEP-3751] Promote VolumeAttributesClass to beta
Commit c2fdeca
-
Add KUBE_EMULATED_VERSION env variable to set the emulated-version of scheduler and controller manager.
Signed-off-by: Siyuan Zhang <[email protected]>
Commit e79d20d
-
Co-authored-by: Kevin Klues <[email protected]>
Commit 59daed7
-
Commit 35fbbc5
-
Commit 59555c6
-
Commit ac2c450
-
Commit c0d922e
-
Merge pull request kubernetes#126182 from sohankunkerkar/fix-procmount
test/e2e/windows: drop securityContext test for ProcMount
Commit 320f1ab
-
Merge pull request kubernetes#126281 from saschagrunert/oci-volume-docs
[KEP-4639] Mention that `fsGroupChangePolicy` has no effect
Commit f93fe41
-
Merge pull request kubernetes#126290 from tenzen-y/use-type-parameters-instead-of-casting
Job: Use type parameters instead of type casting for the ptr libraries
Commit 2a372a9
-
Merge pull request kubernetes#125935 from gjkim42/fix-125880
Terminate restartable init containers ignoring not-started containers
Commit fa4b8f3
-
Allowing direct CEL reserved keyword usage in CRD (kubernetes#126188)
* automatically escape reserved keywords for direct usage
* Add reserved keyword support in a ratcheting way, add tests.
---------
Co-authored-by: Wenxue Zhao <[email protected]>
Commit a48a92c
-
Merge pull request kubernetes#126298 from vinayakankugoyal/apparmortest
Update AppArmor e2e tests to use both containers[*].securityContext.appArmorProfile field and annotations.
Commit 1353c08
Commits on Jul 24, 2024
-
Commit 16e8911
-
Commit 2253b53
-
Commit 3790ee2
-
Commit 62f96d2
-
Merge pull request kubernetes#119019 from gjkim42/add-e2e-node-test-restarting-the-kubelet
Add node serial e2e tests that simulate the kubelet restart
Commit 638128e
-
Merge pull request kubernetes#122628 from sanposhiho/pod-smaller-events
add(scheduler/framework): implement smaller Pod update events
Commit 39a8079
-
Merge pull request kubernetes#126303 from bart0sh/PR150-dra-refactor-checkpoint-upstream
DRA: refactor checkpointing
Commit d97cf3a
-
Merge pull request kubernetes#126306 from siyuanfoundation/env-var
Add KUBE_EMULATED_VERSION env variable to set the emulated-version of scheduler and controller manager.
Commit 59776b5
-
Merge pull request kubernetes#126308 from cici37/hotFix
Update with stdlib errors
Commit 49ff255
-
Merge pull request kubernetes#126243 from SergeyKanzhelev/devicePluginFailures
Implement resource health in pod status (KEP 4680)
Commit 5af1710
-
Merge pull request kubernetes#126294 from aojea/nosnat
e2e test for No SNAT
Commit c75e30d
-
Merge pull request kubernetes#124430 from AllenXu93/fix-kubelet-restart-notReady
fix node notReady in first sync period after kubelet restart
Commit 57d197f
-
Commit c4851c6
-
Fix runtime panic in imagevolume `CanSupport` method
The following tests are failing right now:
  - ci-kubernetes-e2e-ec2-alpha-enabled-default
  - ci-kubernetes-e2e-gci-gce-alpha-enabled-default
Because of:
```
goroutine 347 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic({0x33092b0, 0x4d6ed00}, {0x296a7e0, 0x4c20c10})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:107 +0xbc
k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x33092b0, 0x4d6ed00}, {0x296a7e0, 0x4c20c10}, {0x4d6ed00, 0x0, 0x1000000004400a5?})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:82 +0x5e
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc000517be8?})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:59 +0x108
panic({0x296a7e0?, 0x4c20c10?})
    runtime/panic.go:770 +0x132
k8s.io/kubernetes/pkg/volume/image.(*imagePlugin).CanSupport(0xc00183d140?, 0xc0006a2600?)
    k8s.io/kubernetes/pkg/volume/image/image.go:52 +0x3
k8s.io/kubernetes/pkg/volume.(*VolumePluginMgr).FindPluginBySpec(0xc0008a1388, 0xc000f7ddb8)
    k8s.io/kubernetes/pkg/volume/plugins.go:637 +0x208
k8s.io/kubernetes/pkg/kubelet/volumemanager/cache.(*desiredStateOfWorld).AddPodToVolume(0xc000517bc0, {0xc000e94a50, 0x24}, 0xc00172b208, 0xc000f7ddb8, {0xc0017892a0, 0xe}, {0xc000a4d6ec, 0x3}, {0xc000978af0, ...})
    k8s.io/kubernetes/pkg/kubelet/volumemanager/cache/desired_state_of_world.go:270 +0xf2
k8s.io/kubernetes/pkg/kubelet/volumemanager/populator.(*desiredStateOfWorldPopulator).processPodVolumes(0xc0003e6700, 0xc00172b208, 0xc00183ddd8)
    k8s.io/kubernetes/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator.go:319 +0x685
k8s.io/kubernetes/pkg/kubelet/volumemanager/populator.(*desiredStateOfWorldPopulator).findAndAddNewPods(0xc0003e6700)
    k8s.io/kubernetes/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator.go:204 +0x2dc
k8s.io/kubernetes/pkg/kubelet/volumemanager/populator.(*desiredStateOfWorldPopulator).populatorLoop(0xc0003e6700)
    k8s.io/kubernetes/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator.go:173 +0x18
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc000905eb0?)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:226 +0x33
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc00183df70, {0x32d7340, 0xc000a7be60}, 0x1, 0xc0000b2660)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:227 +0xaf
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc000f8bf70, 0x5f5e100, 0x0, 0x1, 0xc0000b2660)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:204 +0x7f
k8s.io/apimachinery/pkg/util/wait.Until(...)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:161
k8s.io/kubernetes/pkg/kubelet/volumemanager/populator.(*desiredStateOfWorldPopulator).Run(0xc0003e6700, {0x32e3228, 0xc000b3faa0}, 0xc0000b2660)
    k8s.io/kubernetes/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator.go:158 +0x1a5
created by k8s.io/kubernetes/pkg/kubelet/volumemanager.(*volumeManager).Run in goroutine 335
    k8s.io/kubernetes/pkg/kubelet/volumemanager/volume_manager.go:286 +0x14f
```
Fixes kubernetes#126317
Signed-off-by: Sascha Grunert <[email protected]>
Commit a43cc08
-
Merge pull request kubernetes#125087 from carlory/volumeoptions
remove volumeoptions from VolumePlugin and BlockVolumePlugin
Commit a145f15
-
Merge pull request kubernetes#126323 from saschagrunert/image-volume-runtime-panic
Fix runtime panic in imagevolume `CanSupport` method
Commit ceb58a4
-
Add `ImageVolumeSource` e2e tests
Signed-off-by: Sascha Grunert <[email protected]>
Commit bc45288
-
Merge pull request kubernetes#126220 from saschagrunert/image-volumesource-e2e
[KEP-4639] Add `ImageVolumeSource` node e2e tests
Commit ab470aa
-
Commit 3999b98
-
Commit e3e56eb
-
Commit 9b16b0d
-
Commit b5a62f1
-
Commit c47ff1e
-
Commit e0c6987
-
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 68226b0
-
Commit fac7581
-
Commit 42678f1
-
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit a64418b
-
Commit e1ea24a
-
Commit 6407f32
-
Review feedback: handle non-kube strategy correctly
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 15affef
-
Review feedback: fix context handling in LeaseCandidateGCController
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit a738daa
-
Commit 0c774d0
-
Commit 919e7ab
-
Commit 56b278d
-
Commit 3e642ae
-
Merge pull request kubernetes#126242 from bzsuni/bz/etcd/build/v3.5.15
Build etcd image of v3.5.15
Commit 696ad19
-
Merge pull request kubernetes#126335 from kannon92/split-filesystem-fix
[KEP-4191]: Move container fs check so that we only check if system is split
Commit df69a52
-
Relax noise margin in TestOneWeightedHistogram
Signed-off-by: Mike Spreitzer <[email protected]>
Commit 77541c1
-
Merge pull request kubernetes#126274 from ConnorJC3/flaky-vac-test
De-flake VAC tests by returning new PVC from WaitForVolumeModification
Commit 6ac2067
Commits on Jul 25, 2024
-
Update etcd from v3.5.14 to v3.5.15
Signed-off-by: bzsuni <[email protected]>
Commit 4ad2cd9
-
Merge pull request kubernetes#126282 from macsko/fix_scheduler_perf_tests_taking_too_long
Init etcd and apiserver per test case in scheduler_perf integration tests
Commit b95f9c3
-
kube-proxy: internal config: fuzz cidr values for unit tests
Signed-off-by: Daman Arora <[email protected]>
Commit 5359098
-
Commit bdb51f2
-
set LocalStorageCapacityIsolationFSQuotaMonitoring to false by default
as the feature relies on UserNamespaces support, which is also off by default. Having it on by default won't do anything negative, except adding some needless checks as to whether the pod has hostUsers==true (impossible without the feature gate)
Signed-off-by: Peter Hunt <[email protected]>
Commit eeae981
-
Commit 087134c
-
Commit 08a74f2
-
I was working on updating a dependency, and noticed that running hack/update-vendor.sh resulted in a diff. Committing the result as a PR.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Commit aeb6074
-
Merge pull request kubernetes#126353 from liggitt/fix-vendor
Fix verify-vendor script to check all go.mod and go.sum files
Commit 9edabd6
-
Merge pull request kubernetes#124101 from haircommander/process_stats-with-pid-fix
kubelet: fix PID based eviction
Commit e9d9a82
-
Merge pull request kubernetes#124012 from Jefftree/le-controller
Coordinated Leader Election
Commit 5f5c02d
-
Merge pull request kubernetes#126324 from pacoxu/v1beta4-typo
fix a typo in kubeadm v1beta4 doc
Commit 9a16c96
-
Merge pull request kubernetes#126355 from haircommander/fs-quotas-false
set LocalStorageCapacityIsolationFSQuotaMonitoring to false by default
Commit c853ca4
-
Merge pull request kubernetes#126356 from pacoxu/fix-etcd-build-windows
add workdir in etcd Dockerfile for windows
Commit b4dcbbe
-
Merge pull request kubernetes#126333 from aroradaman/master
kube-proxy: internal config: fuzz cidr values for unit tests
Commit bee5e03
Commits on Jul 26, 2024
-
kube-apiserver/leaderelection: remove broken printf
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 87f4044
-
Merge pull request kubernetes#126377 from sttts/sttts-cle-fix-TestPickBestStrategy
kube-apiserver/leaderelection: remove broken printf
Commit f44f7b7
-
Commit b98817c
-
Commit 92e62bf
-
Merge pull request kubernetes#126240 from bzsuni/bz/etcd/update/v3.5.15
Update etcd to v3.5.15
Commit 3a8a60e
-
Commit a1bbae8
-
Merge pull request kubernetes#125674 from flavianmissi/builds-doc
build: fix README instructions to load the output image tar
Commit 86e2e26
[sample-apiserver] Fix: Use Correct Effective Version for kube (kubernetes#125941)
* Fix slice copy of VersionedSpecs in FeatureGate.
Signed-off-by: Siyuan Zhang <[email protected]>
* Update wardle to kube version mapping
Signed-off-by: Siyuan Zhang <[email protected]>
Signed-off-by: Feilian Xie <[email protected]>
Co-authored-by: Feilian Xie <[email protected]>
* Add cap to wardleEmulationVersionToKubeEmulationVersion.
Signed-off-by: Siyuan Zhang <[email protected]>
* Add integration test for default BanFlunder behavior in version 1.2 without Wardle feature gate.
Signed-off-by: Siyuan Zhang <[email protected]>
---------
Signed-off-by: Siyuan Zhang <[email protected]>
Signed-off-by: Feilian Xie <[email protected]>
Co-authored-by: Siyuan Zhang <[email protected]>
Commit ebdca53
Merge pull request kubernetes#126386 from kannon92/126367-device-plugin-label
fix resource health status test failures in unlabeled jobs
Commit 250f7b5
Commits on Jul 27, 2024
Call non-blocking informerFactory.Start synchronously to avoid races
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit c7a1fa4
informers: add comment that Start does not block
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit cd69335
Merge pull request kubernetes#126405 from sttts/sttts-sync-informerfactory-start
Call non-blocking informerFactory.Start synchronously to avoid races
Commit ba6141a
kube-apiserver/leaderelection/test: fixing waiting for informer
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 8c971c5
kube-apiserver/leaderelection/tests: use fake clock
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit b8045f9
kube-apiserver/leaderelection/tests: fix test case PingTime should be ahead of RenewTime
Commit f173f0c
Merge pull request kubernetes#126344 from MikeSpreitzer/fix-120112
Relax noise margin in TestOneWeightedHistogram
Commit 2aa468c
Merge pull request kubernetes#126407 from Jefftree/fake-clock
Fix unit flake in leaderelection/TestReconcileElectionStep
Commit a2106b5
Commits on Jul 29, 2024
kube-apiserver/leaderelection: remove klog noise
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit b13aab9
kube-apiserver/leaderelection/test: clean up controller test
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 3987d85
Revert "Bump images, dependencies and versions to go 1.23rc2"
This reverts commit 9d5a7ff.
Commit c203b12
Revert "Bump images, dependencies and versions to go 1.23rc1"
This reverts commit 5c269fe.
Commit d1dfeed
Revert distroless-iptables from v0.6.1 to v0.5.6
This commit will revert the distroless-iptables version from v0.6.1(built on go1.23rc2) to v0.5.6(built on go1.22.5).
Signed-off-by: ArkaSaha30 <[email protected]>
Commit aa28bd6
Commit 78d3830
Commit 9ee99a9
Merge pull request kubernetes#126330 from ArkaSaha30/revert-to-go1.22
Revert to go1.22.5
Commit 05934d6
Merge pull request kubernetes#126428 from sttts/sttts-cle-controller-test
kube-apiserver/leaderelection/test: clean up controller test
Commit 7a4c962
Fix kubelet cadvisor stats runtime panic
Fixing a kubelet runtime panic when the runtime returns incomplete data:
```
E0729 08:17:47.260393 5218 panic.go:115] "Observed a panic" panic="runtime error: index out of range [0] with length 0" panicGoValue="runtime.boundsError{x:0, y:0, signed:true, code:0x0}" stacktrace=<
goroutine 174 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic({0x33631e8, 0x4ddf5c0}, {0x2c9bfe0, 0xc000a563f0})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:107 +0xbc
k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x33631e8, 0x4ddf5c0}, {0x2c9bfe0, 0xc000a563f0}, {0x4ddf5c0, 0x0, 0x10000000043c9e5?})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:82 +0x5e
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc000ae08c0?})
    k8s.io/apimachinery/pkg/util/runtime/runtime.go:59 +0x108
panic({0x2c9bfe0?, 0xc000a563f0?})
    runtime/panic.go:785 +0x132
k8s.io/kubernetes/pkg/kubelet/stats.(*cadvisorStatsProvider).ImageFsStats(0xc000535d10, {0x3363348, 0xc000afa330})
    k8s.io/kubernetes/pkg/kubelet/stats/cadvisor_stats_provider.go:277 +0xaba
k8s.io/kubernetes/pkg/kubelet/images.(*realImageGCManager).GarbageCollect(0xc000a3c820, {0x33631e8?, 0x4ddf5c0?}, {0x0?, 0x0?, 0x4dbca20?})
    k8s.io/kubernetes/pkg/kubelet/images/image_gc_manager.go:354 +0x1d3
k8s.io/kubernetes/pkg/kubelet.(*Kubelet).StartGarbageCollection.func2()
    k8s.io/kubernetes/pkg/kubelet/kubelet.go:1472 +0x58
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x30?)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:226 +0x33
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc000add110, {0x3330380, 0xc000afa300}, 0x1, 0xc0000ac150)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:227 +0xaf
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc000add110, 0x45d964b800, 0x0, 0x1, 0xc0000ac150)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:204 +0x7f
k8s.io/apimachinery/pkg/util/wait.Until(...)
    k8s.io/apimachinery/pkg/util/wait/backoff.go:161
created by k8s.io/kubernetes/pkg/kubelet.(*Kubelet).StartGarbageCollection in goroutine 1
    k8s.io/kubernetes/pkg/kubelet/kubelet.go:1470 +0x247
```
This commit fixes panics if:
- `len(imageStats.ImageFilesystems) == 0`
- `len(imageStats.ContainerFilesystems) == 0`
- `imageStats.ImageFilesystems[0].FsId == nil`
- `imageStats.ContainerFilesystems[0].FsId == nil`
- `imageStats.ImageFilesystems[0].UsedBytes == nil`
- `imageStats.ContainerFilesystems[0].UsedBytes == nil`
It also fixes the wrapped `nil` error for the check: `err != nil || imageStats == nil` in case that `imageStats == nil`.
Signed-off-by: Sascha Grunert <[email protected]>
Commit 50e430b
Rename kubelet CSR admission feature gate
Retitle the feature to the affirmative ("AllowInsecure...=false") instead of a double-negative ("Disable$NEWTHING...=false") for clarity
Signed-off-by: Micah Hausler <[email protected]>
Commit a7af830
Merge pull request kubernetes#126441 from micahhausler/kubelet-cert-feature-gate-rename
Rename kubelet CSR admission feature gate
Commit aab56e9
Merge pull request kubernetes#126429 from saschagrunert/kubelet-panic
Fix kubelet cadvisor stats runtime panic
Commit e8588e6
Commit d092513
Merge pull request kubernetes#126427 from pacoxu/fix-TestUpdateAllocatedResourcesStatus
ignore order of containers status allocated resources
Commit b5b2171
Commits on Jul 30, 2024
Merge pull request kubernetes#126431 from pacoxu/device-plugin-falures-pod-status
skip if ResourceHealthStatus is disabled
Commit 17d7d28
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Commit 634c9cd
Merge pull request kubernetes#126446 from Jefftree/fix-leaderelection-flake-testcontroller
Use fake clock for controller/leaderelection:TestController
Commit 0fc1671
Commit 11ace3a
Commit 3596256
Commit c838004
Merge pull request kubernetes#126467 from serathius/fallback
Implement fallback for consistent reads from cache
Commit 974f3d3
Move ConsistentListFromCache to Beta default again
This reverts commit aeb51a1.
Commit 2ca56aa
Commits on Jul 31, 2024
kube-up.sh: drop unnecessary legacy mirror config, enable injecting registry.k8s.io mirror
Commit d0ced54
Merge pull request kubernetes#126470 from benluddy/apiservingwithroutine-alpha-disabled
Move APIServingWithRoutine to alpha and disabled by default.
Commit f9d2297
Merge pull request kubernetes#126448 from BenTheElder/5k-mirror
kube-up.sh: drop unnecessary legacy mirror config, enable injecting registry mirror
Commit 2a1d417
Commit 9413cf2
Commit f72233c
Merge pull request kubernetes#126469 from serathius/beta2
Move ConsistentListFromCache to Beta default again
Commit eb729d1
Commit 93a10a7
Make object transformation concurrent to remove watch cache scalability issue for conversion webhook
Test by enabling consistent list from cache in storage version migrator stress test that uses conversion webhook that bottlenecks events coming to watch cache. Set concurrency to 10, based on maximum/average transform latency when running stress test. In my testing max was about 60-100ms, while average was 6-10ms.
Commit bb686f2
Commit 8855ca8
releng: update publishing bot rules for 1.31
Signed-off-by: mehabhalodiya <[email protected]>
Commit 017d7b8
Merge pull request kubernetes#126329 from serathius/concurrent-transformation-chan-of-chan
[chan of chan] Make object transformation concurrent to remove watch cache scalability issue for conversion webhook
Commit c19d9ed
Merge pull request kubernetes#126489 from mehabhalodiya/bump-publishing-131
releng: update publishing bot rules for 1.31
Commit f8d5b20
Commit cb08f03
Commits on Aug 1, 2024
Merge pull request kubernetes#126383 from Shubham82/correct_comment_for_StableLoadBalancerNodeSet
Update the Comment for StableLoadBalancerNodeSet Feature Gate.
Commit dbc2b0a
Commit 12cc220
Commits on Aug 3, 2024
[kube-proxy] add log verbosity to endpoint topology hint loop - Take 2
Signed-off-by: Davanum Srinivas <[email protected]>
Commit 4fc6d8d
Merge pull request kubernetes#126519 from dims/bjhaid-bjhaid-topology-verbosity-take-2
[kube-proxy] add log verbosity to endpoint topology hint loop - Take 2
Commit 00236ae
Commits on Aug 4, 2024
Commit 1d1cc29
Commits on Aug 6, 2024
Commit 7734673
Commit a24dafa
Commit 60c4c2b
Commit 3ea0248
Commits on Aug 12, 2024
Commit fad6c42
Merge pull request kubernetes#126638 from soltysh/fix_wait
wait: don't lowercase condition in --for argument
Commit 099a883
Commit 57846e1
Commits on Aug 13, 2024
Commit 9edcffc
Commits on Sep 13, 2024
Commit 72bbd13
UPSTREAM: 74956: apiserver: switch authorization to use protobuf client
OpenShift-Rebase-Source: 29eea3c
Commit 990b41a
UPSTREAM: 93286: wait for apiservices on startup
OpenShift-Rebase-Source: 5a2488c
Commit f521823
UPSTREAM: <carry>: filter out CustomResourceQuota paths from OpenAPI
UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI
UPSTREAM: <carry>: filter out RBR and SCC paths from OpenAPI
Revise as per openshift/kubernetes-apiserver#12
OpenShift-Rebase-Source: 26005f1
Commit e7cff88
UPSTREAM: <carry>: patch aggregator to allow delegating resources
UPSTREAM: <carry>: prevent apiservice registration by CRD controller when delegating
UPSTREAM: <carry>: prevent CRD registration from fighting with APIServices
UPSTREAM: <carry>: always delegate namespaced resources
OpenShift-Rebase-Source: d4cd0ba
Commit ea724f8
UPSTREAM: <carry>: remove apiservice from sync in CRD registration when it exists
OpenShift-Rebase-Source: 1a1d469
Commit 8828bdf
UPSTREAM: <carry>: hardcoded restmapper with a few entries to rebootstrap SDN when SDN is down
UPSTREAM: <carry>: use hardcoded rest mapper from library-go
OpenShift-Rebase-Source: a00f75d
Commit 4b15d01
UPSTREAM: <carry>: Extend NodeLogQuery feature
Extend the NodeLogQuery feature to support oc adm node-logs options:
- Default NodeLogQuery feature gate to true
- Add support for --since, --until, --case-sensitive, --output, options
UPSTREAM: <carry>: Extend NodeLogQuery feature
Fix handling of the "until" parameter when generating the journalctl command. This was incorrectly being passed with the "since" value.
Commit 5a6b52e
UPSTREAM: <carry>: kube-controller-manager: add service serving cert signer to token controller
:100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go
OpenShift-Rebase-Source: 891b28f
Commit faff1f5
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: (squash) remove egressnetworkpolicies from gc ignored resources
egressnetworkpolicies should not be in garbage collector ignored resources, so users can delete them using "--cascade=foreground" flag.
Signed-off-by: Flavio Fernandes <[email protected]>
OpenShift-Rebase-Source: 6c1dee4
UPSTREAM: <carry>: (squash) kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
UPSTREAM: <carry>: kube-controller-manager: allow running bare kube-controller-manager
Fix garbage-collection for CRDs. These types are backed by a CRD and not by openshift-apiserver anymore. DefaultGarbageCollectionPolicy (Unsupported) does not work with CRDs. The `foregroundDeletion` finalizer was set on these CRD objects which blocks deletion indefinitely as GC will ignore these resources.
Commit 5836ed3
UPSTREAM: <carry>: kube-controller-manager: exclude some origin resources from quota
OpenShift-Rebase-Source: 7d2a074
Commit 72ff444
UPSTREAM: <carry>: kube-apiserver: add our immortal namespaces directly to admission plugin
OpenShift-Rebase-Source: dd3aeca
Commit d57293b
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs
UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name
UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets
UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector
UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens
UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens
UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix
UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator
UPSTREAM: <drop>: remove the openshift authenticator from the apiserver
In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove.
UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true
When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work
UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function
UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring
UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile
UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec
UPSTREAM: <carry>: stop overriding flags that are explicitly set
UPSTREAM: <carry>: add readyz check for openshift apiserver availability
UPSTREAM: <carry>: wait for oauth-apiserver accessibility
UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests
The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that:
1. are in an allowed namespace
2. and have the workload annotation.
It also sets the new management resource request and limit and set resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703
Conditions for CPUs requests deletion:
1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
4. The CPU request deletion will not change the pod QoS class
UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster
Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check.
UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit
Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit.
UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type
It is possible a race condition between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology.
UPSTREAM: <carry>: add CRD validation for dnses
Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters.
This commit fixes bug 1967745.
https://bugzilla.redhat.com/show_bug.cgi?id=1967745
* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file.
(PluginName): New const.
(Register): New function. Register the plugin.
(toDNSV1): New function. Convert a runtime object to a versioned DNS.
(dnsV1): New type to represent a runtime object that is validated as a versioned DNS.
(ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers.
(validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper.
(validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper.
(validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations.
(validateTolerations): New function. Validate a slice of corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file.
(TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs.
(TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs.
* vendor/*: Regenerate.
UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure
UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis
UPSTREAM: <carry>: verify required http2 cipher suites
In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for further information.
UPSTREAM: <carry>: drop the warning to use --keep-annotations
When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass `--keep-annotations` parameter to the debug command.
UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case
During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install.
UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled
UPSTREAM: <carry>: use new access token inactivity timeout field.
UPSTREAM: <carry>: apirequestcount validation
UPSTREAM: <carry>: Added config node object validation for extreme latency profiles
UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well
Moved SkipSystemMasterAuthorizers to the authorizer.
UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.
UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes.
UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes.
Signed-off-by: Artyom Lukianov <[email protected]>
Signed-off-by: Damien Grisonnet <[email protected]>
Signed-off-by: Swarup Ghosh <[email protected]>
OpenShift-Rebase-Source: 932411e
OpenShift-Rebase-Source: 1899555
OpenShift-Rebase-Source: 453583e
OpenShift-Rebase-Source: bf7e23e
UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin
The CSIInlineVolumeSecurity admission plugin inspects inline CSI volumes on pod creation and compares the security.openshift.io/csi-ephemeral-volume-profile label on the CSIDriver object to the pod security profile on the namespace.
OpenShift-Rebase-Source: a65c34b
UPSTREAM: <carry>: add icsp,idms,itms validation reject creating icsp with idms/itms exist
Reject icsp with idms.itms resources exists. According to the discussion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing, one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster.
Signed-off-by: Qi Wang <[email protected]>
UPSTREAM: <carry>: node admission plugin for cpu partitioning
The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative. This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning For more information see - openshift/enhancements#1213
Signed-off-by: ehila <[email protected]>
UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver options
UPSTREAM: <carry>: kube-apiserver: allow rewiring
OpenShift-Rebase-Source: 56b49c9
OpenShift-Rebase-Source: bcf574c
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
initialize DefaultComponentGlobalsRegistry after feature gates have been parsed from the config
Commit a935625
UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apiserver code
UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs
UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name
UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets
UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector
UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens
UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens
UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix
UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator
UPSTREAM: <drop>: remove the openshift authenticator from the apiserver
In 4.8, we moved the authenticator to be configured via webhookTokenAuthenticators to an endpoint in the oauth-apiserver, this should now be safe to remove.
UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true
When PodAffinityNamespaceSelector goes to beta or GA this might affect how our ClusterResourceQuota might work
UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function
UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring
UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile
UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec
UPSTREAM: <carry>: stop overriding flags that are explicitly set
UPSTREAM: <carry>: add readyz check for openshift apiserver availability
UPSTREAM: <carry>: wait for oauth-apiserver accessibility
UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests
The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource. It applies to all pods that:
1. are in an allowed namespace
2. and have the workload annotation.
It also sets the new management resource request and limit and set resource annotation that CRI-O can recognize and apply the relevant changes. For more information, see - openshift/enhancements#703
Conditions for CPUs requests deletion:
1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
4. The CPU request deletion will not change the pod QoS class
UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster
Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster and in case if the pod runs on top of regular cluster, exit before node existence check.
UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit
Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit.
UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type
It is possible a race condition between pod creation and the update of the infrastructure resource status with correct values under Status.ControlPlaneTopology and Status.InfrastructureTopology.
UPSTREAM: <carry>: add CRD validation for dnses
Add an admission plugin that validates the dnses.operator.openshift.io custom resource. For now, the plugin only validates the DNS pod node-placement parameters.
This commit fixes bug 1967745. https://bugzilla.redhat.com/show_bug.cgi?id=1967745
* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go (init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go (AllCustomResourceValidators, RegisterCustomResourceValidation): Register the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go: New file. (PluginName): New const. (Register): New function. Register the plugin. (toDNSV1): New function. Convert a runtime object to a versioned DNS. (dnsV1): New type to represent a runtime object that is validated as a versioned DNS. (ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods. Implement the ObjectValidator interface, using the validateDNSSpecCreate and validateDNSSpecUpdate helpers. (validateDNSSpecCreate, validateDNSSpecUpdate): New functions. Validate a DNS, using the validateDNSSpec helper. (validateDNSSpec): New function. Validate the spec field of a DNS, using the validateDNSNodePlacement helper. (validateDNSNodePlacement): New function. Validate the node selector and tolerations in a DNS's node-placement parameters, using validateTolerations. (validateTolerations): New function. Validate a slice of corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go: New file. (TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS specs. (TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS specs.
* vendor/*: Regenerate.
UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure
UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis
UPSTREAM: <carry>: verify required http2 cipher suites
In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for further information.
UPSTREAM: <carry>: drop the warning to use --keep-annotations
When a user runs the `oc debug` command for the pod with the management resource, we will inform him that he should pass `--keep-annotations` parameter to the debug command.
UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case
During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related fields under the infrastructure can be empty because the old API does not support them. The code will equal the empty infrastructure section with the current one. When the status has some other non-empty field, and topology fields are empty, we assume that the cluster currently passes via roll-back and not via the clean install.
UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled
UPSTREAM: <carry>: use new access token inactivity timeout field.
UPSTREAM: <carry>: apirequestcount validation
UPSTREAM: <carry>: Added config node object validation for extreme latency profiles
UPSTREAM: <carry>: Add Upstream validation in the DNS admission check patches
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well
Moved SkipSystemMasterAuthorizers to the authorizer.
UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.
UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes.
UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes.
Signed-off-by: Artyom Lukianov <[email protected]>
Signed-off-by: Damien Grisonnet <[email protected]>
Signed-off-by: Swarup Ghosh <[email protected]>
OpenShift-Rebase-Source: 932411e
OpenShift-Rebase-Source: 1899555
OpenShift-Rebase-Source: 453583e
OpenShift-Rebase-Source: bf7e23e
UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin
The CSIInlineVolumeSecurity admission plugin inspects inline CSI volumes on pod creation and compares the security.openshift.io/csi-ephemeral-volume-profile label on the CSIDriver object to the pod security profile on the namespace.
OpenShift-Rebase-Source: a65c34b
UPSTREAM: <carry>: add icsp,idms,itms validation reject creating icsp with idms/itms exist
Reject icsp with idms.itms resources exists. According to the discussion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing, one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster.
UPSTREAM: <carry>: node admission plugin for cpu partitioning
The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative. This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning
For more information see - openshift/enhancements#1213
UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver options
UPSTREAM: <carry>: kube-apiserver: allow rewiring
OpenShift-Rebase-Source: 56b49c9
OpenShift-Rebase-Source: bcf574c
UPSTREAM: <carry>: STOR-1270: Admission plugin to deny deletion of storages.operator.openshift.io
UPSTREAM: <carry>: support for both icsp and idms objects
Revert: openshift#1310 Add support for ICSP and IDMS objects living at the same time.
UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apiserver code
UPSTREAM: <carry>: featureset validation moved to CEL
UPSTREAM: <carry>: Add context to ObjectValidator
TODO: add router validation logic to implement ctx add in ObjectValidator
UPSTREAM: <carry>: loosen authentication.spec.type validation
UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches
pod .spec.nodeName should not override project node selector in podNodeEnvironment admission plugin
UPSTREAM: <carry>: Fix sets.String and sets.Set[string] type mismatch
library-go uses the generic Set while upstream still uses the deprecated sets.String in some part of its codes.
UPSTREAM: <carry>: Add RouteExternalCertificate validation in Route ObjectValidator
UPSTREAM: <carry>: Fix incorrect type casting in admission validate_apiserver
UPSTREAM: <carry>: react to library-go changes
UPSTREAM: <carry>: Update RouteExternalCertificate validation in Route ObjectValidator
UPSTREAM: <carry>: APIRequestCount Handler
OpenShift-Rebase-Source: 4d74b77
Commit adfd458
UPSTREAM: <carry>: kube-apiserver: priorize some CRD groups over others
OpenShift-Rebase-Source: 2260f01
Commit afa3dff
UPSTREAM: <carry>: kube-apiserver: wire through isTerminating into handler chain
UPSTREAM: <carry>: use lifeCycleSignals for isTerminating
OpenShift-Rebase-Source: a736659
Commit f6ee327
UPSTREAM: <carry>: create termination events
UPSTREAM: <carry>: apiserver: log new connections during termination
UPSTREAM: <carry>: apiserver: create LateConnections events on events in the last 20% of graceful termination time
UPSTREAM: <carry>: apiserver: log source in LateConnections event
UPSTREAM: <carry>: apiserver: skip local IPs and probes for LateConnections
UPSTREAM: <carry>: only create valid LateConnections/GracefulTermination events
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: apiserver: create hasBeenReadyCh channel
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: kube-apiserver: log non-probe requests before ready
UPSTREAM: <carry>: fix termination event(s) validation failures
UPSTREAM: <carry>: during the rebase collapse to create termination event
it makes recording termination events a non-blocking operation. previously closing delayedStopCh might have been delayed on preserving data in the storage. the delayedStopCh is important as it signals the HTTP server to start the shutdown procedure. it also sets a hard timeout of 3 seconds for the storage layer since we are bypassing the API layer.
UPSTREAM: <carry>: rename termination events to use lifecycleSignals
OpenShift-Rebase-Source: 15b2d2e
UPSTREAM: <carry>: extend termination events
- we tie the shutdown events with the UID of the first (shutdown initiated), this provides us with a more deterministic way to compute shutdown duration from these events
- move code snippets from the upstream file to openshift specific patch file, it reduces chance of code conflict
Commit 5ce6921
UPSTREAM: <carry>: bootstrap-rbac-policy: move over .well-known rules
OpenShift-Rebase-Source: 439ec41
Commit 178adb5
UPSTREAM: <carry>: warn only about unknown feature gates
OpenShift-Rebase-Source: a137009
Commit 0ebf8b8
UPSTREAM: <carry>: disable AES24, not supported by FIPS
OpenShift-Rebase-Source: b9a8eb6
Commit 620b711
UPSTREAM: <carry>: Remove excessive e2e logging
UPSTREAM: <carry>: Remove a redundant output in the tests
This line is not necessary for our test usage and should not be an issue in OpenShift (openshift-tests already verifies this correctly).
UPSTREAM: <carry>: Remove excessive logging during e2e upgrade test
This line makes the upgrade log output unreadable and provides no value during the set of tests it's used in:
```
Jan 12 20:49:25.628: INFO: cluster upgrade is Progressing: Working towards registry.svc.ci.openshift.org/ci-op-jbtg7jjb/release@sha256:144e73d125cce620bdf099be9a85225ade489a95622a70075d264ea3ff79219c: downloading update
Jan 12 20:49:26.692: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success
Jan 12 20:49:28.727: INFO: Poke("http://a74e3476115ce4d2d817a1e5ea608dad-802917831.us-east-1.elb.amazonaws.com:80/echo?msg=hello"): success
```
OpenShift-Rebase-Source: 8e73298
Commit f3a7db6
UPSTREAM: <carry>: conditionally fill the UserAgent from the currently running test
OpenShift uses these functions before any test is run and they cause NPE
OpenShift-Rebase-Source: 834af76
Commit 9f5448a
UPSTREAM: <carry>: refactor/improve CRD publishing e2e tests in an HA…
Commit 9104c37
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
UPSTREAM: <carry>: Copy hack scripts and tools from openshift/origin UPSTREAM: <carry>: Fix shellcheck failures for copied openshift-hack bash UPSTREAM: <carry>: Enable build, test and verify UPSTREAM: <carry>: Copy README content from origin UPSTREAM: <carry>: Copy watch-termination command from openshift/origin UPSTREAM: <carry>: Switch image and rpm build to golang 1.14 UPSTREAM: <carry>: Copy test annotation from origin UPSTREAM: <carry>: Build openshift-compatible kube e2e binary UPSTREAM: <carry>: Updating openshift-hack/images/hyperkube/Dockerfile.rhel baseimages to mach ocp-build-data config UPSTREAM: <carry>: Update test annotation rules UPSTREAM: <carry>: Enable k8s-e2e-serial UPSTREAM: <carry>: Build with golang 1.15 UPSTREAM: <carry>: (squash) Stop installing recent bash and protoc from source UPSTREAM: <carry>: Add rebase instructions UPSTREAM: <carry>: (squash) Update README.openshift to reflect transition UPSTREAM: <carry>: (squash) Stop annotating origin tests with [Suite:openshift] The detection logic was error-prone (different results based on the repo existing in GOPATH vs not) and whether a test comes from origin can be inferred from the absence of the `[Suite:k8s]` tag. 
UPSTREAM: <carry>: (squash) Update hyperkube version UPSTREAM: <carry>: (squash) Update OpenShift docs UPSTREAM: <carry>: watch-termination: fix deletion race and write non-graceful message also to termination.log UPSTREAM: <carry>: watch-termination: avoid false positives of NonGracefulTermination events UPSTREAM: <carry>: (squash) remove servicecatalog e2e that was dropped upstream UPSTREAM: <carry>: (squash) Fix annotation rules UPSTREAM: <carry>: (squash) Fix image refs UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube builder & base images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/b0ab44b419faae6b18e639e780a1fa50a1df8521/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: (squash) Retry upstream flakes UPSTREAM: <carry>: (squash) Update test exclussions for 1.20.0 UPSTREAM: <carry>: (squash) Add detail to rebase doc - Add new section 'Maintaining this document' - Move checklist above the instructions to emphasize their importance - Add new section 'Reacting to new commits' - Mention that generated changes in carries should be dropped UPSTREAM: <carry>: Enable CSI snapshot e2e tests All images were uploaded to our quay.io mirror and the tests should succeed. UPSTREAM: <carry>: Stop skipping multi-az test (skipped upstream) UPSTREAM: <carry>: bump tag version & update rebase doc UPSTREAM: <carry>: update rebase doc & image UPSTREAM: <carry>: Add Dockerfile to build pause image Ensuring the target directory exists before writing a file to it. 
UPSTREAM: <carry>: disable part of hack/verify-typecheck-providerless.sh due to our carry patches UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: Add process overlap detection event to watch-termination NOTE: Squash this to watch-termination commit on rebase. UPSTREAM: <carry>: openshift-hack/images/os/Dockerfile: Add io.openshift.build.versions, etc. For example, consider the current 4.10 RHCOS: $ oc image info -o json registry.ci.openshift.org/ocp/4.10:machine-os-content io.k8s.description: The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly. io.k8s.display-name: Red Hat Universal Base Image 8 io.openshift.build.version-display-names: machine-os=Red Hat Enterprise Linux CoreOS io.openshift.build.versions: machine-os=49.84.202109102026-0 io.openshift.expose-services: io.openshift.tags: base rhel8 A bunch of those seem to be inherited from the UBI base image, so we can leave them alone. But the io.openshift.build.* entries are RHCOS-specific, and are consumed by 'oc adm release new ...' 
[1,2] and friends to answer questions like "which RHCOS is in this release?": $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.8.12-x86_64 { "kubernetes": { "Version": "1.21.1", "DisplayName": "" }, "machine-os": { "Version": "48.84.202109100857-0", "DisplayName": "Red Hat Enterprise Linux CoreOS" } } Setting this label will avoid failures when consumers like driver-toolkit's version consumer [3]: name: 0.0.1-snapshot-machine-os bump into ci-tools-built machine-os-content images that lack the io.openshift.build.versions declaration of machine-os version [4]: error: unable to create a release: unknown version reference "machine-os" I've gone with generic testing values, so hopefully this is not something that local maintainers need to remember to bump for each OpenShift z stream. [1]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/image_mapper.go#L328-L334 [2]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/annotations.go#L19-L28 [3]: openshift/driver-toolkit@464acca#diff-4caed9b2b966a8fa7a016ae28976634a2d3d1b635c4e820d5c038b2305d6af53R18 [4]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/959/pull-ci-openshift-kubernetes-master-images/1438398678602616832#1:build-log.txt%3A97 UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: squash with the rest of tooling UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-pod.yml UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-hyperkube.yml UPSTREAM: <carry>: rebase script UPSTREAM: <carry>: Fix networking-related 
test exclusions Tests that fail on openshift-sdn specifically should be tagged as such, so that they don't also get skipped when running under ovn-kubernetes or third-party network plugins. UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379 in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be cleanly unmounted, gets "Stale file handle" error instead on umount. As a result this test is permafailing on Fedora CoreOS nodes. UPSTREAM: <carry>: Skip GlusterFS tests GlusterFS is not supported in 4.x, we've been running its tests just because we could. Now it does not work on IPv6 systems. E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported) UPSTREAM: <carry>: Skip GlusterFS tests The previous commit left two GlusterFS test still running: [sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s] [sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes Skip it, we don't support Gluster and it does not work on ipv6 UPSTREAM: <carry>: 1.22 alpha & other tests disablement UPSTREAM: <carry>: 1.21 alpha & other tests disablement UPSTREAM: <carry>: Enable GenerciEphemeralVolume tests UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase UPSTREAM: <carry>: Reenable NetworkPolicy test UPSTREAM: <carry>: Conformance tests (sysctls) should be run We have to run this test for conformance, and the tests pass. Reenable this block which has been disabled for 2 releases (but appears to work fine). UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests Instead, openshift-tests will enable or disable them depending on cluster configuration. 
UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name This test was renamed upstream in kubernetes@006dc74 UPSTREAM: <carry>: re-enable networking tests after rebase During a bump to k8 ver. 1.22.0, networking tests were disabled to accomplish the bump. This disabled netpol and older network tests. Netpol tests will be enabled in a following PR and therefore only partially fixes BZ. This commit partially fixes bug 1986307. https://bugzilla.redhat.com/show_bug.cgi?id=1986307 UPSTREAM: <drop>: update test annotate rules UPSTREAM: <carry>: Add DOWNSTREAM_OWNERS UPSTREAM: <carry>: clarify downstream approver rules UPSTREAM: <carry>: copy extensions into resulting image UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning Master nodes already have `master` taint which cannot be tolerated by normal workloads. If we manually cordon the master nodes again, some of the control plane components cannot get rescheduled unless they have toleration to the `node.kubernetes.io/unschedulable` taint. Even if we have the toleration in the pod spec, because of the backwards compability issues scheduler will ignore nodes which have `unschedulable` field set. IOW: - Cordoning master nodes is redundant as masters already have taints - Cordoning master nodes can cause issues which are hard to debug as control-plane components may be evicted/preempted during e2e run(highly unlikely but a possibility). So, let's stop cordoning master nodes. 
UPSTREAM: <carry>: enable internal traffic policy tests Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1986307 UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: enable e2e test after 1.23 rebase in sdn Enable "[sig-network] Conntrack should be able to preserve UDP traffic when initial unready endpoints get ready" after 1.23 rebase in openshift/sdn UPSTREAM: <carry>: Unskip OCP SDN related tests Unskip networkPolicy tests concerning IpBlock and egress rules since both features have now been implemented. UPSTREAM: <carry>: enable should drop INVALID conntrack entries test UPSTREAM: <carry>: update e2es UPSTREAM: revert: <carry>: Unskip OCP SDN related tests These newly-enabled tests are breaking some CI, possibly due to race conditions in the tests. Re-disable them for now. This reverts commit aba8d20. UPSTREAM: <carry>: update hyperkube and image version UPSTREAM: <drop>: disable e2e tests - disable 'ProxyTerminatingEndpoints' feature e2e tests - disable [sig-network] [Feature:Topology Hints] should distribute endpoints evenly see https://bugzilla.redhat.com/show_bug.cgi?id=2079958 for more context UPSTREAM: <carry>: Add kubensenter to the openshift RPM This carry-patch adds the kubensenter script to the openshift-hyperkube RPM, by importing it via the new hack/update-kubensenter.sh script. UPSTREAM: <carry>: Skip session affinity timeout tests in 4.12 and higher the default CNI is OVNKubernetes and these two tests do not pass. Skip them. They are also skipping in the origin test suites for ovnk. UPSTREAM: <carry>: Update kubensenter to use exec instead of direct call Because kubelet relies on systemd's Type=notify mechanism, we don't need or want kubensenter to keep itself in the process tree. exec is best. UPSTREAM: <carry>: update to ginkgo v2 - squash to tooling UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: allow annotating with a specific suite If a test specifies a suite, don't append another one to it. 
We want the ability to add tests to a particular suite without automatically being added to parallel conformance. UPSTREAM: <carry>: Ensure balanced brackets in annotated test names We recently started marking tests with apigroups, and in one case we missed the closing bracket on the annotation resulting in the test being erroneously skipped. This adds a check in the annotation generation, and errors when brackets are unbalanced. ``` Example: $ ./hack/verify-generated.sh FAILURE after 12.870s: hack/verify-generated.sh:13: executing '/home/stbenjam/go/src/github.com/openshift/origin/hack/update-generated.sh' expecting success: the command returned the wrong error code Standard output from the command: Nov 4 14:11:25.026: INFO: Enabling in-tree volume drivers Nov 4 14:11:25.026: INFO: Warning: deprecated ENABLE_STORAGE_GCE_PD_DRIVER used. This will be removed in a future release. Use --enabled-volume-drivers=gcepd instead Nov 4 14:11:25.026: INFO: Enabled gcepd and windows-gcepd in-tree volume drivers Standard error from the command: failed: unbalanced brackets in test name: [Top Level] [sig-scheduling][Early] The openshift-console console pods [apigroup:console.openshift.io should be scheduled on different nodes ^ ``` UPSTREAM: <carry>: add CSI migration feature gates for vSphere and Azure File This commit is the next natural step for commits 2d9a8f9 and d37e84c. It introduces custom feature gates to enable the CSI migration in vSphere and Azure File plugins. See openshift/enhancements#549 for details. Stop <carrying> the patch when CSI migration becomes GA (i.e. features.CSIMigrationAzureFile / features.CSIMigrationVSphere are GA). UPSTREAM: <carry>: Skip in-tree topology tests win Azure Disk migrated to CSI Skip test that depend on in-tree Azure Disk volume plugin that (wrongly) uses failure domains for value of "topology.kubernetes.io/zone" label in Azure regions that don't have availability zones. 
Our e2e tests blindly use that label and expect that a volume provisioned in such a "zone" can be used only by nodes in that "zone" (= topology domain). This is false, Azure Disk CSI driver can use such a volume in any zone and therefore the test may randomly fail. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2066865 UPSTREAM: <carry>: Stop ignoring generated openapi definitions openshift/origin needs to be able to vendor these definitions so they need to be committed. OpenShift-Rebase-Source: 514f181 OpenShift-Rebase-Source: 87e220b OpenShift-Rebase-Source: b25e156 OpenShift-Rebase-Source: 2256387 OpenShift-Rebase-Source: e4d66c1 OpenShift-Rebase-Source: 5af594b UPSTREAM: <carry>: disable tests for features in alpha UPSTREAM: <carry>: disable tests dependent on StackDriver UPSTREAM: <carry>: add default sysctls for kubelet in rpm UPSTREAM: <carry>: add new approvers UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: update hyperkube image version Updated builder as well. UPSTREAM: <carry>: add missing generated file UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Add CSI mock volume tests. In upstream these tests were moved to a different package, so we stopped generating their names in OpenShift. This patch fixes that. UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Disable CSI mock tests for SELinux and RecoverVolumeExpansionFailure, which are alpha features and require additional work to get enabled. 
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs UPSTREAM: <carry>: update rebase doc UPSTREAM: <carry>: disable failing dnsPolicy test UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests UPSTREAM: <carry>: Change annotation mechanics to allow injecting testMaps and filter out tests UPSTREAM: <carry>: Move k8s-specific rules to our fork UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Update the list of tests that should be skipped. UPSTREAM: <carry>: Force using host go always and use host libriaries UPSTREAM: <carry>: ignore vendor when generating code UPSTREAM: <carry>: ignore vendor when installing ncpu from hack/tools UPSTREAM: <carry>: move test rules from origin These were brought back in o/o PRs as follows: - netpol - openshift/origin#26775 - schedulerpreemption - openshift/origin#27874 UPSTREAM: <carry>: UserNamespacesSupport feature was rename to UserNamespacesStatelessPodsSupport See commit 531d38e. UPSTREAM: <carry>: allow apiserver-library-go to depend on k8s.io/kubernetes UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Remove commitchecker. UPSTREAM: <carry>: Force using host go always and use host libriaries UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Update builder images. UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Bump builder and base images to OCP 4.15 and RHEL 9 (where possible). UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Update REBASE.openshift.md file with new RHEL 9 images. UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs Remove "git rerere" suggestion. This has shown to be problematic in some cases. UPSTREAM: <carry>: Fix sporadic 141 errors in build-rpms "head" sometimes exits before "rpmspec" finishes piping it all its data. Workaround that by separating the rpmspec and head calls. 
UPSTREAM: <carry>: Disable e2e tests related to AdmissionWebhookMatchConditions
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
1. Fix failure while running the verify.import-boss case
2. Add verify-govulncheck.sh to the excluded pattern
This requires a new package to be installed on the fly and the same fails with the following error. `go: golang.org/x/vuln/cmd/[email protected]: cannot query module due to -mod=vendor` The above error needs to be fixed before enabling this `govulncheck`
UPSTREAM: <carry>: switch to go1.21
UPSTREAM: <carry>: use snyk file
UPSTREAM: <carry>: RPM: Split apiserver, scheduler, k-c-m, kubelet into subpackages This change should allow us to install a much smaller set of binaries into RHCOS while preserving functional compatibility with anyone who installs `openshift-hyperkube` today as it requires all sub packages. Those wishing to have just the kubelet can begin installing `openshift-hyperkube-kubelet`
-rwxr-xr-x. 2 root root 129M Jan 1 1970 /usr/bin/kube-apiserver
-rwxr-xr-x. 2 root root 114M Jan 1 1970 /usr/bin/kube-controller-manager
-rwxr-xr-x. 2 root root 54M Jan 1 1970 /usr/bin/kube-scheduler
-rwxr-xr-x. 2 root root 105M Jan 1 1970 /usr/bin/kubelet
-rwxr-xr-x. 2 root root 3.5K Jan 1 1970 /usr/bin/kubensenter
Should save about 297M or 74% in most environments where the kubelet is all that's desired. It's not clear to me why these were ever in the RPM since OCP 4.x but this packaging should remain compatible as openshift-hyperkube depends on - openshift-kubelet - openshift-kube-apiserver - openshift-kube-scheduler - openshift-kube-controller-manager
UPSTREAM: <carry>: openshift-hack/images/os: delete All the logic there is geared towards `machine-os-content` which is no longer used at all in the cluster.
Nowadays, the container to modify is `rhel-coreos`, which is what is already being done in CI: https://github.com/openshift/release/blob/463a8f244ba0f807e76e6fdf974f98d24efd1ced/ci-operator/config/openshift/kubernetes/openshift-kubernetes-master.yaml#L87-L97
UPSTREAM: <carry>: Disable SCCs in k8s-e2e.test namespaces We want to run upstream e2e tests ignored by SCCs. Make sure the test namespaces have label security.openshift.io/disable-securitycontextconstraints: true and disabled podSecurityLabelSync.
UPSTREAM: <carry>: Enable SELinux tests Now that k8s-e2e.test is not affected by SCCs, all SELinux tests should pass.
UPSTREAM: <carry>: update test rules
UPSTREAM: <carry>: permanently disable NodeLogQuery e2e test Tests require SSH configuration and are part of the parallel suite, which does not create the bastion host. Enabling the test would result in the bastion being created for every parallel test execution. Given that we have existing oc and WMCO tests that cover this functionality, we can safely disable it.
UPSTREAM: <carry>: clean OpenShift tooling
UPSTREAM: <carry>: Add Dockerfile to build kube-apiserver for openshift-install architectures
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs
UPSTREAM: <carry>: Create minimal wrapper needed to run k8s e2e tests
UPSTREAM: <carry>: Add update go workspace step to the update flow Given we verify go workspace, we need to do `update-go-workspace` step during `make update`
UPSTREAM: <carry>: Provide SCC access via RBAC
UPSTREAM: <carry>: add native build to installer image This is needed for the s390x/ppc64le arches since we just cross-compile to linux amd/arm64.
UPSTREAM: <carry>: update docker image to use go 1.22
UPSTREAM: <carry>: update rules.go
UPSTREAM: <carry>: Skip eviction test on tainted nodes for SNO jobs
UPSTREAM: <carry>: OCPBUGS-34102: force static build of linux binaries Setting `KUBE_STATIC_OVERRIDES` is necessary for the kubernetes build system to attempt a static build but we also need to set `GO_COMPLIANCE_EXCLUDE` so the `CGO_ENABLED` value is not overridden by the fips-or-die toolchain used to build the release payload. This fixes an issue when running the openshift-installer in centos7/rhel8 systems which fails with:
```
E0521 18:04:24.925722 2077 server.go:317] "unable to start the controlplane" err="unable to run command \"cluster-api/kube-apiserver\" to check for flag \"insecure-port\": exit status 1" logger="controller-runtime.test-env" tries=4
ERROR failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to run cluster api system: failed to run local control plane: unable to start control plane itself: failed to start the controlplane. ret\ ried 5 times: unable to run command "cluster-api/kube-apiserver" to check for flag "insecure-port": exit status 1
```
because it's trying to run a dynamically-linked kube-apiserver binary.
UPSTREAM: <carry>: inject k8s version from hyperkube Dockerfile Squash to openshift tooling.
UPSTREAM: <carry>: sync imports and update test rules This should be squashed with tooling.
UPSTREAM: <carry>: use host etcd
UPSTREAM: <carry>: skip storage tests
UPSTREAM: <carry>: skip PodLifecycleSleepAction test
UPSTREAM: <carry>: add tool to validate test packages imported
UPSTREAM: <carry>: update test annotations for sno recent addition of upstream architecture package to openshift tests include.go is breaking conformance tests for sno should squash with tooling Signed-off-by: ehila <[email protected]>
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs bump images to 4.18 and kubernetes to 1.31.0
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs update Disabled:Alpha test rules
UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs disable verify-e2e-suites.sh
UPSTREAM: <carry>: skip VolumeAttributesClass tests
Commit c3a4fe9
UPSTREAM: <carry>: export HandleFlags
OpenShift-Rebase-Source: 7bf2f1f
Commit 73c4d66
UPSTREAM: <carry>: noderestrictions: add node-role.kubernetes.io/* to allowed node labels
Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work.
UPSTREAM: <carry>: add control plane to allow roles OpenShift-Rebase-Source: 38bfed3 OpenShift-Rebase-Source: aff4434
UPSTREAM: <carry>: Do not allow nodes to set forbidden openshift labels Signed-off-by: Harshal Patil <[email protected]>
Commit 67dc219
UPSTREAM: <carry>: kube-apiserver: ignore SIGTERM/INT after the first one
UPSTREAM: <carry>: kube-apiserver: set up separate signal handler functions to ignore further signals This patches the changes from openshift#558 to provide these new functions without changing the behavior for other repos that depend on them, such as library-go. OpenShift-Rebase-Source: 63ed200
Commit 34d498e
UPSTREAM: <carry>: use hardcoded metrics scraping authorizer for delegated apiservers
OpenShift-Rebase-Source: d8adc09
Commit 529466e
UPSTREAM: <carry>: allow kubelet to self-authorize metrics scraping
OpenShift-Rebase-Source: 5ab0f5e
Commit a2f0abe
UPSTREAM: <carry>: provide events, messages, and bodies for probe failures of important pods
UPSTREAM: <carry>: provide unique reason for pod probe event during termination OpenShift-Rebase-Source: 01542fc
Commit 7b55518
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost
to force KS to use localhost set the following flag in kubescheduler (oc edit kubescheduler cluster) unsupportedConfigOverrides: arguments: unsupported-kube-api-over-localhost:: - "true"
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost-squash to other This commit is addendum to openshift@04eabe5 to stop using cc and start relying on scheduler config options OpenShift-Rebase-Source: aa9dde2
UPSTREAM: <carry>: allows for switching KS to talk to Kube API over localhost
Commit 2567b6a
UPSTREAM: <carry>: add management support to kubelet
UPSTREAM: <carry>: management workloads enhancement 741
UPSTREAM: <carry>: lower verbosity of managed workloads logging Support for managed workloads was introduced by PR#627. However, the CPU manager reconcile loop now seems to flood kubelet log with "reconcileState: skipping pod; pod is managed" warnings. Lower the verbosity of these log messages.
UPSTREAM: <carry>: set correctly static pods CPUs when workload partitioning is disabled
UPSTREAM: <carry>: Remove reserved CPUs from default set Remove reserved CPUs from default set when workload partitioning is enabled. Co-Authored-By: Brent Rowsell <[email protected]> Signed-off-by: Artyom Lukianov <[email protected]> Signed-off-by: Don Penney <[email protected]> OpenShift-Rebase-Source: b762ced OpenShift-Rebase-Source: 63cf793 OpenShift-Rebase-Source: 32af64c
UPSTREAM: <carry>: add management support to kubelet
UPSTREAM: <carry>: OCPBUGS-29520: fix cpu manager default cpuset check in workload partitioned env (this can be squashed to 04070bb UPSTREAM: : add management support to kubelet) Workload partitioning makes the separation between reserved and workload cpus more strict. It is therefore expected the reserved cpus are NOT part of the default cpuset and the existing check was overzealous. First execution of kubelet after reboot never gets here as the cpuset is computed on line 209. However a kubelet restart without reboot skips this code, recovers from state file and runs the check on line 220. This was uncovered by decoupling the cpu manager state file cleanup from kubelet restart, doing it only once at reboot as part of OCPBUGS-24366
UPSTREAM: <carry>: add management workload check for guaranteed qos when static pods have workload partitioning enabled we should not alter their resources if they are Guaranteed QoS, this change adds a check for Guaranteed QoS Signed-off-by: ehila <[email protected]> test: add unit tests for error states Signed-off-by: ehila <[email protected]>
Commit bc967e9
UPSTREAM: <carry>: allows for switching KCM to talk to Kube API over localhost
to force KCM to use localhost set the following flag in kubecontrollermanager (oc edit kubecontrollermanager cluster) unsupportedConfigOverrides: extendedArguments: unsupported-kube-api-over-localhost: - "true" OpenShift-Rebase-Source: 036b11c
UPSTREAM: <carry>: allows for switching KCM to talk to Kube API over localhost
Commit 8c15efd
UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
OpenShift since 3.x has injected the service serving certificate ca (service ca) bundle into service account token secrets. This was intended to ensure that all pods would be able to easily verify connections to endpoints secured with service serving certificates. Since breaking customer workloads is not an option, and there is no way to ensure that customers are not relying on the service ca bundle being mounted at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, it is necessary to continue mounting the service ca bundle in the same location in the bound token projected volumes enabled by the BoundServiceAccountTokenVolume feature (enabled by default in 1.21). A new controller is added to create a configmap per namespace that is annotated for service ca injection. The controller is derived from the controller that creates configmaps for the root ca. The service account admission controller is updated to include a source for the new configmap in the default projected volume definition. UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens OpenShift-Rebase-Source: d69d054 UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
Commit b99e4f0
UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
UPSTREAM: <carry>: apiserver: add cluster-policy-controller to system client in apiserver_request_total OpenShift-Rebase-Source: d86823d
UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total Fix TestOpenAPIRequestMetrics unit test.
Commit eda46ce
UPSTREAM: <carry>: emit event when readyz goes true
OpenShift-Rebase-Source: 6386eb2
Commit 6b5422f
UPSTREAM: <carry>: crd: add ClusterOperator condition message table column
The logic is not expressible via JSONPath. Hence, if we want this, we have to help a little with this custom column writer. OpenShift-Rebase-Source: 633a422
Commit 4658af7
UPSTREAM: 103612: tolerate additional, but congruent, events for integration test
OpenShift-Rebase-Source: 2f4c829
UPSTREAM: 103612: tolerate additional, but congruent, events for integration test
Commit cfe883a
UPSTREAM: <carry>: add a way to inject a vulnerable, legacy service-ca.crt for migration compatibility
OpenShift-Rebase-Source: bf2b5fa
Commit d557b28
UPSTREAM: <carry>: Revert "Remove Endpoints write access from aggrega…
Commit e6071ea
UPSTREAM: <carry>: skip posting failures to aggregated APIs to avoid getting false positives until the server becomes ready
the availability checks depend on fully initialized SDN OpenShift carries a few reachability checks that affect /readyz protocol we skip posting failures to avoid getting false positives until the server becomes ready
UPSTREAM: <carry>: skip posting failures to aggregated APIs to avoid getting false positives until the server becomes ready marks availability of the server before checking the aggregate APIs as it can change as we are running the checks. in that case, skip posting failures to avoid false positives. note on the next rebase please squash with the previous commit
UPSTREAM: <carry>: expose HasBeenReady lifecycle signal OpenShift-Rebase-Source: 8558e88
Commit ed4703c
UPSTREAM: <carry>: send Retry-After when not ready with a caller opt in
UPSTREAM: <carry>: change opt-in due to upstream revert OpenShift-Rebase-Source: cd08005
Commit 4c24d6f
UPSTREAM: <carry>: add max_housekeeping_interval
OpenShift-Rebase-Source: 3b2555a
Commit 3fcc5eb
UPSTREAM: <carry>: sets X-OpenShift-Internal-If-Not-Ready HTTP Header for GC and Namespace controllers
In general, setting the header will result in getting 429 when the server hasn't been ready. This prevents certain controllers like GC, Namespace from accidentally removing resources when the caches haven't been fully synchronized. OpenShift-Rebase-Source: 2ebf199
Commit 86d795d
UPSTREAM: <carry>: Release lock on KCM and KS termination
UPSTREAM: <carry>: Force releasing the lock on exit for KS squash with UPSTREAM: <carry>: Release lock on KCM and KS termination OpenShift-Rebase-Source: fc91252 UPSTREAM: <carry>: Release lock on KCM and KS termination
Commit 7fc6ec8
UPSTREAM: <carry>: use console-public config map for console redirect
OpenShift-Rebase-Source: 2e5064e
Commit 870a00f
UPSTREAM: <carry>: fix [sig-auth] ServiceAccounts no secret-based service account token should be auto-generated
OpenShift-Rebase-Source: a031438
UPSTREAM: <carry>: fix [sig-auth] ServiceAccounts no secret-based service account token should be auto-generated
Commit c4dd26e
UPSTREAM: <carry>: optionally enable retry after until apiserver is ready
OpenShift-Rebase-Source: fc3523f
Commit abfd6a7
UPSTREAM: <carry>: make the PSA workload admission warnings honor the changes that SCC will eventually make to the pod
UPSTREAM: <carry>: pod-security: don't fail on SCC admission error If we propagate SCC admission error during pod extraction to PodSecurity admission, the latter will log the error instead of continuing with unmutated pod spec, and so we will not get a validation error in either the audit logs or as a warning. OpenShift-Rebase-Source: 6fe5c8f OpenShift-Rebase-Source: b4e019f
UPSTREAM: <carry>: SCC pod extractor: assume default SA if SA is empty
Commit 8f1249e
UPSTREAM: <carry>: PSa metrics: log platform namespaces in audit denies
We need this in order to be able to retrieve better reports from PodSecurityViolation alerts. UPSTREAM: <carry>: PSa metrics: unset ocp_namespace on non-platform namespaces
Commit 5357c7e
UPSTREAM: 115328: annotate early and late requests
UPSTREAM: <carry>: add shutdown annotation to response header If it is useful we will combine this with the following carry: 20caad9: UPSTREAM: 115328: annotate early and late requests UPSTREAM: <carry>: add conditional shutdown response header
Commit 678af6d
UPSTREAM: <carry>: disable load balancing on created cgroups when managed is enabled
Previously, cpu load balancing was enabled in cri-o by manually changing the sched_domain of cpus in sysfs. However, RHEL 9 dropped support for this knob, instead requiring it be changed in cgroups directly. To enable cpu load balancing on cgroupv1, the specified cgroup must have cpuset.sched_load_balance set to 0, as well as all of that cgroup's parents, plus all of the cgroups that contain a subset of the cpus that load balancing is disabled for. By default, all cpusets inherit the set from their parent and sched_load_balance as 1. Since we need to keep the cpus that need load balancing disabled in the root cgroup, all slices will inherit the full cpuset. Rather than rebalancing every cgroup whenever a new guaranteed cpuset cgroup is created, the approach this PR takes is to set load balancing to disabled for all slices. Since slices definitionally don't have any processes in them, setting load balancing won't affect the actual scheduling decisions of the kernel. All it will do is open the opportunity for CRI-O to actually set load balancing to disabled for containers that request it. Signed-off-by: Peter Hunt <[email protected]>
UPSTREAM: <carry>: kubelet/cm: disable cpu load balancing on slices when using static cpu manager policy There are situations where cpu load balance disabling is desired when the kubelet is not in managed state. Instead of using that condition, set the cpu load balancing parameter for new slices when the cpu policy is static Signed-off-by: Peter Hunt <[email protected]>
UPSTREAM: <carry>: cm: reorder setting of sched_load_balance for sandbox slice If we call mgr.Apply() first, libcontainer's cpusetCopyIfNeeded() will copy the parent cpuset and set load balancing to 1 by default. This causes the kernel to set the cpus to not load balanced for a brief moment which causes churn. Instead, create the cgroup and set load balance, then have Apply() copy the values into it. Signed-off-by: Peter Hunt <[email protected]>
UPSTREAM: <carry>: kubelet/cm: use MkdirAll when creating cpuset to ignore file exists error Signed-off-by: Peter Hunt <[email protected]>
Commit adc3ed2
Commit b94374e
UPSTREAM: <carry>: Export internal code from k8s.io/apimachinery/pkg/util/managedfields
Some of the code we use in openshift-tests was recently made internal in kubernetes#115065. This patch exposes the code we need there.
Commit fe70aa6
UPSTREAM: <carry>: when only this kube-apiserver can fulfill the kubernetes.default.svc, don't wait for aggregated availability
Commit 1531d16
UPSTREAM: <carry>: merge v3 openapi discovery and specs for special groups that have kinds that are served by both CRDs and external apiservers (eg openshift-apiserver)
this includes:
- authorization.openshift.io (rolebindingrestrictions served by a CRD)
- security.openshift.io (securitycontextconstraints served by a CRD)
- quota.openshift.io (clusterresourcequotas served by a CRD)
By merging all sources, we ensure that kinds served by a CRD will have openapi discovery and spec available even when openshift-apiserver is unavailable.
Commit 4fdf816
UPSTREAM: <carry>: selfsubjectaccessreview: grant user:full scope to self-SARs that have user:check-access
Otherwise, the request will inherit any scopes that an access token might have and the scopeAuthorizer will deny the access review if the scopes do not include user:full
Commit f4ebd7f
UPSTREAM: <carry>: retry etcd Unavailable errors
This commit renews openshift#327 What has changed compared to the original PR is: - The retryClient interface has been adapted to storage.Interface. - The isRetriableEtcdError method has been completely changed; it seems that previously the error we wanted to retry was not being retried. Even the unit tests were failing. Overall, I still think this is not the correct fix. The proper fix should be added to the etcd client. UPSTREAM: <carry>: retry etcd Unavailable errors This is the second commit for the retry logic. This commit adds unit tests and slightly improves the logging. During a rebase squash with the previous one. UPSTREAM: <carry>: retry_etcdclient: expose retry logic functionality during rebase merge with: UPSTREAM: <carry>: retry etcd Unavailable errors
Commit b740781
UPSTREAM: <carry>: Export cpu stats of ovs.slice via prometheus
When a PerformanceProfile configures a node for cpu partitioning, it also lets OVS use all the cpus available to burstable pods. To be able to do that, OVS was moved to its own slice and that slice needs to be re-added to cAdvisor for monitoring purposes.
Commit 5572ecc
UPSTREAM: <carry>: advertise shared cpus for mixed cpus feature
Kubelet should advertise the shared cpus as extended resources. This has the benefit of limiting the amount of containers that can request access to the shared cpus. For more information see - openshift/enhancements#1396 Signed-off-by: Talor Itzhak <[email protected]>
Commit c995379
UPSTREAM: <carry>: temporarily disable reporting e2e text bugs and enforce 2nd labeling to make tests work
Commit 5ef503a
UPSTREAM: <carry>: add new admission for handling shared cpus
Adding a new mutation plugin that handles the following:
1. In case of `workload.openshift.io/enable-shared-cpus` request, it adds an annotation to hint runtime about the request. runtime is not aware of extended resources, hence we need the annotation.
2. It validates the pod's QoS class and returns an error if it's not a guaranteed QoS class
3. It validates that no more than a single resource is being requested.
4. It validates that the pod is deployed in a namespace that has mixedcpus workloads allowed annotation.
For more information see - openshift/enhancements#1396 Signed-off-by: Talor Itzhak <[email protected]>
UPSTREAM: <carry>: Update management webhook pod admission logic Updating the logic for pod admission to allow a pod creation with workload partitioning annotations to be run in a namespace that has no workload allow annotations. The pod will be stripped of its workload annotations and treated as if it were normal, a warning annotation will be placed to note the behavior on the pod. Signed-off-by: ehila <[email protected]>
UPSTREAM: <carry>: add support for cpu limits into management workloads Added support to allow workload partitioning to use the CPU limits for a container, to allow the runtime to make better decisions around workload cpu quotas we are passing down the cpu limit as part of the cpulimit value in the annotation. CRI-O will take that information and calculate the quota per node. This should support situations where workloads might have different cpu period overrides assigned. Updated kubelet for static pods and the admission webhook for regular to support cpu limits. Updated unit test to reflect changes. Signed-off-by: ehila <[email protected]>
Commit a3000d4
UPSTREAM: <carry>: Add openshift feature gates to kube-apiserver - inject openshift feature gates into pkg/features
Signed-off-by: Swarup Ghosh <[email protected]>
Commit 06c9e77
UPSTREAM: <carry>: allow type mutation for specific secrets
This is a short term fix, once we improve the cert rotation logic in library-go that does not depend on this hack, then we can remove this carry patch. squash with the previous PR during the rebase openshift#1924 squash with the previous PRs during the rebase openshift#1924 openshift#1929
Commit 4c9404c
UPSTREAM: 125337: ccm integration test for node status addresses and provided-node-ip annotation
UPSTREAM: 125337: document kubelet node-ip with cloud provider external The node.status.addresses logic grew organically and with weird semantics, this commit tries to document existing semantics when the kubelet uses an external cloud provider and recover the same behavior existing pre-1.29. The node.status.addresses can be populated by the kubelet at startup or delegated to the external cloud provider. If the --node-ip flag is set to an IP in the node, the kubelet will add an annotation to the Node object that will be respected by the external cloud providers, no new IP addresses will be added for the same address type. If the IP set in the --node-ip flag is `0.0.0.0` or `::`, the kubelet will initialize the node with the default address of the corresponding IP family of the unspecified address, and the cloud-provider will override it later.
UPSTREAM: 125337: add more testing for node.status.addresses
UPSTREAM: 125337: Account for differences in fork test suite
Commit 8c185d8
UPSTREAM: <carry>: bump cadvisor for 3516 upstream patches
Signed-off-by: Harshal Patil <[email protected]> UPSTREAM: <carry>: bump cadvisor version to fix missing network stats Signed-off-by: Peter Hunt <[email protected]>
Commit 0be0fda
Commit d02fe41
UPSTREAM: 126641: e1e/storage: update block device test to always specify a valid path
in the isEphemeral case, the pvcBlock doesn't have a filled in name, which means the DevicePath is "/mnt". When using the OCI runtime runc, this is valid because runc sanitizes the path, mounting it in `/mnt` in the container. However, the OCI runtime crun does not do this. One can argue the validity of passing a path structured like a directory as a block device, but ultimately from what I can see this wasn't intentional. As such, fix it by setting the mount to be based on the first Volume name, which both cases should have filled out. Signed-off-by: Peter Hunt <[email protected]>
Commit b915016
UPSTREAM: 126994: Add required FieldManager for validatingadmissionpolicy e2e
This line would fail if the code path happened to execute, which may not happen in upstream, but does trigger occasionally in OpenShift testing.
Commit 80e1d58
UPSTREAM: 126295: dynamiccertificates: denoise Kubelet logs by skipping removal of non-existent file watchers
This commit updates the DynamicFileCAContent controller to skip the removal of non-existent file watchers. Previously, the controller attempted to remove a file watch even if it didn't exist, which resulted in a flood of error messages being logged in the Kubelet logs.
Signed-off-by: Sohan Kunkerkar <[email protected]>
Commit SHA: 4ed26dc
UPSTREAM: <carry>: annotate audit events for requests during unready phase and graceful termination phase
This reverts commit 85f0f2c.
Commit SHA: 05fe02f
UPSTREAM: 127243: Fix invalid label use in validatingadmissionpolicy e2e
If this fallback code was hit, it would always fail due to invalid text in a label.
Commit SHA: 7c3f19e
UPSTREAM: <carry>: add etcd3RetryingProberMonitor for retrying etcd Unavailable errors for the etcd health checker client
Commit SHA: 11fed00
Commit SHA: 49db130
Commit SHA: c52e50f
UPSTREAM: 126846: Fix the localhost nodeport metrics test to not fail under non-kube-proxy
If the cluster is using a non-kube-proxy service proxy, the `curl` will presumably fail; this should not be considered a hard failure.
Commit SHA: 68a0eff
UPSTREAM: 126920: add missing RBAC to statefulset-controller for StatefulSetAutoDeletePVC feature
Commit SHA: 421fd9f
Commits on Sep 20, 2024
Commit SHA: 7836a37
UPSTREAM: 127492: pkg/storage/cacher/cacher_whitebox_test: deflake TestConsistentReadFallback when ResilientWatchCacheInitialization is off
Commit SHA: 2c4bd6c
UPSTREAM: 127493: storage/cacher/cacher_whitebox_test:deflake TestCacherDontAcceptRequestsStopped when ResilientWatchCacheInitialization is off
Commit SHA: 7106e83
Commit SHA: a8b0bc3
Commit SHA: 1d4b303
Commit SHA: e5ff0db