Merge branch 'master' into update-cluster-spec-document-with-custom-metrics-flag

docs/cluster_spec.md

@@ -203,6 +203,20 @@ spec:
   kubelet:
     enableCustomMetrics: true
 ```
+### kubeScheduler
+
+This block contains configurations for `kube-scheduler`.  See https://kubernetes.io/docs/admin/kube-scheduler/
+
+ ```yaml
+ spec:
+   kubeScheduler:
+     policyConfigMap: scheduler-policy
+     policyConfigMapNamespace: default
+```
+
+Will resulting to running kube-scheduler with the arguments `--policy-configmap=scheduler-policy --policy-configmap-namespace=default`.
+
+Note that as of Kubernetes 1.8.0 kube-scheduler does not reload its configuration from configmap automatically. You will need to ssh into the master instance and restart the Docker container manually. Also, this option is not supported during cluster creation, only during updates.
 
 ####  Feature Gates
 

docs/releases/1.7.1.md

@@ -1,15 +1,12 @@
-**Kops 1.7.1 is not released yet**
+*Please see [1.7-NOTES.md](1.7-NOTES.md) for known issues, significant changes, and required actions for 1.7.*
 
-*Please see [1.7-NOTES.md](1.7-NOTES.md) for known issues*
+This document describes the changes since 1.7.0.
 
-# Required Actions
+# Significant changes
 
-* Existing Calico users on clusters that were created prior to kops 1.7.1
-  need to be updated for the new "DefaultDeny" behavior for Kubernetes NetworkPolicies.
-  See the *Changes to k8s-policy* section in the
-  [Calico release notes](https://github.com/projectcalico/calico/releases/tag/v2.4.0)
-  for help.
+* kube-dns has been updated with the hotfix for CVE-2017-14491.  For more details, please see [CVE Advisory](kops/docs/advisories/cve_2017_14491.md).
 
-Features:
-* Upgrade Calico to v2.4.1 (thanks @tmjd)
+# Full changelist
 
+* Update images in CI tests (thanks @justinsb)
+* Update kube-dns to 1.14.5 for CVE-2017-14491 (thanks @mikesplain)

docs/releases/1.8-NOTES.md

@@ -7,6 +7,15 @@ is not recommended, but will be the default value for existing clusters or clust
 `kops create cluster` with `--networking flannel` will use `vxlan`, `--networking flannel-vxlan`
 or `--networking flannel-udp` can be specified to explicitly choose a backend mode.
 
+# Required Actions
+
+* Existing Calico users on clusters that were created prior to kops 1.8.0
+  need to be updated for the new "DefaultDeny" behavior for Kubernetes NetworkPolicies.
+  See the *Changes to k8s-policy* section in the
+  [Calico release notes](https://github.com/projectcalico/calico/releases/tag/v2.4.0)
+  for help.
+
 # Full changelist
 
 * ExperimentalCriticalPodAnnotation feature gate is now enabled by default in kubelet [@andreychernih](https://github.com/andreychernih) [#3345](https://github.com/kubernetes/kops/pull/3345)
+* Upgrade Calico to v2.4.1 (thanks @tmjd)

hack/make-gendocs.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Build openapi-gen executables from vendor-ed dependencies
+
+. $(dirname "${BASH_SOURCE}")/common.sh
+
+WORK_DIR=`mktemp -d`
+
+function cleanup {
+  rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+mkdir -p ${WORK_DIR}/go/
+ln -s ${GOPATH}/src/k8s.io/kops/vendor/ ${WORK_DIR}/go/src
+
+GOPATH=${WORK_DIR}/go/ go install k8s.io/code-generator/cmd/openapi-gen
+cp ${WORK_DIR}/go/bin/openapi-gen ${GOPATH}/bin/
+
+# Install the apiserver-builder commands
+GOPATH=${WORK_DIR}/go/ go install github.com/kubernetes-incubator/apiserver-builder/cmd/...
+cp ${WORK_DIR}/go/bin/openapi-gen ${GOPATH}/bin/
+
+# Install the reference docs commands (apiserver-builder commands invoke these)
+GOPATH=${WORK_DIR}/go/ go install github.com/kubernetes-incubator/reference-docs/gen-apidocs/...
+cp ${WORK_DIR}/go/bin/openapi-gen ${GOPATH}/bin/
+
+# More code generators
+GOPATH=${WORK_DIR}/go/ go install k8s.io/code-generator/cmd/lister-gen
+cp ${WORK_DIR}/go/bin/lister-gen ${GOPATH}/bin/
+
+GOPATH=${WORK_DIR}/go/ go install k8s.io/code-generator/cmd/informer-gen
+cp ${WORK_DIR}/go/bin/informer-gen ${GOPATH}/bin/
+

pkg/apis/kops/componentconfig.go

@@ -330,6 +330,10 @@ type KubeSchedulerConfig struct {
 	Image string `json:"image,omitempty"`
 	// LeaderElection defines the configuration of leader election client.
 	LeaderElection *LeaderElectionConfiguration `json:"leaderElection,omitempty"`
+	// PolicyConfigMap is the name of configmap to use for scheduler policy
+	PolicyConfigMap string `json:"policyConfigMap,omitempty" flag:"policy-configmap"`
+	// PolicyConfigMapNamespace is the namespace containing the configmap
+	PolicyConfigMapNamespace string `json:"policyConfigMapNamespace,omitempty" flag:"policy-configmap-namespace"`
 }
 
 // LeaderElectionConfiguration defines the configuration of leader election

pkg/apis/kops/v1alpha1/componentconfig.go

@@ -330,6 +330,10 @@ type KubeSchedulerConfig struct {
 	Image string `json:"image,omitempty"`
 	// LeaderElection defines the configuration of leader election client.
 	LeaderElection *LeaderElectionConfiguration `json:"leaderElection,omitempty"`
+	// PolicyConfigMap is the name of configmap to use for scheduler policy
+	PolicyConfigMap string `json:"policyConfigMap,omitempty" flag:"policy-configmap"`
+	// PolicyConfigMapNamespace is the namespace containing the configmap
+	PolicyConfigMapNamespace string `json:"policyConfigMapNamespace,omitempty" flag:"policy-configmap-namespace"`
 }
 
 // LeaderElectionConfiguration defines the configuration of leader election

pkg/apis/kops/v1alpha1/zz_generated.conversion.go

@@ -2003,6 +2003,8 @@ func autoConvert_v1alpha1_KubeSchedulerConfig_To_kops_KubeSchedulerConfig(in *Ku
 	} else {
 		out.LeaderElection = nil
 	}
+	out.PolicyConfigMap = in.PolicyConfigMap
+	out.PolicyConfigMapNamespace = in.PolicyConfigMapNamespace
 	return nil
 }
 
@@ -2024,6 +2026,8 @@ func autoConvert_kops_KubeSchedulerConfig_To_v1alpha1_KubeSchedulerConfig(in *ko
 	} else {
 		out.LeaderElection = nil
 	}
+	out.PolicyConfigMap = in.PolicyConfigMap
+	out.PolicyConfigMapNamespace = in.PolicyConfigMapNamespace
 	return nil
 }
 

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -331,6 +331,10 @@ type KubeSchedulerConfig struct {
 	Image string `json:"image,omitempty"`
 	// LeaderElection defines the configuration of leader election client.
 	LeaderElection *LeaderElectionConfiguration `json:"leaderElection,omitempty"`
+	// PolicyConfigMap is the name of configmap to use for scheduler policy
+	PolicyConfigMap string `json:"policyConfigMap,omitempty" flag:"policy-configmap"`
+	// PolicyConfigMapNamespace is the namespace containing the configmap
+	PolicyConfigMapNamespace string `json:"policyConfigMapNamespace,omitempty" flag:"policy-configmap-namespace"`
 }
 
 // LeaderElectionConfiguration defines the configuration of leader election

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -2265,6 +2265,8 @@ func autoConvert_v1alpha2_KubeSchedulerConfig_To_kops_KubeSchedulerConfig(in *Ku
 	} else {
 		out.LeaderElection = nil
 	}
+	out.PolicyConfigMap = in.PolicyConfigMap
+	out.PolicyConfigMapNamespace = in.PolicyConfigMapNamespace
 	return nil
 }
 
@@ -2286,6 +2288,8 @@ func autoConvert_kops_KubeSchedulerConfig_To_v1alpha2_KubeSchedulerConfig(in *ko
 	} else {
 		out.LeaderElection = nil
 	}
+	out.PolicyConfigMap = in.PolicyConfigMap
+	out.PolicyConfigMapNamespace = in.PolicyConfigMapNamespace
 	return nil
 }
 

pkg/model/components/BUILD.bazel

@@ -36,6 +36,7 @@ go_test(
     srcs = [
         "kubecontrollermanager_test.go",
         "kubelet_test.go",
+        "kubescheduler_test.go",
     ],
     library = ":go_default_library",
     deps = [

pkg/model/components/kubescheduler.go

@@ -17,6 +17,8 @@ limitations under the License.
 package components
 
 import (
+	"fmt"
+
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/loader"
@@ -37,6 +39,10 @@ func (b *KubeSchedulerOptionsBuilder) BuildOptions(o interface{}) error {
 
 	config := clusterSpec.KubeScheduler
 
+	if config.PolicyConfigMap != "" && b.IsKubernetesLT("v1.7.0") {
+		return fmt.Errorf("policyConfigMap is only supported in Kubernetes 1.7.0 or later")
+	}
+
 	if config.LogLevel == 0 {
 		// TODO: No way to set to 0?
 		config.LogLevel = 2

pkg/model/components/kubescheduler_test.go

@@ -0,0 +1,135 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package components
+
+import (
+	"testing"
+
+	api "k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/pkg/apis/kops/util"
+	"k8s.io/kops/pkg/assets"
+)
+
+func buildSchedulerConfigMapCluster() *api.Cluster {
+	return &api.Cluster{
+		Spec: api.ClusterSpec{
+			CloudProvider:     "aws",
+			KubernetesVersion: "v1.4.0",
+			KubeScheduler: &api.KubeSchedulerConfig{
+				PolicyConfigMap: "scheduler-config",
+			},
+		},
+	}
+}
+
+func Test_Build_Scheduler_Without_PolicyConfigMap(t *testing.T) {
+	versions := []string{"v1.6.0", "v1.6.4", "v1.7.0", "v1.7.4"}
+	b := assets.NewAssetBuilder(nil)
+
+	for _, v := range versions {
+
+		c := buildCluster()
+
+		version, err := util.ParseKubernetesVersion(v)
+
+		if err != nil {
+			t.Fatalf("unexpected error from ParseKubernetesVersion %s: %v", v, err)
+		}
+
+		ks := &KubeSchedulerOptionsBuilder{
+			&OptionsContext{
+				AssetBuilder:      b,
+				KubernetesVersion: *version,
+			},
+		}
+
+		spec := c.Spec
+
+		spec.KubernetesVersion = v
+		err = ks.BuildOptions(&spec)
+
+		if err != nil {
+			t.Fatalf("unexpected error from BuildOptions: %v", err)
+		}
+	}
+
+}
+func Test_Build_Scheduler_PolicyConfigMap_Unsupported_Version(t *testing.T) {
+	versions := []string{"v1.6.0", "v1.6.4"}
+	b := assets.NewAssetBuilder(nil)
+
+	for _, v := range versions {
+
+		c := buildSchedulerConfigMapCluster()
+
+		version, err := util.ParseKubernetesVersion(v)
+
+		if err != nil {
+			t.Fatalf("unexpected error from ParseKubernetesVersion %s: %v", v, err)
+		}
+
+		ks := &KubeSchedulerOptionsBuilder{
+			&OptionsContext{
+				AssetBuilder:      b,
+				KubernetesVersion: *version,
+			},
+		}
+
+		spec := c.Spec
+
+		spec.KubernetesVersion = v
+		err = ks.BuildOptions(&spec)
+
+		if err == nil {
+			t.Fatalf("error is expected, but none are returned")
+		}
+	}
+
+}
+
+func Test_Build_Scheduler_PolicyConfigMap_Supported_Version(t *testing.T) {
+	versions := []string{"v1.7.0", "v1.7.4", "v1.8.0"}
+	b := assets.NewAssetBuilder(nil)
+
+	for _, v := range versions {
+
+		c := buildSchedulerConfigMapCluster()
+
+		version, err := util.ParseKubernetesVersion(v)
+
+		if err != nil {
+			t.Fatalf("unexpected error from ParseKubernetesVersion %s: %v", v, err)
+		}
+
+		ks := &KubeSchedulerOptionsBuilder{
+			&OptionsContext{
+				AssetBuilder:      b,
+				KubernetesVersion: *version,
+			},
+		}
+
+		spec := c.Spec
+
+		spec.KubernetesVersion = v
+		err = ks.BuildOptions(&spec)
+
+		if err != nil {
+			t.Fatalf("unexpected error from BuildOptions %s: %v", v, err)
+		}
+	}
+
+}