Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: certificaterequests.cert-manager.io
spec:
group: cert-manager.io
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: certificates.cert-manager.io
spec:
group: cert-manager.io
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: challenges.acme.cert-manager.io
spec:
group: acme.cert-manager.io
Expand Down Expand Up @@ -408,7 +408,7 @@ spec:
description: |-
The IP address or hostname of an authoritative DNS server supporting
RFC2136 in the form host:port. If the host is an IPv6 address it must be
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
enclosed in square brackets (e.g [2001:db8::1]); port is optional.
This field is required.
type: string
protocol:
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: clusterissuers.cert-manager.io
spec:
group: cert-manager.io
Expand Down Expand Up @@ -521,7 +521,7 @@ spec:
description: |-
The IP address or hostname of an authoritative DNS server supporting
RFC2136 in the form host:port. If the host is an IPv6 address it must be
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
enclosed in square brackets (e.g [2001:db8::1]); port is optional.
This field is required.
type: string
protocol:
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: issuers.cert-manager.io
spec:
group: cert-manager.io
Expand Down Expand Up @@ -520,7 +520,7 @@ spec:
description: |-
The IP address or hostname of an authoritative DNS server supporting
RFC2136 in the form host:port. If the host is an IPv6 address it must be
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
enclosed in square brackets (e.g [2001:db8::1]); port is optional.
This field is required.
type: string
protocol:
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.19.4
app.kubernetes.io/version: v1.19.5
name: orders.acme.cert-manager.io
spec:
group: acme.cert-manager.io
12 changes: 6 additions & 6 deletions assets/optional/cert-manager/manager/manager.yaml
Expand Up @@ -75,25 +75,25 @@ spec:
- name: OPERATOR_NAME
value: cert-manager-operator
- name: RELATED_IMAGE_CERT_MANAGER_WEBHOOK
value: quay.io/jetstack/cert-manager-webhook:v1.19.4
value: quay.io/jetstack/cert-manager-webhook:v1.19.5
- name: RELATED_IMAGE_CERT_MANAGER_CA_INJECTOR
value: quay.io/jetstack/cert-manager-cainjector:v1.19.4
value: quay.io/jetstack/cert-manager-cainjector:v1.19.5
- name: RELATED_IMAGE_CERT_MANAGER_CONTROLLER
value: quay.io/jetstack/cert-manager-controller:v1.19.4
value: quay.io/jetstack/cert-manager-controller:v1.19.5
- name: RELATED_IMAGE_CERT_MANAGER_ACMESOLVER
value: quay.io/jetstack/cert-manager-acmesolver:v1.19.4
value: quay.io/jetstack/cert-manager-acmesolver:v1.19.5
- name: RELATED_IMAGE_CERT_MANAGER_ISTIOCSR
value: quay.io/jetstack/cert-manager-istio-csr:v0.16.0
- name: RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER
value: quay.io/jetstack/trust-manager:v0.20.3
- name: OPERAND_IMAGE_VERSION
value: 1.19.4
value: 1.19.5
- name: ISTIOCSR_OPERAND_IMAGE_VERSION
value: 0.16.0
- name: TRUSTMANAGER_OPERAND_IMAGE_VERSION
value: 0.20.3
- name: OPERATOR_IMAGE_VERSION
value: 1.19.0
value: 1.19.1
- name: OPERATOR_LOG_LEVEL
value: '2'
- name: TRUSTED_CA_CONFIGMAP_NAME
Expand Up @@ -38,6 +38,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/flagz"
"k8s.io/apiserver/pkg/server/healthz"
"k8s.io/apiserver/pkg/server/mux"
Expand Down Expand Up @@ -156,7 +157,8 @@ controller, and serviceaccounts controller.`,
fg.(featuregate.MutableFeatureGate).AddMetrics()
// add component version metrics
s.ComponentGlobalsRegistry.AddMetrics()
return Run(cmd.Context(), c.Complete(), cmd.Context().Done())
stopCh := server.SetupSignalHandler()
return Run(context.Background(), c.Complete(), stopCh)
},
Args: func(cmd *cobra.Command, args []string) error {
for _, arg := range args {
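Review bot: The new `Run(context.Background(), c.Complete(), stopCh)` hands Run a context that is never cancelled while shutdown is signalled only through `stopCh`, so anything in Run or below that waits on `ctx.Done()` rather than the stop channel will not observe SIGTERM, and whatever context cobra supplied via `cmd.Context()` is discarded. Deriving both from one source keeps them consistent: `ctx := server.SetupSignalContext()` followed by `return Run(ctx, c.Complete(), ctx.Done())`. Note that `server.SetupSignalContext`/`SetupSignalHandler` panics if called a second time in the same process, so this is only safe if no caller of this command already installs the handler. The RunE closure and Run itself start outside the hunk, so whether Run actually relies on ctx for cancellation cannot be confirmed here.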
Expand Up @@ -47,7 +47,6 @@ import (
logsapi "k8s.io/component-base/logs/api/v1"
"k8s.io/component-base/metrics"
cmoptions "k8s.io/controller-manager/options"
"k8s.io/klog/v2"
kubectrlmgrconfigv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
kubecontrollerconfig "k8s.io/kubernetes/cmd/kube-controller-manager/app/config"
"k8s.io/kubernetes/cmd/kube-controller-manager/names"
Expand Down Expand Up @@ -319,7 +318,7 @@ func (s *KubeControllerManagerOptions) Flags(allControllers []string, disabledBy
if !utilfeature.DefaultFeatureGate.Enabled(featuregate.Feature(clientgofeaturegate.WatchListClient)) {
ver := version.MustParse("1.34")
if err := utilfeature.DefaultMutableFeatureGate.OverrideDefaultAtVersion(featuregate.Feature(clientgofeaturegate.WatchListClient), true, ver); err != nil {
klog.Warning(fmt.Sprintf("unable to set %s feature gate, err: %v", clientgofeaturegate.WatchListClient, err))
panic(fmt.Sprintf("unable to set %s feature gate, err: %v", clientgofeaturegate.WatchListClient, err))
}
}
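Review bot: Replacing the warning with `panic(fmt.Sprintf(...))` on the new line makes a failed WatchListClient override abort the process with a bare string, which loses the original error value and gives a reader no hint that fail-fast is intentional. If the override must not fail silently, keep the error as an error, `panic(fmt.Errorf("unable to set %s feature gate: %w", clientgofeaturegate.WatchListClient, err))`, and add a one-line comment above the `if` explaining why an unrecoverable panic is now preferred over the former warning. Flags() begins outside the hunk, so whether it could surface the error to its caller instead cannot be judged here.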

Expand Up @@ -70,16 +70,17 @@ func main() {
Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]')) && labels.exists(l, l == "Conformance")`)},
})

// AddGlobalSuite so the umbrella starts with zero qualifiers and inherits
// exclusively from its children via mergeParentQualifiers in origin.
kubeTestsExtension.AddGlobalSuite(e.Suite{
Name: "kubernetes/conformance",
// kubernetes/conformance is used by OCPT to run the minimal true upstream
// Kubernetes conformance tests, not the broader view OCP takes of what
// "conformance" means.
kubeTestsExtension.AddSuite(e.Suite{
Name: "kubernetes/conformance",
Qualifiers: []string{withExcludedTestsFilter(`labels.exists(l, l == "Conformance")`)},
})

kubeTestsExtension.AddSuite(e.Suite{
Name: "kubernetes/conformance/parallel",
Parents: []string{
"kubernetes/conformance",
"openshift/conformance/parallel",
},
Qualifiers: []string{withExcludedTestsFilter(`(!name.contains('[Serial]') && !labels.exists(l, l == '[Serial]'))`)},
Expand All @@ -88,7 +89,6 @@ func main() {
kubeTestsExtension.AddSuite(e.Suite{
Name: "kubernetes/conformance/serial",
Parents: []string{
"kubernetes/conformance",
"openshift/conformance/serial",
},
Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]'))`)},
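Review bot: The hunk drops `"kubernetes/conformance"` from the Parents of both `kubernetes/conformance/parallel` and `kubernetes/conformance/serial` and gives the umbrella its own label qualifier, but the new comment only says what OCPT uses the suite for, not why the child suites no longer feed into it. One sentence on the umbrella suite, e.g. `// It is deliberately not a parent of the parallel/serial suites; it selects tests by the Conformance label alone.`, would stop a later reader from re-adding the Parents entries. main() starts and ends outside the hunk.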
Expand Up @@ -21,8 +21,10 @@ import (
ingressadmission "k8s.io/kubernetes/openshift-kube-apiserver/admission/route"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/route/hostassignment"
projectnodeenv "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeselectoradjuster"
schedulerpodnodeconstraints "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/podnodeconstraints"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/storage/csiinlinevolumesecurity"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/storage/performantsecuritypolicy"
)

func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
Expand All @@ -42,6 +44,10 @@ func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
externalipranger.RegisterExternalIP(plugins)
restrictedendpoints.RegisterRestrictedEndpoints(plugins)
csiinlinevolumesecurity.Register(plugins)
performantsecuritypolicy.Register(plugins)
if nodeselectoradjuster.IsStandalone() {
nodeselectoradjuster.Register(plugins)
}
}

var (
Expand All @@ -58,23 +64,31 @@ var (
)

// openshiftAdmissionPluginsForKubeBeforeMutating are the admission plugins to add after kube admission, before mutating webhooks
openshiftAdmissionPluginsForKubeBeforeMutating = []string{
"autoscaling.openshift.io/ClusterResourceOverride",
managementcpusoverride.PluginName, // "autoscaling.openshift.io/ManagementCPUsOverride"
"authorization.openshift.io/RestrictSubjectBindings",
"autoscaling.openshift.io/RunOnceDuration",
"scheduling.openshift.io/PodNodeConstraints",
"scheduling.openshift.io/OriginPodNodeEnvironment",
"network.openshift.io/ExternalIPRanger",
"network.openshift.io/RestrictedEndpointsAdmission",
imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
"security.openshift.io/SecurityContextConstraint",
"security.openshift.io/SCCExecRestrictions",
"route.openshift.io/IngressAdmission",
hostassignment.PluginName, // "route.openshift.io/RouteHostAssignment"
csiinlinevolumesecurity.PluginName, // "storage.openshift.io/CSIInlineVolumeSecurity"
mixedcpus.PluginName, // "autoscaling.openshift.io/MixedCPUs"
}
openshiftAdmissionPluginsForKubeBeforeMutating = func() []string {
plugins := []string{
"autoscaling.openshift.io/ClusterResourceOverride",
managementcpusoverride.PluginName, // "autoscaling.openshift.io/ManagementCPUsOverride"
"authorization.openshift.io/RestrictSubjectBindings",
"autoscaling.openshift.io/RunOnceDuration",
"scheduling.openshift.io/PodNodeConstraints",
"scheduling.openshift.io/OriginPodNodeEnvironment",
"network.openshift.io/ExternalIPRanger",
"network.openshift.io/RestrictedEndpointsAdmission",
imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
"security.openshift.io/SecurityContextConstraint",
"security.openshift.io/SCCExecRestrictions",
"route.openshift.io/IngressAdmission",
hostassignment.PluginName, // "route.openshift.io/RouteHostAssignment"
csiinlinevolumesecurity.PluginName, // "storage.openshift.io/CSIInlineVolumeSecurity"
managednode.PluginName, // "autoscaling.openshift.io/ManagedNode"
mixedcpus.PluginName, // "autoscaling.openshift.io/MixedCPUs"
performantsecuritypolicy.PluginName, // "storage.openshift.io/PerformantSecurityPolicy"
}
if nodeselectoradjuster.IsStandalone() {
plugins = append(plugins, nodeselectoradjuster.PluginName) // "scheduling.openshift.io/NodeSelectorAdjuster"
}
return plugins
}()

// openshiftAdmissionPluginsForKubeAfterResourceQuota are the plugins to add after ResourceQuota plugin
openshiftAdmissionPluginsForKubeAfterResourceQuota = []string{
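Review bot: `nodeselectoradjuster.IsStandalone()` is evaluated at two different times: once at package init inside the new `openshiftAdmissionPluginsForKubeBeforeMutating` func literal, and again when `RegisterOpenshiftKubeAdmissionPlugins` runs. If POD_NAMESPACE differs between the two (tests, or any code that sets it after init), the plugin can appear in the ordering list without being registered or vice versa; capturing the decision once in a package-level `var standalone = nodeselectoradjuster.IsStandalone()` and reading it in both places removes that window. Separately, the adjuster is appended after `scheduling.openshift.io/PodNodeConstraints` and `OriginPodNodeEnvironment`, so if those plugins inspect `spec.nodeSelector` they never see the injected control-plane key — presumably intended, but worth a comment next to the `append`. `managednode.PluginName` is also new to this list with no import visible in the hunk; the import block is cut above, so it may already be present.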
@@ -0,0 +1,32 @@
diff a/deps/github.com/openshift/kubernetes/openshift-kube-apiserver/admission/admissionenablement/register.go b/deps/github.com/openshift/kubernetes/openshift-kube-apiserver/admission/admissionenablement/register.go (rejected hunks)
@@ -24,7 +23,6 @@ import (
projectnodeenv "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
schedulerpodnodeconstraints "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/podnodeconstraints"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/storage/csiinlinevolumesecurity"
- "k8s.io/kubernetes/openshift-kube-apiserver/admission/storage/performantsecuritypolicy"
)

func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
@@ -45,7 +42,6 @@ func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
externalipranger.RegisterExternalIP(plugins)
restrictedendpoints.RegisterRestrictedEndpoints(plugins)
csiinlinevolumesecurity.Register(plugins)
- performantsecuritypolicy.Register(plugins)
}

var (
@@ -75,11 +71,9 @@ var (
"security.openshift.io/SecurityContextConstraint",
"security.openshift.io/SCCExecRestrictions",
"route.openshift.io/IngressAdmission",
- hostassignment.PluginName, // "route.openshift.io/RouteHostAssignment"
- csiinlinevolumesecurity.PluginName, // "storage.openshift.io/CSIInlineVolumeSecurity"
- managednode.PluginName, // "autoscaling.openshift.io/ManagedNode"
- mixedcpus.PluginName, // "autoscaling.openshift.io/MixedCPUs"
- performantsecuritypolicy.PluginName, // "storage.openshift.io/PerformantSecurityPolicy"
+ hostassignment.PluginName, // "route.openshift.io/RouteHostAssignment"
+ csiinlinevolumesecurity.PluginName, // "storage.openshift.io/CSIInlineVolumeSecurity"
+ mixedcpus.PluginName, // "autoscaling.openshift.io/MixedCPUs"
}

// openshiftAdmissionPluginsForKubeAfterResourceQuota are the plugins to add after ResourceQuota plugin
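Review bot: This adds a `register.go.rej` file — the rejected-hunk output of a patch tool — under the vendored `deps/github.com/openshift/kubernetes/...` tree, which looks like an accident of re-applying a carried patch rather than intended content. The rejected hunks appear to remove performantsecuritypolicy and managednode from the deps copy of admissionenablement/register.go, so that copy should be checked against the hand-edited one for consistency and the .rej file dropped from the commit. Only the .rej file is visible here, not the deps copy it refers to.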
@@ -0,0 +1,112 @@
package nodeselectoradjuster

// The NodeSelectorAdjuster admission plugin adds the
// node-role.kubernetes.io/control-plane node selector to qualifying pods. It only
// activates on standalone OpenShift clusters, detected by
// POD_NAMESPACE=openshift-kube-apiserver. On hosted control plane (HCP)
// clusters the plugin does not register itself and takes no action, allowing
// qualifying pods to be scheduled on data plane worker nodes without
// modification.

import (
"context"
"fmt"
"io"
"os"

corev1 "k8s.io/api/core/v1"
"k8s.io/apiserver/pkg/admission"
coreapi "k8s.io/kubernetes/pkg/apis/core"
)

const (
// PluginName is the name used to identify this plugin in the admission chain.
PluginName = "scheduling.openshift.io/NodeSelectorAdjuster"

// controlPlaneRoleKey is the node role label used as a node selector key
controlPlaneRoleKey = "node-role.kubernetes.io/control-plane"

// vpaOperatorLabelKey / vpaOperatorLabelValue identify the VPA operator pod.
vpaOperatorLabelKey = "k8s-app"
vpaOperatorLabelValue = "vertical-pod-autoscaler-operator"
// vpaOperatorNamespace is the namespace the VPA operator is expected to run in.
vpaOperatorNamespace = "openshift-vertical-pod-autoscaler"

// standaloneEnvVar is the environment variable checked at start-up.
// It is injected by the downward API and reflects the namespace the
// kube-apiserver pod runs in.
standaloneEnvVar = "POD_NAMESPACE"
// standaloneEnvValue is the namespace used by the kube-apiserver on a
// standalone OpenShift cluster.
standaloneEnvValue = "openshift-kube-apiserver"
)

// IsStandalone reports whether the current process is running inside a standalone
// OpenShift cluster. It is checked once at start-up to decide whether the plugin
// should register itself.
func IsStandalone() bool {
return os.Getenv(standaloneEnvVar) == standaloneEnvValue
}

// Register adds the plugin to the admission plugin registry. It must only be
// called when IsStandalone() returns true.
func Register(plugins *admission.Plugins) {
plugins.Register(PluginName, func(_ io.Reader) (admission.Interface, error) {
return &nodeSelectorAdjuster{
Handler: admission.NewHandler(admission.Create),
}, nil
})
}

// nodeSelectorAdjuster implements admission.MutationInterface.
type nodeSelectorAdjuster struct {
*admission.Handler
}

var _ admission.MutationInterface = &nodeSelectorAdjuster{}

// Admit examines newly-created Pod objects and, for qualifying pods, adds the control-plane
// node selector so that they run on control-plane nodes on standalone clusters.
func (p *nodeSelectorAdjuster) Admit(_ context.Context, attr admission.Attributes, _ admission.ObjectInterfaces) error {
if attr.GetResource().GroupResource() != corev1.Resource("pods") || attr.GetSubresource() != "" {
return nil
}

pod, ok := attr.GetObject().(*coreapi.Pod)
if !ok {
return admission.NewForbidden(attr, fmt.Errorf("unexpected object type: %T", attr.GetObject()))
}

if !requiresNodeSelectorAdjustment(pod) {
return nil
}

addControlPlaneNodeSelector(pod)
return nil
}

// ValidateInitialization satisfies admission.InitializationValidator. The plugin
// has no external dependencies to validate.
func (p *nodeSelectorAdjuster) ValidateInitialization() error {
return nil
}

// requiresNodeSelectorAdjustment returns true when the pod carries a label that
// opts it in to control-plane node placement and lives in a namespace where that
// label is expected. Currently the VPA operator pod opts in via its well-known
// label. Future control-plane-adjacent Day 2 operators can be added here.
func requiresNodeSelectorAdjustment(pod *coreapi.Pod) bool {
if pod.Labels[vpaOperatorLabelKey] == vpaOperatorLabelValue &&
pod.Namespace == vpaOperatorNamespace {
return true
}
return false
}

// addControlPlaneNodeSelector ensures spec.nodeSelector contains the control-plane role key.
func addControlPlaneNodeSelector(pod *coreapi.Pod) {
if pod.Spec.NodeSelector == nil {
pod.Spec.NodeSelector = map[string]string{}
}
pod.Spec.NodeSelector[controlPlaneRoleKey] = ""
}
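Review bot: `addControlPlaneNodeSelector` only sets the `node-role.kubernetes.io/control-plane` selector and adds no toleration, so a pod that passes `requiresNodeSelectorAdjustment` but does not already tolerate the control-plane taint would presumably stay Pending on a standalone cluster instead of landing on a worker. The doc on `addControlPlaneNodeSelector` should say this is deliberate, e.g. `// Only the selector is added; the toleration for the control-plane taint must come from the pod spec itself.` `Register` documents that it must only be called when `IsStandalone()` is true but does not enforce it; a leading `if !IsStandalone() { return }` would make the plugin self-guarding, with the caveat that the ordering list in admissionenablement has to stay in step. Since the opt-in is a label that anyone able to create pods in `openshift-vertical-pod-autoscaler` can set, the namespace's RBAC is the real boundary here, which is worth stating in the package comment.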