We want to be able to use "dns=none" (without peer-to-peer gossip)
even for clusters that have the k8s.local extension. These were
previously called "gossip clusters", but really that is an
implementation; what actually matters to users is that they don't rely
on writing records into a DNS zone (such as Route53).
In order to verify that the caller is running on the specified node,
we source the expected IP address from the cloud, and require that the
node set up a simple challenge/response server to answer requests.
Because the challenge server runs on a port outside of the nodePort
range, this also makes it harder for pods to impersonate their host
nodes - though we do combine this with TPM and similar functionality
where it is available.
By default the cluster autoscaler takes DaemonSet-managed pods'
resource requests into consideration when computing a node's resource
utilization. Allow toggling its "--ignore-daemonsets-utilization"
command-line flag via a new field in the Cluster
spec—"clusterAutoscaler.ignoreDaemonSetsUtilization." Setting that
field to true causes the autoscaler to ignore such daemon pods'
requests, such that it will more likely judge a node running only
daemon pods as being underutilized and shut down its hosting machine.
We split out the "add to a slice" logic, as this is then easier to
reason about.
Should be a no-op in terms of valid inputs, might avoid some crashes
with invalid inputs.
This passes the acutal cluster name to the cinder-csi-plugin, so that
the plugin will add the name as metadata to the backing volume in
OpenStack.
Effectively, the change will help to better identify which volume in
OpenStack belongs to which cluster, which is especially helpful when
running multiple clusters in one OpenStack tenant/project.
Setting the cluster name in both - the controller and the nodeserver -
will ensure that dynamic and ephemeral volumes will receive the correct
metadata.
This will allow setting the option `ignore-volume-microversion` for the
cinder-csi-plugin.
Setting this is necessary for older OpenStack APIs so that OCCP can
create PVs.
Note: This will work with cinder-csi-plugin >= 1.25.
For reference:
* https://github.com/kubernetes/cloud-provider-openstack/pull/1986/
When a pod is deleted, the route to its IP is replaced with an unreachable route.
When a pod is created, the route is replaced with a route to the pod veth (so if an unreachable existed, it's replaced).
Ref:
- https://github.com/cilium/cilium/pull/18505
Kubernetes Prow Robot