Closed
162 commits
13687a3
UPSTREAM: <carry>: Disable UIs for Kubernetes and etcd
deads2k Aug 11, 2015
bb278dd
UPSTREAM: <carry>: Allow pod start to be delayed in Kubelet
smarterclayton Aug 11, 2015
3db951b
UPSTREAM: <carry>: SCC
deads2k Oct 16, 2015
65777ff
UPSTREAM: <carry>: Add deprecated fields to migrate 1.0.0 k8s v1 data
liggitt Aug 11, 2015
0648831
UPSTREAM: <carry>: helper methods paralleling old latest fields
deads2k Oct 15, 2015
d590247
UPSTREAM: <carry>: reallow the ability to post across namespaces in api
Aug 11, 2015
57a8d00
UPSTREAM: <carry>: update describer for dockercfg secrets
deads2k Aug 11, 2015
e7b9935
UPSTREAM: <carry>: Disable --validate by default
0xmichalis Sep 24, 2015
a7d732b
UPSTREAM: <carry>: Back n forth downward/metadata conversions
deads2k Oct 16, 2015
8c80336
UPSTREAM: <carry>: support pointing oc exec to old openshift server
deads2k Aug 11, 2015
5998121
UPSTREAM: <carry>: v1beta3
deads2k Aug 11, 2015
7cf8537
UPSTREAM: <none>: Suppress aggressive output of warning
smarterclayton Aug 11, 2015
4553a4e
UPSTREAM: <none>: Hack date-time format on *util.Time
smarterclayton Aug 11, 2015
8f20103
UPSTREAM: <drop>: add back flag types to reduce noise during this rebase
deads2k Aug 11, 2015
b266d30
UPSTREAM: <drop>: make test pass with old codec
deads2k Oct 19, 2015
71d5846
UPSTREAM: <drop>: tweak generator to handle conversions in other pack…
deads2k Oct 16, 2015
17544af
UPSTREAM: 8890: Allowing ActiveDeadlineSeconds to be updated for a pod
deads2k Aug 11, 2015
5f13d4b
UPSTREAM: 15232: refactor logs to be composeable
deads2k Oct 15, 2015
ae72ee4
UPSTREAM: 12498: Re-add timeouts for kubelet which is not in the upst…
deads2k Aug 12, 2015
5acc7ac
UPSTREAM: 11827: allow permissive SA secret ref limitting
deads2k Jul 28, 2015
9a10122
UPSTREAM: 14496: deep-copies: Structs cannot be nil
0xmichalis Sep 24, 2015
1b0d7dd
UPSTREAM: 15451 <partial>: Add our types to kubectl get error
smarterclayton Oct 11, 2015
13d8c3d
UPSTREAM: TODO: expose ResyncPeriod function
deads2k Oct 15, 2015
1cfe029
UPSTREAM: 15807: Platform-specific setRLimit implementations
liggitt Oct 19, 2015
92a6987
UPSTREAM: 12221: Allow custom namespace creation in e2e framework
deads2k Oct 19, 2015
5e0b6a4
UPSTREAM: <drop>: disable kubectl apply until there's an impl
deads2k Oct 19, 2015
d4ac1ff
UPSTREAM: 15461: expose: Enable exposing multiport objects
0xmichalis Oct 12, 2015
de6c5cd
UPSTREAM: 15953: Return unmodified error from negotiate
smarterclayton Oct 20, 2015
53fbd9b
UPSTREAM: 15621: Correctly handle empty source
smarterclayton Oct 20, 2015
c91d255
UPSTREAM: 15958: add nonResourceURL detection
deads2k Oct 21, 2015
625e521
UPSTREAM: Proxy: do not send X-Forwarded-Host or X-Forwarded-Proto wi…
csrwng Oct 21, 2015
44230aa
UPSTREAM: 16084: Use NewFramework in all tests
smarterclayton Oct 22, 2015
58d03d8
UPSTREAM: 16042: fix missing error handling
deads2k Oct 22, 2015
e21ce55
UPSTREAM: 7f6f85bd7b47db239868bcd868ae3472373a4f05: fixes attach brok…
fabianofranz Oct 22, 2015
e9648ee
UPSTREAM: 15194: Avoid spurious "Hairpin setup failed..." errors
danwinship Oct 22, 2015
2e26584
UPSTREAM: 10707: logs: Use resource builder
0xmichalis Oct 20, 2015
6a04c06
UPSTREAM: 16067: Provide a RetryOnConflict helper for client libraries
soltysh Oct 22, 2015
fe9a3ef
UPSTREAM: <carry>: Back n forth downward/metadata conversions
soltysh Oct 23, 2015
93957cd
UPSTREAM: 15053: Support stdinOnce and fix attach
smarterclayton Oct 20, 2015
d8370b0
UPSTREAM: 15053<carry>: Conversions for v1beta3
smarterclayton Oct 20, 2015
22d6136
UPSTREAM: 11694: http proxy support for exec/pf
Oct 26, 2015
49595f1
UPSTREAM: 16286: Avoid CPU hotloop on client-closed websocket
liggitt Oct 26, 2015
dfaf1e9
UPSTREAM: 16109: expose attachable pod discovery in factory
fabianofranz Oct 26, 2015
c0b8217
UPSTREAM: 16241: Deflake wsstream stream_test.go
smarterclayton Oct 27, 2015
3056810
UPSTREAM: 15975: Validate names in BeforeCreate
liggitt Oct 21, 2015
97f05c5
UPSTREAM: 16441: Pass runtime.Object to Helper.Create/Replace
deads2k Oct 28, 2015
bd79bc7
UPSTREAM: 16445: Capitalize and expand UsageError message
smarterclayton Oct 28, 2015
47fcba9
UPSTREAM: 16482: stdin is not a file extension for bash completions
fabianofranz Oct 28, 2015
d0a8657
UPSTREAM: 15983: Store mirror pod hash in annotation
smarterclayton Oct 29, 2015
23d9bc9
UPSTREAM: 16080: Convert from old mirror pods (1.0 to 1.1)
smarterclayton Oct 29, 2015
569e33a
UPSTREAM: 15520: Move job to generalized label selector
soltysh Oct 29, 2015
d5cf453
UPSTREAM: 14991: Add Support for supplemental groups
pmorie Oct 22, 2015
b7a59d4
UPSTREAM: 14705: Inline some SecurityContext fields into PodSecurityC…
pmorie Oct 22, 2015
14c7866
UPSTREAM: 15352: FSGroup implementation
pmorie Oct 22, 2015
6e9d70c
UPSTREAM: 15791: Update master service ports and type via controller.
abutcher Oct 29, 2015
495c2cc
UPSTREAM: 16196: Fix e2e test flakes
soltysh Oct 29, 2015
7ae4eb5
UPSTREAM: 16234: Fix jobs unittest flakes
soltysh Oct 29, 2015
9a0d060
UPSTREAM: 16332: Remove invalid blank line when printing jobs
soltysh Oct 29, 2015
3dad0da
UPSTREAM: 15323: Support volume relabling for pods which specify an S…
pmorie Oct 28, 2015
fda87eb
UPSTREAM: <carry>: scc integration for PSC
Oct 26, 2015
8b10a97
UPSTREAM: <carry>: v1beta3 scc integration for PSC
Oct 26, 2015
919ab4f
UPSTREAM: <carry>: respect fuzzing defaults for v1beta3 SecurityContext
pmorie Oct 28, 2015
590d415
UPSTREAM: 15799: Fix PodPhase issue caused by backoff
0xmichalis Oct 29, 2015
85e6c1d
UPSTREAM: 16532: Allow log tail and log follow to be specified together
smarterclayton Oct 29, 2015
bb8596d
UPSTREAM: 16494: Remove dead pods upon stopping a job
soltysh Oct 30, 2015
b2ae51a
UPSTREAM: <carry>: Update v1beta3 PodLogOptions
0xmichalis Oct 26, 2015
25a1a67
UPSTREAM: 15961: Add streaming subprotocol negotation
Oct 30, 2015
f5d2ae3
UPSTREAM: 15900: Delete succeeded and failed pods immediately
smarterclayton Oct 30, 2015
f599fdc
UPSTREAM: 15930: Deletion of pods managed by old kubelets
smarterclayton Oct 30, 2015
458262c
UPSTREAM: <carry>: Update v1beta3
0xmichalis Oct 29, 2015
4281f27
UPSTREAM: 16137: Release node port correctly
smarterclayton Oct 30, 2015
ace7d15
UPSTREAM: <carry>: OpenShift 3.0.2 nodes report v1.1.0-alpha
smarterclayton Oct 30, 2015
1e568ac
UPSTREAM: 15706: HorizontalPodAutoscaler and Scale subresource APIs g…
DirectXMan12 Oct 30, 2015
7c415a3
UPSTREAM: 16068: Increase annotation size significantly
smarterclayton Oct 30, 2015
b76d0bf
UPSTREAM: 15236: Better error output from gluster
smarterclayton Oct 30, 2015
d4584ec
UPSTREAM: 15562: iSCSI use global path to mount
smarterclayton Oct 30, 2015
8755220
UPSTREAM: 15555: Use default port 3260 for iSCSI
smarterclayton Oct 30, 2015
8271459
UPSTREAM: 16032: check if /sbin/mount.nfs is present
smarterclayton Oct 30, 2015
e08adba
UPSTREAM: 16033: Mount returns verbose error
smarterclayton Oct 30, 2015
7f7120f
UPSTREAM: 15275: Kubelet reacts much faster to unhealthy containers
smarterclayton Oct 30, 2015
f13a5b5
UPSTREAM: 16223: Concurrency fixes in kubelet status manager
smarterclayton Oct 30, 2015
df7db79
UPSTREAM: 15845: Add service locator in service rest storage
smarterclayton Oct 30, 2015
804f223
UPSTREAM: 15733: Disable keepalive on liveness probes
smarterclayton Oct 30, 2015
af5616e
UPSTREAM: 15612: Bump cadvisor
jimmidyson Nov 2, 2015
9f85f25
UPSTREAM: 16667: Make Kubernetes HPA Controller use Namespacers
DirectXMan12 Oct 20, 2015
67f37cb
UPSTREAM: <drop>: allow specific, skewed group/versions
deads2k Oct 29, 2015
5c63cb6
UPSTREAM: 16537: attach must only allow a tty when container supports it
fabianofranz Oct 29, 2015
2723eb3
UPSTREAM: 16677: Add Validator for Scale Objects
DirectXMan12 Nov 2, 2015
08275b9
UPSTREAM: 16590: Create all streams before copying in exec/attach
Nov 2, 2015
f6069aa
UPSTREAM: <carry>: s/imagestraams/imagestreams/ in `oc get`
eparis Nov 2, 2015
4885c95
UPSTREAM: 16671: Customize HPA Heapster service namespace/name
DirectXMan12 Oct 27, 2015
ac087e3
UPSTREAM: 16570: Fix GetRequestInfo subresource parsing for proxy/red…
DirectXMan12 Oct 30, 2015
24412a5
UPSTREAM: 16711: Read error from failed upgrade attempts
liggitt Nov 3, 2015
40e332c
UPSTREAM: 15574: Validation on resource quota
smarterclayton Nov 3, 2015
7c4da3b
UPSTREAM: 15646: DaemonSet validation
smarterclayton Nov 3, 2015
f25aea9
UPSTREAM: 15745: Endpoint timeouts in the proxy are bad
smarterclayton Nov 3, 2015
5545798
UPSTREAM: 15414: Annotations for kube-proxy move to beta
smarterclayton Nov 3, 2015
feff68d
UPSTREAM: 15944: DaemonSet controller modifies the wrong fields
smarterclayton Nov 3, 2015
0e9d576
UPSTREAM: 16668: Fix hpa escalation
deads2k Nov 2, 2015
c2b428f
UPSTREAM: 16025: Fix NPE in describe of HPA
smarterclayton Nov 3, 2015
3964fba
UPSTREAM: 16044: Don't shadow error in cache.Store
smarterclayton Nov 3, 2015
92f5cab
UPSTREAM: 16052: Control /etc/hosts in the kubelet
smarterclayton Nov 3, 2015
969bd9b
UPSTREAM: 16174: NPE when checking for mounting /etc/hosts
smarterclayton Nov 3, 2015
0250139
UPSTREAM: 14182: Distinguish image registry unavailable and pull failure
derekwaynecarr Nov 3, 2015
7438222
UPSTREAM: 16191: Mirror pods don't show logs
smarterclayton Nov 3, 2015
4a5a64b
UPSTREAM: 16340: Kubelet pod status update is not correctly occuring
smarterclayton Nov 3, 2015
4cfb604
UPSTREAM: 16478: Daemon controller shouldn't place pods on not ready …
smarterclayton Nov 3, 2015
28ffc6b
UPSTREAM: 15997: Prevent NPE in resource printer on HPA
smarterclayton Nov 3, 2015
c5cde16
UPSTREAM:<carry>:scc priority field
Oct 30, 2015
7f5cdb5
UPSTREAM:<carry>:v1beta3 scc priority field
Oct 30, 2015
777e052
UPSTREAM: 16277: Fixed resetting last scale time in HPA status
DirectXMan12 Nov 3, 2015
6a81361
UPSTREAM: 16032: revert origin 03e50db: check if /sbin/mount.nfs is p…
markturansky Nov 3, 2015
28af30a
UPSTREAM: 16717: Ensure HPA has valid resource/name/subresource, vali…
liggitt Nov 3, 2015
99c156b
UPSTREAM: 15914: make kubelet images pulls serialized by default
derekwaynecarr Nov 3, 2015
c796164
UPSTREAM: 16749: Kubelet serialize image pulls had incorrect default
derekwaynecarr Nov 3, 2015
ce2dc57
UPSTREAM: 16384: Large memory allocation with key prefix generation
smarterclayton Nov 4, 2015
bdefa53
Revert 7fc8ab5b2696b533e6ac5bea003e5a0622bdbf58
liggitt Nov 4, 2015
6c58706
UPSTREAM: 16432: fixed pv binder race condition
markturansky Nov 4, 2015
54cdeab
UPSTREAM: 16859: Return a typed error for no-config
smarterclayton Nov 5, 2015
0c21f3b
UPSTREAM: 16818: Namespace controller should always get latest state …
derekwaynecarr Nov 4, 2015
42ee1ef
UPSTREAM: 15537: openstack: cache InstanceID and use it for volume ma…
jsafrane Nov 6, 2015
4f0c440
UPSTREAM: 16945: kubelet: Fallback to api server for pod status
0xmichalis Nov 6, 2015
eef8e75
UPSTREAM: 16964: Preserve int64 data when unmarshaling
liggitt Nov 6, 2015
720a03b
UPSTREAM: 16926: Enable specifying scheme/port for metrics client
liggitt Nov 6, 2015
1fb84a4
UPSTREAM: 16969: nsenter file writer mangles newlines
smarterclayton Nov 7, 2015
7bca963
UPSTREAM: 17017: stop jsonpath panicing on bad array length
deads2k Nov 9, 2015
7bc60c3
UPSTREAM: 17058: fix client cache for different versions
deads2k Nov 10, 2015
6df844b
UPSTREAM: revert: 0048df4: <carry>: Disable --validate by default
deads2k Nov 10, 2015
d69da46
UPSTREAM: 17061: Unnecessary updates to ResourceQuota when doing UPDATE
derekwaynecarr Nov 10, 2015
8fd671f
UPSTREAM:<carry>:default fsgroup/supgroup strategies to RunAsAny
Nov 10, 2015
3bd1bea
UPSTREAM:<carry>:v1beta3 default fsgroup/supgroup strategies to RunAsAny
Nov 10, 2015
5b1d984
UPSTREAM: 17236: fixes attach example
fabianofranz Nov 13, 2015
9d66678
UPSTREAM: 17239: debug filepath in config loader
fabianofranz Nov 13, 2015
75c7887
UPSTREAM: 17033: Fix default value for StreamingConnectionIdleTimeout
Nov 17, 2015
5716d60
UPSTREAM: 17567: handle the HEAD verb correctly for authorization
deads2k Nov 20, 2015
020a597
UPSTREAM: revert: 199adb7: <drop>: add back flag types to reduce nois…
fabianofranz Nov 5, 2015
8e9af27
UPSTREAM: 17590: correct homedir on windows
fabianofranz Nov 9, 2015
6672f1a
Use correct homedir on Windows
fabianofranz Nov 9, 2015
6c7de31
UPSTREAM: 17886: pod log location must validate container if provided
fabianofranz Nov 28, 2015
4af88de
UPSTREAM: 17973: Validate pod spec.nodeName
liggitt Nov 30, 2015
40c6c01
UPSTREAM: 18000: Fix test failure due to days-in-month check. Issue #…
0xmichalis Dec 1, 2015
1b13922
Upstream: 16728: lengthened pv controller sync period to 10m
markturansky Dec 2, 2015
53e4def
UPSTREAM: 17920: Fix frequent kubernetes endpoint updates during clus…
abutcher Dec 2, 2015
6c99a0f
UPSTREAM: drop: Fix kube e2e tests in origin. This commit is part of …
Dec 1, 2015
da6e1fe
UPSTREAM: drop: part of upstream kube PR #15843.
Dec 2, 2015
bd0c6a8
UPSTREAM: 18065: Fixed forbidden window enforcement in horizontal pod…
DirectXMan12 Dec 3, 2015
2564797
UPSTREAM: 14881: fix delta fifo & various fakes for go1.5.1
soltysh Dec 4, 2015
1f42e5c
UPSTREAM: revert: 97bd6c: <carry>: Allow pod start to be delayed in K…
Dec 4, 2015
1374892
UPSTREAM: 18522: Close web socket watches correctly
liggitt Dec 10, 2015
7d5f027
UPSTREAM: 14537: Add PersistentVolumeProvisionerController
markturansky Dec 15, 2015
795d45e
UPSTREAM: 18601: Implement AWS EBS dynamic provisioner.
jsafrane Dec 18, 2015
9d591cd
UPSTREAM: 18607: Implement OpenStack Cinder dynamic provisioner.
jsafrane Dec 18, 2015
acb4c73
UPSTREAM: 17747: Implement GCE PD disk creation.
jsafrane Dec 18, 2015
bddcbd2
UPSTREAM: 18621: Implement GCE PD dynamic provisioner.
jsafrane Dec 18, 2015
f76cdaf
UPSTREAM: 18165: fixes get --show-all
fabianofranz Dec 18, 2015
40d5ccf
UPSTREAM: <drop>: fixup for 14537
markturansky Dec 18, 2015
9be856b
UPSTREAM: 19481: make patch call update admission chain after applyin…
deads2k Jan 11, 2016
8b2386b
UPSTREAM: 18541: Allow node IP to be passed as optional config for ku…
Jan 12, 2016
2b79aeb
UPSTREAM: <carry>: Tolerate node ExternalID changes with no cloud pro…
DirectXMan12 Jan 12, 2016
ae7d8a7
UPSTREAM: <carry>: capability defaulting
Dec 22, 2015
ea7a08a
Remove v1beta3 code from Kube
smarterclayton Jan 18, 2016
7decc18
UPSTREAM: <carry>: continue to support v1beta3
smarterclayton Jan 18, 2016
60 changes: 47 additions & 13 deletions api/swagger-spec/v1.json
Expand Up @@ -12708,7 +12708,7 @@
},
"securityContext": {
"$ref": "v1.PodSecurityContext",
"description": "SecurityContext holds pod-level security attributes and common container settings"
"description": "SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field."
},
"imagePullSecrets": {
"type": "array",
Expand Down Expand Up @@ -12986,7 +12986,11 @@
},
"stdin": {
"type": "boolean",
"description": "Whether this container should allocate a buffer for stdin in the container runtime. Default is false."
"description": "Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false."
},
"stdinOnce": {
"type": "boolean",
"description": "Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false"
},
"tty": {
"type": "boolean",
Expand Down Expand Up @@ -13194,28 +13198,28 @@
},
"v1.SecurityContext": {
"id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container.",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"properties": {
"capabilities": {
"$ref": "v1.Capabilities",
"description": "The linux kernel capabilites that should be added or removed. Default to Container.Capabilities if left unset. More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context"
"description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime."
},
"privileged": {
"type": "boolean",
"description": "Run the container in privileged mode. Default to Container.Privileged if left unset. More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context"
"description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false."
},
"seLinuxOptions": {
"$ref": "v1.SELinuxOptions",
"description": "SELinuxOptions are the labels to be applied to the container and volumes. Options that control the SELinux labels applied. More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context"
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"description": "RunAsUser is the UID to run the entrypoint of the container process. The user id that runs the first process in the container. More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context"
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
"type": "boolean",
"description": "RunAsNonRoot indicates that the container should be run as a non-root user. If the RunAsUser field is not explicitly set then the kubelet may check the image for a specified user or perform defaulting to specify a user."
"description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
}
}
},
Expand Down Expand Up @@ -13249,25 +13253,55 @@
"properties": {
"user": {
"type": "string",
"description": "User is a SELinux user label that applies to the container. More info: http://releases.k8s.io/HEAD/docs/user-guide/labels.md"
"description": "User is a SELinux user label that applies to the container."
},
"role": {
"type": "string",
"description": "Role is a SELinux role label that applies to the container. More info: http://releases.k8s.io/HEAD/docs/user-guide/labels.md"
"description": "Role is a SELinux role label that applies to the container."
},
"type": {
"type": "string",
"description": "Type is a SELinux type label that applies to the container. More info: http://releases.k8s.io/HEAD/docs/user-guide/labels.md"
"description": "Type is a SELinux type label that applies to the container."
},
"level": {
"type": "string",
"description": "Level is SELinux level label that applies to the container. More info: http://releases.k8s.io/HEAD/docs/user-guide/labels.md"
"description": "Level is SELinux level label that applies to the container."
}
}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings.",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
"properties": {
"seLinuxOptions": {
"$ref": "v1.SELinuxOptions",
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
"type": "boolean",
"description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"integer": {
"id": "integer",
"properties": {}
},
"v1.PodStatus": {
35 changes: 26 additions & 9 deletions cmd/kube-controller-manager/app/controllermanager.go
Expand Up @@ -116,7 +116,7 @@ func NewCMServer() *CMServer {
NodeSyncPeriod: 10 * time.Second,
ResourceQuotaSyncPeriod: 10 * time.Second,
NamespaceSyncPeriod: 5 * time.Minute,
PVClaimBinderSyncPeriod: 10 * time.Second,
PVClaimBinderSyncPeriod: 10 * time.Minute,
HorizontalPodAutoscalerSyncPeriod: 30 * time.Second,
DeploymentControllerSyncPeriod: 30 * time.Second,
MinResyncPeriod: 12 * time.Hour,
Expand All @@ -129,6 +129,7 @@ func NewCMServer() *CMServer {
PersistentVolumeRecyclerIncrementTimeoutNFS: 30,
PersistentVolumeRecyclerMinimumTimeoutHostPath: 60,
PersistentVolumeRecyclerIncrementTimeoutHostPath: 30,
EnableHostPathProvisioning: false,
},
KubeApiQps: 20.0,
KubeApiBurst: 30,
Expand All @@ -147,6 +148,7 @@ type VolumeConfigFlags struct {
PersistentVolumeRecyclerPodTemplateFilePathHostPath string
PersistentVolumeRecyclerMinimumTimeoutHostPath int
PersistentVolumeRecyclerIncrementTimeoutHostPath int
EnableHostPathProvisioning bool
}

// AddFlags adds flags for a specific CMServer to the specified FlagSet
Expand All @@ -171,6 +173,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.VolumeConfigFlags.PersistentVolumeRecyclerPodTemplateFilePathHostPath, "pv-recycler-pod-template-filepath-hostpath", s.VolumeConfigFlags.PersistentVolumeRecyclerPodTemplateFilePathHostPath, "The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.")
fs.IntVar(&s.VolumeConfigFlags.PersistentVolumeRecyclerMinimumTimeoutHostPath, "pv-recycler-minimum-timeout-hostpath", s.VolumeConfigFlags.PersistentVolumeRecyclerMinimumTimeoutHostPath, "The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster.")
fs.IntVar(&s.VolumeConfigFlags.PersistentVolumeRecyclerIncrementTimeoutHostPath, "pv-recycler-timeout-increment-hostpath", s.VolumeConfigFlags.PersistentVolumeRecyclerIncrementTimeoutHostPath, "the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster.")
fs.BoolVar(&s.VolumeConfigFlags.EnableHostPathProvisioning, "enable-hostpath-provisioner", s.VolumeConfigFlags.EnableHostPathProvisioning, "Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.")
fs.IntVar(&s.TerminatedPodGCThreshold, "terminated-pod-gc-threshold", s.TerminatedPodGCThreshold, "Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled.")
fs.DurationVar(&s.HorizontalPodAutoscalerSyncPeriod, "horizontal-pod-autoscaler-sync-period", s.HorizontalPodAutoscalerSyncPeriod, "The period for syncing the number of pods in horizontal pod autoscaler.")
fs.DurationVar(&s.DeploymentControllerSyncPeriod, "deployment-controller-sync-period", s.DeploymentControllerSyncPeriod, "Period for syncing the deployments.")
Expand Down Expand Up @@ -201,7 +204,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet) {
fs.IntVar(&s.KubeApiBurst, "kube-api-burst", s.KubeApiBurst, "Burst to use while talking with kubernetes apiserver")
}

func (s *CMServer) resyncPeriod() time.Duration {
func (s *CMServer) ResyncPeriod() time.Duration {
factor := rand.Float64() + 1
return time.Duration(float64(s.MinResyncPeriod.Nanoseconds()) * factor)
}
Expand Down Expand Up @@ -247,14 +250,14 @@ func (s *CMServer) Run(_ []string) error {
glog.Fatal(server.ListenAndServe())
}()

go endpointcontroller.NewEndpointController(kubeClient, s.resyncPeriod).
go endpointcontroller.NewEndpointController(kubeClient, s.ResyncPeriod).
Run(s.ConcurrentEndpointSyncs, util.NeverStop)

go replicationcontroller.NewReplicationManager(kubeClient, s.resyncPeriod, replicationcontroller.BurstReplicas).
go replicationcontroller.NewReplicationManager(kubeClient, s.ResyncPeriod, replicationcontroller.BurstReplicas).
Run(s.ConcurrentRCSyncs, util.NeverStop)

if s.TerminatedPodGCThreshold > 0 {
go gc.New(kubeClient, s.resyncPeriod, s.TerminatedPodGCThreshold).
go gc.New(kubeClient, s.ResyncPeriod, s.TerminatedPodGCThreshold).
Run(util.NeverStop)
}

Expand Down Expand Up @@ -290,28 +293,42 @@ func (s *CMServer) Run(_ []string) error {
namespacecontroller.NewNamespaceController(kubeClient, s.EnableExperimental, s.NamespaceSyncPeriod).Run()

if s.EnableExperimental {
go daemon.NewDaemonSetsController(kubeClient, s.resyncPeriod).
go daemon.NewDaemonSetsController(kubeClient, s.ResyncPeriod).
Run(s.ConcurrentDSCSyncs, util.NeverStop)

go job.NewJobController(kubeClient, s.resyncPeriod).
go job.NewJobController(kubeClient, s.ResyncPeriod).
Run(s.ConcurrentJobSyncs, util.NeverStop)

podautoscaler.NewHorizontalController(kubeClient, metrics.NewHeapsterMetricsClient(kubeClient)).
podautoscaler.NewHorizontalController(kubeClient, kubeClient, kubeClient, metrics.NewHeapsterMetricsClient(kubeClient, "kube-system", "http", "heapster", "")).
Run(s.HorizontalPodAutoscalerSyncPeriod)

deployment.New(kubeClient).
Run(s.DeploymentControllerSyncPeriod)
}

volumePlugins := ProbeRecyclableVolumePlugins(s.VolumeConfigFlags)
provisioner, err := NewVolumeProvisioner(cloud, s.VolumeConfigFlags)
if err != nil {
glog.Fatal("A Provisioner could not be created, but one was expected. Provisioning will not work. This functionality is considered an early Alpha version.")
}

pvclaimBinder := persistentvolumecontroller.NewPersistentVolumeClaimBinder(kubeClient, s.PVClaimBinderSyncPeriod)
pvclaimBinder.Run()

pvRecycler, err := persistentvolumecontroller.NewPersistentVolumeRecycler(kubeClient, s.PVClaimBinderSyncPeriod, ProbeRecyclableVolumePlugins(s.VolumeConfigFlags))
pvRecycler, err := persistentvolumecontroller.NewPersistentVolumeRecycler(kubeClient, s.PVClaimBinderSyncPeriod, ProbeRecyclableVolumePlugins(s.VolumeConfigFlags), cloud)
if err != nil {
glog.Fatalf("Failed to start persistent volume recycler: %+v", err)
}
pvRecycler.Run()

if provisioner != nil {
pvController, err := persistentvolumecontroller.NewPersistentVolumeProvisionerController(persistentvolumecontroller.NewControllerClient(kubeClient), s.PVClaimBinderSyncPeriod, volumePlugins, provisioner, cloud)
if err != nil {
glog.Fatalf("Failed to start persistent volume provisioner controller: %+v", err)
}
pvController.Run()
}

var rootCA []byte

if s.RootCAFile != "" {
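Review bot: The `if err != nil` branch that follows `NewVolumeProvisioner(cloud, s.VolumeConfigFlags)` in the last hunk discards `err`, so an operator sees a fixed message with no cause; the text also says "Provisioning will not work" even though `glog.Fatal` terminates the controller manager. I would include the cause, e.g. `glog.Fatalf("A Provisioner could not be created, but one was expected: %v", err)`. In the same hunk `ProbeRecyclableVolumePlugins(s.VolumeConfigFlags)` is evaluated twice, once for `volumePlugins` and again inline in the `NewPersistentVolumeRecycler(..., cloud)` call. Passing `volumePlugins` there would avoid a second probe, which per plugins.go also re-reads the recycler pod template files. `Run` starts and ends outside the visible hunks.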
50 changes: 45 additions & 5 deletions cmd/kube-controller-manager/app/plugins.go
Expand Up @@ -21,12 +21,21 @@ import (
// This should probably be part of some configuration fed into the build for a
// given binary target.

"fmt"

//Cloud providers
_ "k8s.io/kubernetes/pkg/cloudprovider/providers"

// Volume plugins
"k8s.io/kubernetes/pkg/cloudprovider"
"k8s.io/kubernetes/pkg/cloudprovider/providers/aws"
"k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
"k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"
"k8s.io/kubernetes/pkg/util/io"
"k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/aws_ebs"
"k8s.io/kubernetes/pkg/volume/cinder"
"k8s.io/kubernetes/pkg/volume/gce_pd"
"k8s.io/kubernetes/pkg/volume/host_path"
"k8s.io/kubernetes/pkg/volume/nfs"

Expand All @@ -51,7 +60,7 @@ func ProbeRecyclableVolumePlugins(flags VolumeConfigFlags) []volume.VolumePlugin
RecyclerTimeoutIncrement: flags.PersistentVolumeRecyclerIncrementTimeoutHostPath,
RecyclerPodTemplate: volume.NewPersistentVolumeRecyclerPodTemplate(),
}
if err := attemptToLoadRecycler(flags.PersistentVolumeRecyclerPodTemplateFilePathHostPath, &hostPathConfig); err != nil {
if err := AttemptToLoadRecycler(flags.PersistentVolumeRecyclerPodTemplateFilePathHostPath, &hostPathConfig); err != nil {
glog.Fatalf("Could not create hostpath recycler pod from file %s: %+v", flags.PersistentVolumeRecyclerPodTemplateFilePathHostPath, err)
}
allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(hostPathConfig)...)
Expand All @@ -61,18 +70,49 @@ func ProbeRecyclableVolumePlugins(flags VolumeConfigFlags) []volume.VolumePlugin
RecyclerTimeoutIncrement: flags.PersistentVolumeRecyclerIncrementTimeoutNFS,
RecyclerPodTemplate: volume.NewPersistentVolumeRecyclerPodTemplate(),
}
if err := attemptToLoadRecycler(flags.PersistentVolumeRecyclerPodTemplateFilePathNFS, &nfsConfig); err != nil {
if err := AttemptToLoadRecycler(flags.PersistentVolumeRecyclerPodTemplateFilePathNFS, &nfsConfig); err != nil {
glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", flags.PersistentVolumeRecyclerPodTemplateFilePathNFS, err)
}
allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...)

allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)

return allPlugins
}

// attemptToLoadRecycler tries decoding a pod from a filepath for use as a recycler for a volume.
// NewVolumeProvisioner returns a volume provisioner to use when running in a cloud or development environment.
// The beta implementation of provisioning allows 1 implied provisioner per cloud, until we allow configuration of many.
// We explicitly map clouds to volume plugins here which allows us to configure many later without backwards compatibility issues.
// Not all cloudproviders have provisioning capability, which is the reason for the bool in the return to tell the caller to expect one or not.
func NewVolumeProvisioner(cloud cloudprovider.Interface, flags VolumeConfigFlags) (volume.ProvisionableVolumePlugin, error) {
switch {
case cloud == nil && flags.EnableHostPathProvisioning:
return getProvisionablePluginFromVolumePlugins(host_path.ProbeVolumePlugins(volume.VolumeConfig{}))
case cloud != nil && aws_cloud.ProviderName == cloud.ProviderName():
return getProvisionablePluginFromVolumePlugins(aws_ebs.ProbeVolumePlugins())
case cloud != nil && gce_cloud.ProviderName == cloud.ProviderName():
return getProvisionablePluginFromVolumePlugins(gce_pd.ProbeVolumePlugins())
case cloud != nil && openstack.ProviderName == cloud.ProviderName():
return getProvisionablePluginFromVolumePlugins(cinder.ProbeVolumePlugins())
}
return nil, nil
}

func getProvisionablePluginFromVolumePlugins(plugins []volume.VolumePlugin) (volume.ProvisionableVolumePlugin, error) {
for _, plugin := range plugins {
if provisonablePlugin, ok := plugin.(volume.ProvisionableVolumePlugin); ok {
return provisonablePlugin, nil
}
}
return nil, fmt.Errorf("ProvisionablePlugin expected but not found in %#v: ", plugins)
}

// AttemptToLoadRecycler tries decoding a pod from a filepath for use as a recycler for a volume.
// If successful, this method will set the recycler on the config.
// If unsucessful, an error is returned.
func attemptToLoadRecycler(path string, config *volume.VolumeConfig) error {
// If unsuccessful, an error is returned. Function is exported for reuse downstream.
func AttemptToLoadRecycler(path string, config *volume.VolumeConfig) error {
if path != "" {
recyclerPod, err := io.LoadPodFromFile(path)
if err != nil {
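Review bot: The doc comment on `NewVolumeProvisioner` refers to "the bool in the return", but the signature returns `(volume.ProvisionableVolumePlugin, error)` and reports "no provisioner for this cloud" as `nil, nil`. The caller in controllermanager.go depends on that with `if provisioner != nil`, so the comment should state the real contract, for example `// Not all cloudproviders have provisioning capability; in that case NewVolumeProvisioner returns nil, nil and callers must check for a nil plugin.` In `getProvisionablePluginFromVolumePlugins` the error string ends in a dangling `: ` and the local is misspelled `provisonablePlugin`; `fmt.Errorf("provisionable plugin expected but not found in %#v", plugins)` reads cleaner. The body of `AttemptToLoadRecycler` continues past the end of the last hunk.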