- 11 Aug, 2017 3 commits
-
-
Klaus Ma authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue FC volume plugin: Support WWID for volume identifier **What this PR does / why we need it**: This PR adds World Wide Identifier (WWID) parameter to FCVolumeSource as an unique volume identifier. **Which issue this PR fixes**: fixes #48639 **Special notes for your reviewer**: /cc @rootfs @jsafrane @msau42 **Release note**: ``` FC volume plugin: Support WWID for volume identifier ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Migrate to controller references helpers in meta/v1 **What this PR does / why we need it**: This is a follow up for #48319 that migrates all method usages to new methods in meta/v1. **Special notes for your reviewer**: Looking at each commit individually might be easier. **Release note**: ```release-note NONE ``` /sig api-machinery /kind cleanup
-
- 10 Aug, 2017 37 commits
-
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Fix my incorrect username My mistake - used goog username rather than github. Again, this is for kubectl extraction, currently blocked by need for many approvers in, e.g. #48580 #48581 #47011, etc.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue kubeadm: enhanced TLS validation for token-based discovery in `kubeadm join` **What this PR does / why we need it**: This PR implements enhanced TLS validation for `kubeadm join` when using token-based TLS discovery. Without this enhancement, `kubeadm join` has some less-than-ideal security properties. Specifically, in the case where a bootstrap token is compromised, the attacker can impersonate the API server to newly bootstrapping clients ([more discussion in the design proposal](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a)). The gist of this enhancement is to support public key pinning in the style of [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4). When bootstrapping, `kubeadm` can now be configured with a whitelist of root CA public keys. It can then validate that the cluster it connects to is operated by the owner of one of those public keys. These public key hashes are short enough that the entire `kubeadm join` command can still be copy-pasted relatively easily (not as easily as before, but ~160 characters). Using a public key hash rather than a hash over the entire certificate allows certificates to be reissued with updated expirations without invalidating existing key pins. This change adds two new command line flags (and associated config parameters): - **`--discovery-token-ca-cert-hash sha256:<hash>`:** Validates that the cluster root CA has a public key fingerprint that matches one of the specified values. If this flag is not passed when token-based discovery is being used, a warning is printed. This warning will become an error in 1.9. - **`--discovery-token-unsafe-skip-ca-verification`:** Disables the warning message when no keys are pinned. In 1.9, this flag will be required _unless_ `--discovery-token-unsafe-skip-ca-verification` is used. This is fully backwards compatible and client side (kubeadm) only. It will be a breaking change when the flag becomes required in v1.9. This validation is done after and in addition to the existing bootstrap token signing/MAC mechanism. #### Example from `kubeadm init`: ``` $ kubeadm init [...] You can now join any number of machines by running the following on each node as root: kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35 ``` #### Example from `kubeadm join`: ``` $ kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35 [kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters. [preflight] Running pre-flight checks [discovery] Trying to connect to API Server "192.168.42.10:6443" [discovery] Created cluster-info discovery client, requesting info from "https://192.168.42.10:6443" [discovery] Requesting info from "https://192.168.42.10:6443" again to validate TLS against the pinned public key [discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "192.168.42.10:6443" [discovery] Successfully established connection with API Server "192.168.42.10:6443" Node join complete: * Certificate signing request sent to master and response received. * Kubelet informed of new secure connection details. Run 'kubectl get nodes' on the master to see this machine join. ``` **Which issue this PR fixes**: ref https://github.com/kubernetes/features/issues/130 fixes: https://github.com/kubernetes/kubeadm/issues/365 **Special notes for your reviewer**: This was proposed and discussed briefly by SIG-cluster-lifecycle and SIG-auth. The design proposal is [in Google Docs](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a). There is a documentation change needed to explain the security properties of `kubeadm join` with and without `--discovery-token-ca-cert-hash`. This page should be linked by to by the warning message when you don't pass either of the new flags (I have it pointing [here](https://kubernetes.io/docs/admin/kubeadm/#kubeadm-join) for now, which I think will be the right place). I will follow up with this documentation shortly. **Release note**: ```release-note kubeadm: added enhanced TLS validation for token-based discovery in `kubeadm join` using a new `--discovery-token-ca-cert-hash` flag. ``` /cc @luxas @jbeda @ericchiang
-
Jeffrey Regan authored
My mistake - used goog username rather than github.
-
Matt Moyer authored
kubeadm: generated deepcopy for `k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm` and `k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1`.
-
Matt Moyer authored
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery. The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests. This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server. This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
-
Matt Moyer authored
This change adds a `k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin` package which implements x509 public key pinning in the style of RFC7469. This is the public key hash format used by the new `kubeadm join --discovery-token-ca-cert-hash` flag. Hashes are namespaced with a short type, with "sha256" being the only currently-supported format. Type "sha256" is a hex-encoded SHA-256 hash over the Subject Public Key Info (SPKI) object in DER-encoded ASN.1.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Add Cluster Autoscaler scalability test suite This suite is intended for manually testing Cluster Autoscaler on large clusters. It isn't supposed to be run automatically (at least for now). It can be run on Kubemark (with #50440) with the following setup: - start Kubemark with NUM_NODES=1 (as we require there to be exactly 1 replica per hollow-node replication controller in this setup) - set kubemark-master machine type manually to appropriate type for the Kubemark cluster size. Maximum Kubemark cluster size reached in test run is defined by maxNodes constant, so for maxNodes=1000, please upgrade to n1-standard-32. Adjust if modifying maxNodes. - start Cluster Autoscaler pod in the external cluster using image built from version with Kubemark cloud provider (release pending) - for grabbing metrics from ClusterAutoscaler (with #50382), add "--include-cluster-autoscaler=true" parameter in addition to regular flags for gathering components' metrics/resource usage during e2e tests cc @bskiba
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Make ClusterID required for AWS. **What this PR does / why we need it**: Makes ClusterID required for AWS and provides a flag to run in un-tagged mode fixes #48954 **Release note**: ```release-note A cluster using the AWS cloud provider will need to label existing nodes and resources with a ClusterID or the kube-controller-manager will not start. To run without a ClusterID pass --allow-untagged-cloud=true to the kube-controller-manager on startup. ```
-
mtanino authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 45186, 50440) Add functionality needed by Cluster Autoscaler to Kubemark Provider. Make adding nodes asynchronous. Add method for getting target size of node group. Add method for getting node group for node. Factor out some common code. **Release note**: ``` NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 45186, 50440) Retry fed-svc creation on diff NodePort during e2e tests **What this PR does / why we need it**: Currently in federated end2end tests, the creation of services are done with a randomize NodePort selection take is causing e2e test flakes if the creation of a federated service failed if the port is not available. Now the util.CreateService(...) function is retrying to create the service on different nodePort in case of error. The method retry until success or all possible NodePorts have been tested and also failed. **Which issue this PR fixes** fixes #44018
-
mtanino authored
This PR adds World Wide Identifier (WWID) parameter to FCVolumeSource as an unique volume identifier. fixes #48639
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50306, 49624) Add daemonset to all categories **What this PR does / why we need it**: We could get daemonset resource by running command `kubectl get all`. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # fix https://github.com/kubernetes/kubernetes/issues/49620
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50306, 49624) simplify logic around LB deletion for servicecontroller **What this PR does / why we need it**: simplify logic around LB deletio **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: discovered when aswering to #50299 **Release note**: ```release-note None ```
-
Aleksandra Malinowska authored
-
Beata Skiba authored
Make adding nodes asynchronous. Add method for getting target size of node group. Add method for getting node group for node. Factor out some common code.
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50386, 50374, 50444, 50382) Add grabbing Cluster Autoscaler metrics in e2e tests This adds: - collecting metrics from Cluster Autoscaler before & after e2e test run - --include-cluster-autoscaler opt-in flag - passing external cluster client to MetricsGrabber (required for Kubemark setup, as Cluster Autoscaler doesn't run on master in this case)
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50386, 50374, 50444, 50382) jsonpath: fix comments Minor fix to the comments. And avoid a named return value. **Release note**: ```release-note NONE ``` /cc @sttts
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50386, 50374, 50444, 50382) wires ban flunder admission plugin to the sample server **What this PR does / why we need it**: this PR wires ban flunder admission plugin to the sample server. **Release note**: ``` NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 50386, 50374, 50444, 50382) Add explicit API kind and version to the audit policy file on GCE Adds an explicit API version and kind to the audit policy file in GCE configuration scripts. It's a prerequisite for https://github.com/kubernetes/kubernetes/pull/49115 /cc @tallclair @piosz
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Update mrubin to matchstick in OWNERS **What this PR does / why we need it**: per https://github.com/kubernetes/kubernetes/issues/50048#issuecomment-320000920 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # associated with #50048 **Special notes for your reviewer**: /assign @matchstick **Release note**: ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue [Federation] Implement leader election for controller-manager **What this PR does / why we need it**: - Add cluster-selector for namespace - Add support for creating federation-only objects. - Ref #44631 - Implements leader election for controller-manager. Ref: #44283 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #44490 **Special notes for your reviewer**: This PR also fixes the issue #44490, which is about delay in initializing controller-manager due to unavailability of api-server. **Release note**: ```release-note federation: Support for leader-election among federation controller-manager instances introduced. ``` /cc @kubernetes/sig-federation-pr-reviews
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue fix error message for scale **What this PR does / why we need it**: ref: https://github.com/kubernetes/kubernetes/blob/master/cmd/genutils/genutils_test.go#L33 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
-
Nikhita Raghunath authored
avoid named return errors fix compile error
-
Aleksandra Malinowska authored
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49725, 50367, 50391, 48857, 50181) Use 'Infof' instead of 'Errorf' for a debug log **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # #50167 **Release note**: ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49725, 50367, 50391, 48857, 50181) Add e2e test for privileged containers **What this PR does / why we need it**: This PR adds node e2e test for privileged containers. **Which issue this PR fixes** Part of #44118. **Special notes for your reviewer**: **Release note**: ```release-note NONE ``` /assign @Random-Liu
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49725, 50367, 50391, 48857, 50181) New get-kube.sh option: KUBERNETES_SKIP_RELEASE_VALIDATION **What this PR does / why we need it**: This is an alternative solution to https://github.com/kubernetes/kubernetes/pull/49884. The goal is to be able to pull releases that were built by bazel jobs (both presubmit and postsubmit builds), which currently fail our regex validation against the version string. This implementation is a simple "I know what I'm doing" breakglass option to turn regex validation off, whereas https://github.com/kubernetes/kubernetes/pull/49884 was to extend our validation to support the new formats of bazel build jobs. I'm testing the waters to see if this is a more palatable solution. **Release note**: ```release-note New get-kube.sh option: KUBERNETES_SKIP_RELEASE_VALIDATION ``` CC @BenTheElder @fejta @ixdy
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49725, 50367, 50391, 48857, 50181) Don't call one of pointless conversions @kubernetes/sig-federation-pr-reviews
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue Azure: Allow VNet to be in a separate Resource Group **What this PR does / why we need it**: This PR allows Kubernetes in an Azure context to use a VNet which is not in the same Resource Group as Kubernetes. We need this because currently Azure Cloud Provider driver assumes that it should have a VNet for himself but if there is one thing that should be shared amongst Azure resources it's a VNet cause, well, things might want to talk to each other in a private network, don't you think ? I guess this should we backported down to 1.6 branch. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #49577 **Release note**: ```release-note NONE ``` @kubernetes/sig-azure @kubernetes/sig-azure-pr-reviews
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582) fix iptables mode hard code in e2e test Fixes #46078
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582) fix bug when azure cloud provider configuration file is not specified **What this PR does / why we need it**: Current [Azure cloud provider](https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/azure/azure.go#L203) failed to [parse empty config file](https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/plugins.go#L110-L124) when `--cloud-config` is not specified. [GetServicePrincipalToken](https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/azure/azure.go#L157-L199) will raise an error if no valid secrets/tokens are found. So we just need to return empty config obj if `--cloud-config` is not set. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #49228 **Special notes for your reviewer**: @githubvick **Release note**: ```release-note fix bug when azure cloud provider configuration file is not specified ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582) Admit sysctls for other runtime. Fixes https://github.com/kubernetes/kubernetes/issues/50343. Admit sysctl for other runtimes. /cc @mikebrow @yujuhong @feiskyer @sttts
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582) Improve GC discovery sync performance Improve GC discovery sync performance by only syncing when discovered resource diffs are detected. Before, the GC worker pool was shut down and monitors resynced unconditionally every sync period, leading to significant processing delays causing test flakes where otherwise reasonable GC timeouts were being exceeded. Related to https://github.com/kubernetes/kubernetes/issues/49966. /cc @kubernetes/sig-api-machinery-bugs ```release-note NONE ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582) Add rbac.authorization.k8s.io/v1 xref https://github.com/kubernetes/features/issues/2 Promotes the rbac.authorization.k8s.io/v1beta1 API to v1 with no changes ```release-note The `rbac.authorization.k8s.io/v1beta1` API has been promoted to `rbac.authorization.k8s.io/v1` with no changes. The `rbac.authorization.k8s.io/v1alpha1` version is deprecated and will be removed in a future release. ```
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49615, 49321, 49982, 49788, 50355) Simplify hack/verify-flags-underscore.py **What this PR does / why we need it**: This PR removes the need for `hack/verify-flags/known-flags.txt` and verify-flags-underscore.py will always parse the flags from go files to check if they have underscore. It is much faster compared to earlier checks and it does its job to check for underscore in flags. Now: ``` # time ./hack/verify-flags-underscore.py real 0m1.638s user 0m1.560s sys 0m0.076s ``` Before: ``` # time ./hack/verify-flags-underscore.py real 0m22.585s user 0m22.464s sys 0m0.112s ``` It has become a pain to keep adding new flag to `known-flags.txt` whenever a new flag is introduced. with this PR this is step is not required anymore. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #40329 #50319 **Special notes for your reviewer**: **Release note**: ``` NONE ``` /cc @fejta @mtaufen
-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 49615, 49321, 49982, 49788, 50355) csr: add resync to csr approver fixes https://github.com/kubernetes/kubernetes/issues/49787 ```release-note Fix an issue where if a CSR is not approved initially by the SAR approver is not retried. ```
-