[pull] master from kubernetes:master#1924
Open
pull[bot] wants to merge 8141 commits into
etcd-manager: Bump etcd patches and drop 3.4 support
Removes dead code that was unused, no behavior change:
- main.go: --remove-dns-names, --dns-update-interval, --zone, --dns-internal-suffix, --cluster-id (parsed, never read); also RootFS package var and KubeBoot.InternalDNSSuffix
- {GCE,OpenStack}CloudProvider: unused Project() method
- nodeup ProtokubeFlags: matching ClusterID, DNSInternalSuffix, Zone fields and their populators.
Convert struct fields that were only used for construction-time validation/logging into local vars, and drop a redundant interface:
- AWS: drop zone, deviceMap; imdsClient becomes a local
- GCE: drop compute, project, zone, region, clusterName (only discovery and instanceName are read post-construction)
- OpenStack: drop storageZone
- DO: drop region, dropletID and the now-orphaned getMetadataRegion / getMetadataDropletID helpers and constants
- Azure: replace the local 4-method client interface with the concrete *gossipazure.Client; the interface served only as a compile-time assertion with no test mocks
The flag was always set true by nodeup and protokube already gated the label-bootstrap call on k.Master. Remove the flag, the ProtokubeFlags / KubeBoot fields, and the inner gate; rely on k.Master alone.
The local TokenSource type just reimplemented what golang.org/x/oauth2 already provides.
gce: shrink etcd-cluster disk label to fit 63-char limit
protokube: drop unused flags, fields, and methods and cleanup
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.9.0 to 5.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
The pod's priorityClassName was hardcoded to system-cluster-critical. Expose it as spec.externalDNS.priorityClassName so it can be overridden or dropped (set to ""). This lets the upgrade e2e presubmits drop the priorityClassName so `kops validate cluster` ignores the dns-controller pod while the new image hasn't side-loaded.

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
dns-controller: make priorityClassName configurable
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
…vider dns-controller: default Provider when ExternalDNS is partially set
e2e: add upgrade test for gossip
aws: Only set nodeAllocatableUpdatePeriodSeconds on K8s 1.35+
Enable workers to reach kops-controller via the internal API load balancer instead of resolving kops-controller.internal via gossip DNS, which broke when the gcediscovery resolver was removed in #15121.
…ctions/dependency-review-action-5.0.0 build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0
gce: expose kops-controller on internal LB for gossip clusters
kubetest2-kops heartbeats the Boskos GCP project lease from a goroutine that dies when kubetest2 exits. The upgrade scenario then runs the long kops reconcile + rolling-update + e2e phases outside kubetest2, so the project sits unattended past the reaper's 30 min TTL and the cluster is silently destroyed mid-test. Refresh the lease before the reconcile and again before the ginkgo suite. No-op on non-GCE.

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
e2e: heartbeat Boskos lease during upgrade test
e2e: Improve resource dump reliability
Use protobuf
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
scaletest: decouple client HTTP traffic for etcd events
Release notes for 1.36 (alpha)
chore: Add hashes for additional May releases
Add logs at v2 level to ensure we have slow pods data in logs
chore: upgrade containerd to v2.3.1
Upgrade kube-router to v2.10.0
The helm+kustomize migration switched the controller Deployment and
webhook Service selectors from {component, name} to the chart's
{instance, name}. A Deployment's spec.selector is immutable, so upgrading
from kops <1.36 has the apply rejected: the pod template is never updated,
the webhook Service loses its endpoints, and the mutating webhooks
(failurePolicy: Fail) time out, breaking target registration.
Pin both selectors back to the historical {component, name} labels and add
the component label to the pod template so it still satisfies the selector,
keeping upgrades working without touching the immutable field.
aws: pin LBC selectors to fix in-place upgrades
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
cert-manager: upgrade to v1.19.5 and set AWS_REGION for Route53 dns-01
etcd: add ListenClientHTTPURLs field to EtcdManagerSpec
A cluster spec applied with the top-level `authorization` field omitted (kops create -f / replace -f) defaulted to AlwaysAllow, while `kops create cluster` has always defaulted to RBAC. Align the v1alpha2 and v1alpha3 SetDefaults_ClusterSpec with the CLI: an omitted or empty authorization now defaults to RBAC. AlwaysAllow is still honored when set explicitly.

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Default omitted authorization to RBAC instead of AlwaysAllow
kOps forbids setting masquerade (disableMasquerade) when Cilium ENI IPAM is used, erroring with "Masquerade must be enabled when ENI IPAM is used". This blocks users who want Cilium's upstream no-masquerade behavior for ENI (e.g. private-topology clusters with NAT-gateway egress, or clusters using VPC endpoints), forcing them to patch the cilium-config ConfigMap after the fact, which races new nodes during rolling updates.

Remove the validation so masquerade can be set in either direction for ENI.

The default is intentionally left unchanged (masquerade stays on): flipping it off by default breaks pod egress to external endpoints (e.g. IRSA -> STS) on public-topology clusters whose pod ENI IPs have no public address, as shown by a red pull-kops-e2e-cni-cilium-eni run. Users who can route pod egress without masquerading opt in via masquerade=false (or via extraConfig).

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Apply errors were only logged, so a manifest the apiserver rejects (e.g. an immutable Deployment selector) left the cluster silently broken. /readyz now reflects the last apply outcome; the pod is system-node-critical, so a NotReady fails `kops validate cluster` and halts the rolling update before workers roll.
cilium: allow disabling masquerade in ENI IPAM mode
channels: surface addon apply failures via a readiness probe
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )