... to match the comment on that field.
Also generalized the test case generator to exercise the new
generality.
Kubernetes-commit: 2e97d3c8732147c3ba2f11d668f50b44e6374348
This change adds the TestListContinuationWithFilter test which
confirms that paging with a predicate that does not match everything
results in the correct amount of calls to TransformFromStorage and
KV.Get. The partial result of each paging call is also asserted.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: 002c75442d768d2bcc51047667354ff16bbfa2e8
The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
Kubernetes-commit: 711c1e17209cc410440eecd3723e7b4906ca0e42
Beta OS/arch labels have been deprecated since 1.14.
This change replaces these labels with the GA ones.
Kubernetes-commit: bcd975aa6575ae37ec3be3481e44cd0dccd02337
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
Kubernetes-commit: 5a176ac77241ff059f22609fc569ac219334238c
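
The key-rotation note in the commit message above, illustrated with an added example (not code from the commit or from Kubernetes): a token issued before rotation fails against a key set holding only the current signing key, but verifies against the full validating key set. The `token` struct, the `keyID` scheme and the sample subject are constructed stand-ins for a JWT, its `kid` header and a JWKS document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// keyID derives a short key identifier from a public key (constructed scheme).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:4])
}

// token is a simplified stand-in for a signed service account JWT.
type token struct {
	kid          string
	payload, sig []byte
}

// sign issues a token with the given private key and records its key id.
func sign(priv ed25519.PrivateKey, payload string) token {
	pub := priv.Public().(ed25519.PublicKey)
	return token{kid: keyID(pub), payload: []byte(payload), sig: ed25519.Sign(priv, []byte(payload))}
}

// verify looks the token's key id up in the published key set, as a relying
// party would after fetching the JWKS document, and checks the signature.
func verify(published map[string]ed25519.PublicKey, t token) bool {
	pub, ok := published[t.kid]
	return ok && ed25519.Verify(pub, t.payload, t.sig)
}

// rotationDemo reports whether a token issued before rotation verifies against
// (a) only the current signing key and (b) the full validating key set.
func rotationDemo() (signingOnly, validatingSet bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	newPub, _, _ := ed25519.GenerateKey(nil)       // signer after rotation
	issued := sign(oldPriv, `{"sub":"system:serviceaccount:default:demo"}`)
	current := map[string]ed25519.PublicKey{keyID(newPub): newPub}
	validating := map[string]ed25519.PublicKey{keyID(oldPub): oldPub, keyID(newPub): newPub}
	return verify(current, issued), verify(validating, issued)
}

func main() {
	signingOnly, validatingSet := rotationDemo()
	fmt.Println("signing key only:", signingOnly, "validating key set:", validatingSet)
}
```
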
Downstreams assume process restarts when counters decrement. Currently,
the "active" label is expected to decrement but the "ok" and "error"
labels are intended to be handled as counters. This is unnecessary and
hard to deal with. This change consolidates "blocking" and "in_flight"
tracking into a single gauge, which allows fetch completion to be a pure
counter.
Kubernetes-commit: dc5934f58456d95b0264665871c0c48e16ee6469
I've also moved the deserialization of the object outside the benchmark
since we're not trying to benchmark the yaml parser.
Kubernetes-commit: a52776fbfb305374d87bb553739f712e055b2206
Added LockingWriteMultipleOnly and LockingWriteOnceOnly interfaces,
so that further extensions are possible (in this package or others).
Moved common SetLocked behavior into promisoid.
Made comments say things that were implied.
Kubernetes-commit: cbdd3a279e6161d73f2c4e8a2b916ae74b258621
Previously, a `decisionCancel` could overwrite a `decisionReject` or
`decisionExecute`, causing confusion. Now a request gets exactly one
decision and there is no confusion.
Also added write-once to the promise package and refactored.
Kubernetes-commit: 1c092bf635954bde9c9c363672fa156b9430206b
So that errors can be detected before resolving concurrency shares
into concurrency counts.
Kubernetes-commit: 1e170637c3ce6c4ccd378275d9e52192f4be12b7
This PR fixes oversights and adds validation that rejects writes
of wrong Spec values for the four mandatory objects.
Kubernetes-commit: ec5321c6a9f23e5ad26cf88a41fda9dba0c5ce89
Lowers probability of managedField population on create/update to 0%
until serialization/normalization issues are resolved
Kubernetes-commit: ba23aa98f6574bd1f9781f0d3e61d0496f16fc53
From the listen godoc:
For TCP networks, if the host in the address parameter is empty or a
literal unspecified IP address, Listen listens on all available unicast
and anycast IP addresses of the local system.
Since the BindNetwork option is "tcp" by default, using an unspecified
address doesn't bind the listener to the IP family.
Kubernetes-commit: 05010d23ac7751a17aa26fb5cc011eb4f2127b1e
apiserver adds localhost to the alternateDNS field
if the bind address is 0.0.0.0.
This PR considers the IPv6 unspecified address too.
Kubernetes-commit: 29ec87f769c6494fad5c0a0c624efe2dc6eeab13
This change relaxes the KMS config cache size validation to allow
for negative values. The KMS code already treats all values <= 0 to
mean that the cache is disabled (zero is still a validation error).
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: a16808f353afb6abf402c862d5f859b949d2027a
request_total is fully accumulating, fetch_total is mostly accumulating
except for the active label.
Kubernetes-commit: a84e883e4b39f6a040d479b5be89b0750f4e7bf1
Attempting to add ResourceVersion precondition to
eviction requests results in a conflict failure. This
is due to the fact that we apply a deletion timestamp
which mutates the underlying resource. The resource
version is then checked again later in the code.
This commit removes the ResourceVersion precondition
after the object has a deletion timestamp applied.
Related-Bug: https://github.com/kubernetes/kubernetes/issues/85485
Kubernetes-commit: 494629ef58c6d01607d610d3e757666356c0b18d
This commit responds to the comments on PR #85192 that were not yet
addressed at the time it merged, apart from the one fixed in PR
Generalized fairqueuing to allow for zero queues, to support a
priority level that limits concurrency but does no queuing.
Kubernetes-commit: b123a43e7117e977606bacd31d77f4a30d2ed212
The old name is too broad, we wanted a name that is more specific to
the actual feature.
This is an alpha gate, and no release has yet associated any
functionality with this gate.
Kubernetes-commit: 76d090e30f917888c5882228f7261ed31a34a2ab
(1) Replaced random-looking assortment of counter increments and
decrements with something hopefully more principled-looking. Most
importantly, introduced the MutablePromise abstraction to neatly wrap
up the complicated business of unioning multiple sources of
unblocking.
(2) Improved debug logging.
(3) Somewhat more interesting test cases, and a bug fix wrt round
robin index.
Kubernetes-commit: 1c31b2bdc65377f502c2306dbdf32a802eb1afb7
b.N is adjusted by pkg/testing using an internal heuristic:
> The benchmark function must run the target code b.N times. During
> benchmark execution, b.N is adjusted until the benchmark function
> lasts long enough to be timed reliably.
Using b.N to seed other parameters makes the benchmark behavior
difficult to reason about. Before this change, thread count in the
CachedTokenAuthenticator benchmark is always 5000, and batch size is
almost always 1 when I run this locally. SimpleCache and StripedCache
benchmarks had similarly strange scaling.
After modifying CachedTokenAuthenticator to only adjust iterations based
on b.N, the batch chan was a point of contention and I wasn't able to
see any significant CPU consumption. This was fixed by using
ParallelBench to do the batching, rather than using a chan.
Kubernetes-commit: 43d34882c9b3612d933b97b6e470fd8d36fe492b
Instead of returning an error on the watch stream, if we can't properly
negotiate a watch serialization format we should error and return that
error to the client.
Kubernetes-commit: 9aad6aa54d824ba93a6670cd5a0cab6ad337e9f0
Also rename utilnet.ChooseBindAddress() to ResolveBindAddress(), to
better describe its functionality.
Kubernetes-commit: afa0b808f873b515c9d58a9ead788972ea7d2533
Clients should be able to identify when a namespace is being terminated and
take special action such as backing off or giving up. Add a helper for
getting the cause of an error and then add a special cause to the forbidden
error that namespace lifecycle admission returns. We can't change the forbidden
reason without potentially breaking older clients and so cause is the
appropriate tool.
Add `StatusCause` and `HasStatusCause` to the errors package to make checking
for causes simpler. Add `NamespaceTerminatingCause` to the v1 API as a constant.
Kubernetes-commit: a62c5b282fda7c0832d329cde45e5e0a836924e8
Reload SNI certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
Kubernetes-commit: d9adf535f35051be1d79d1309c72762939593d7c