From the listen godoc:
For TCP networks, if the host in the address parameter is empty or a
literal unspecified IP address, Listen listens on all available unicast
and anycast IP addresses of the local system.
Since the BindNetwork options is "tcp" by default, using an unspecified
address doesn't bind the listener to the IP family.
Kubernetes-commit: 05010d23ac7751a17aa26fb5cc011eb4f2127b1e
apiserver adds localhost to the alternateDNS field
if the bind address is 0.0.0.0.
This PR considers the IPv6 unspecified address too.
Kubernetes-commit: 29ec87f769c6494fad5c0a0c624efe2dc6eeab13
This change relaxes the KMS config cache size validation to allow
for negative values. The KMS code already treats all values <= 0 to
mean that the cache is disabled (zero is still a validation error).
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: a16808f353afb6abf402c862d5f859b949d2027a
request_total is fully accumulating, fetch_total is mostly accumulating
except for the active label.
Kubernetes-commit: a84e883e4b39f6a040d479b5be89b0750f4e7bf1
Attempting to add ResourceVersion precondition to
eviction requests results in a conflict failure. This
is due to the fact that we apply a deletion timestamp
which mutates the underlying resource. The resource
version is then checked again later in the code.
This commit removes the ResourceVersion precondition
after the object has a deletion timestamp applied.
Related-Bug: https://github.com/kubernetes/kubernetes/issues/85485
Kubernetes-commit: 494629ef58c6d01607d610d3e757666356c0b18d
This commit responds to the comments on PR #85192 that were not yet
addressed at the time it merged, apart from the one fixed in PR
Generalized fairqueuing to allow for zero queues, to support a
priority level that limits concurrency but does no queuing.
Kubernetes-commit: b123a43e7117e977606bacd31d77f4a30d2ed212
The old name is too broad, we wanted a name that is more specific to
the actual feature.
This is an alpha gate, and no release has yet associated any
functionality with this gate.
Kubernetes-commit: 76d090e30f917888c5882228f7261ed31a34a2ab
(1) Replaced random-looking assortment of counter increments and
decrements with something hopefully more principalled-looking. Most
importantly, introduced the MutablePromise abstraction to neatly wrap
up the complicated business of unioning multiple sources of
unblocking.
(2) Improved debug logging.
(3) Somewhat more interesting test cases, and a bug fix wrt round
robin index.
Kubernetes-commit: 1c31b2bdc65377f502c2306dbdf32a802eb1afb7
b.N is adjusted by pkg/testing using an internal heuristic:
> The benchmark function must run the target code b.N times. During
> benchmark execution, b.N is adjusted until the benchmark function
> lasts long enough to be timed reliably.
Using b.N to seed other parameters makes the benchmark behavior
difficult to reason about. Before this change, thread count in the
CachedTokenAuthenticator benchmark is always 5000, and batch size is
almost always 1 when I run this locally. SimpleCache and StripedCache
benchmarks had similarly strange scaling.
After modifying CachedTokenAuthenticator to only adjust iterations based
on b.N, the batch chan was an point of contention and I wasn't able to
see any significant CPU consumption. This was fixed by using
ParallelBench to do the batching, rather than using a chan.
Kubernetes-commit: 43d34882c9b3612d933b97b6e470fd8d36fe492b
Instead of returning an error on the watch stream, if we can't properly
negotiate a watch serialization format we should error and return that
error to the client.
Kubernetes-commit: 9aad6aa54d824ba93a6670cd5a0cab6ad337e9f0
Also rename utilnet.ChooseBindAddress() to ResolveBindAddress(), to
better describe its functionality.
Kubernetes-commit: afa0b808f873b515c9d58a9ead788972ea7d2533
Clients should be able to identify when a namespace is being terminated and
take special action such as backing off or giving up. Add a helper for
getting the cause of an error and then add a special cause to the forbidden
error that namespace lifecycle admission returns. We can't change the forbidden
reason without potentially breaking older clients and so cause is the
appropriate tool.
Add `StatusCause` and `HasStatusCause` to the errors package to make checking
for causes simpler. Add `NamespaceTerminatingCause` to the v1 API as a constant.
Kubernetes-commit: a62c5b282fda7c0832d329cde45e5e0a836924e8
Reload SNI certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
Kubernetes-commit: d9adf535f35051be1d79d1309c72762939593d7c
Reload certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
Kubernetes-commit: 3f5fbfbfac281f40c11de2f57d58cc332affc37b
Clean up useless functions, only keep the basic function Deal
and the function DealIntoHand which will be used by Priority
and Fairness.
Improve some comments for constants and functions.
Introduce Dealer to combine parameters and methods into a whole.
Use fixed-size slice to improve performance.
Use math.Ceil and math.Log2 to calculate required entropy bits.
Make the given hand adaptive to handSize in DealIntoHand.
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Kubernetes-commit: 7a3ca070cdd9804a22bf5db8a99576b09fc52484
Changes following up on shuffle sharding util package.
Made the validation checking function return a slice of error messages
rather than just a bit.
Replaced all the `int32` with `int` because this is intended for more
than just the priority-and-faireness feature and so should not be a
slave to its configuration datatypes.
Introduced ShuffleAndDealIntoHand, to make memory allocation the
caller's problem/privilege.
Made the hand uniformity tester avoid reflection, evaluate the
histogram against the expected range of counts, and run multiple test
cases, including one in which the number of hash values is a power of
two with four extra bits (as the validation check requires) and one in
which the deck size is not a power of two.
Kubernetes-commit: da0b647155912c6b1e6b971aa5685768915d810d
Implement several shuffle sharding functions including ShuffleAndDeal,
ShuffleAndDealToSlice.
Add benchmarks and tests for shuffle sharding to test performance,
correctness and distribution uniformity.
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Kubernetes-commit: e97eaef4f65ec2cbfebf4fd9e726c9e2a6bf5499
We create and use a dynamic certificate provider for the SNI serving
certificates. Currently we only use static serving certificate
providers, so the files are not reloaded, but we should be able to move
to a provider that is able to reload later on.
Kubernetes-commit: 84bc6b151d0726db0c737443874577f044e0e9c8
Currently we record request metrics during the normal request flow and
we also manually invoke `Record` in the timeout handler to record
timeouts. This means that we effectively double count whenever we
timeout. This PR renames the `Record` function to `RecordRequestError`
to more accurately reflect the intended side-effect of the function
call.
Change-Id: Ie37fd0c1e501bd525640a434433d364a5fd6dde2
Kubernetes-commit: 4c6e7247878477a1f2efc26df7f141258010374f
We create and use a dynamic certificate provider for the main apiserver
serving certificates: SNI will be handled separately later. Currently we
only use static serving certificate providers, so the files are not
reloaded, but we should be able to move to a provider that is able to
reload later on.
Kubernetes-commit: 6f89f1027488aeba4af0786988c2fd2ace9a6f1d
It is possible to configure the token cache to cache failures. We
allow 1 MB of headers per request, meaning a malicious actor could
cause the cache to use a large amount of memory by filling it with
large invalid tokens. This change hashes the token before using it
as a key. Measures have been taken to prevent precomputation
attacks. SHA 256 is used as the hash to prevent collisions.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 9a547bca8e6e15273bfafd3496aa6524fd7d35bd
This is super expensive and not needed at all since we don't have to
reparse the entire object. Remove all allocations but the first one.
Kubernetes-commit: 31c644a1e79c685b52683ed1e84964186a37f3ff
This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix. If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix. A failure in the first one should not
prevent a later match from being attempted.
Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions. Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 4dc16f29a7285a4bcaff1915728953d8a55e1b6e
longer assigned to me by blunderbuss.
Move myself to be an emeritus approver for the cluster directory.
Kubernetes-commit: 9d211ab352f78482fde7ec593b3dcacea9bcc139
If konnectivity service is enabled, the etcd client will now use it.
This did require moving a few methods to break circular dependencies.
Factored in feedback from lavalamp and wenjiaswe.
Kubernetes-commit: edbb0fa2fe2084d5d9ce0cf9dc0d1b2d820bb392
go fmt
make func private
refactor config_test
Two primary refactorings:
1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)
2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).
go fmt
modify and simplify existing integration test for readyz/livez
simplify integration test
set default rbac policy rules for livez
rename a few functions and the entrypoint command line argument (and etcetera)
simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check
untangle some of the nested functions, restructure the code
Kubernetes-commit: aa1b2d6d35c92a31be17357fc66cfc1eca8a67e0
The new etcd balancer (>3.3.14, 3.4.0) uses an asynchronous resolver for
endpoints. Without "WithBlock", the client may return before the
connection is up.
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
Kubernetes-commit: a254d0e2a67645948c9631d4bf11ef60aa26f5ae
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating -bench . -benchmem -run DoNotRun
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating -bench . -benchmem -run DoNotRun
Kubernetes-commit: 27f535e26ad88fa30d5c0fcde4bc31897b9d521c
Got the proxy-server coming up in the master.
Added certs and have it comiung up with those certs.
Added a daemonset to run the network-agent.
Adding support for agent running as a sameon set on every node.
Added quick hack to test that proxy server/agent were correctly
tunneling traffic to the kubelet.
Added more WIP for reading network proxy configuration.
Get flags set correctly and fix connection services.
Adding missing ApplyTo
Added ConnectivityService.
Fixed build directives. Added connectivity service configuration.
Fixed log levels.
Fixed minor issues for feature turned off.
Fixed boilerplate and format.
Moved log dialer initialization earlier as per Liggits suggestion.
Fixed a few minor issues in the configuration for GCE.
Fixed scheme allocation
Adding unit test.
Added test for direct connectivity service.
Switching to injecting the Lookup method rather than using a Singleton.
First round of mikedaneses feedback.
Fixed deployment to use yaml and other changes suggested by MikeDanese.
Switched network proxy server/agent which are kebab-case not camelCase.
Picked up DIAL_RSP fix.
Factored in deads2k feedback.
Feedback from mikedanese
Factored in second round of feedback from David.
Fix path in verify.
Factored in anfernee's feedback.
First part of lavalamps feedback.
Factored in more changes from lavalamp and mikedanese.
Renamed network-proxy to konnectivity-server and konnectivity-agent.
Fixed tolerations and config file checking.
Added missing strptr
Finished lavalamps requested rename.
Disambiguating konnectivity service by renaming it egress selector.
Switched feature flag to KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE
Kubernetes-commit: ebb65c5f4c51340f42c260cf00bde8629ed68d74
We don't have a lot of data on allocations and how much time it takes to
run apply or update on objects, so adding some benchmark will help us
investigate possible improvements.
Kubernetes-commit: 92cf3764f979e63317c8f483d8e841e0358599f4
The previous HTTP compression implementation functioned as a filter, which
required it to deal with a number of special cases that complicated the
implementation.
Instead, when we write an API object to a response, handle only that one
case. This will allow a more limited implementation that does not impact
other code flows.
Also, to prevent excessive CPU use on small objects, compression is
disabled on responses smaller than 128Kb in size.
Kubernetes-commit: 4ed2b9875d0498b5c577095075bda341e96fcec2
http.NewRequest can return an error. (Eg. error parsing url).
This will cause us to have a nil req object.
That in turn will become a SIGSEGV when we set the context.
Kubernetes-commit: ee2ad1d1fe55a3823311267f39e8b14e8b0c4c68
Normal files should have permissions 644 by default,
and does not require the last bit to be
executable
Signed-off-by: Odin Ugedal <odin@ugedal.com>
Kubernetes-commit: 35cb87f9cf71776e99a970dfff751cd29ba7ebfb
There was a typo, the test was there but the return was not.
Added test that exposes the difference.
Kubernetes-commit: 7056e216addc7203f24c37a95c5c14ad194dddca
add startup sequence duration and readyz endpoint
add rbac bootstrapping policy for readyz
add integration test around grace period and readyz
rename startup sequence duration flag
copy health checks to fields
rename health-check installed boolean, refactor clock injection logic
cleanup clock injection code
remove todo about poststarthook url registration from healthz
Kubernetes-commit: 54dcf5c9c46fc4782d4861936309349b5a71a1ac
David Eads