[WIP] WRKLDS-1449: Rebase 1.31.0 #2055
Allow calling Stop multiple times on RetryWatcher
Signed-off-by: Nadia Pinaeva <[email protected]>
objects. Change the order of operations to stop current iteration if no changes to the service chains are needed. Bump syncProxy frequency to 1 hour.
In a test kind cluster creation of 10K services, 2 endpoints each, takes ~25m before the fix and ~9min after. Maximum memory usage during creation is ~650MiB and 260MiB respectively.
Another important metric is the time it takes to create 1 new service when 10K svc already exist. It used to take ~8m before the fix, with partialSync it takes ~141ms.
Signed-off-by: Nadia Pinaeva <[email protected]>
Signed-off-by: Nadia Pinaeva <[email protected]>
a masked proc mount has traditionally been used to prevent untrusted containers from accessing leaky kernel APIs. However, within a user namespace, typical ID checks protect better than masked proc. Further, allowing unmasked proc with a user namespace gives access to a container mounting sub procs, which opens avenues for container-in-container use cases.
Update PSS for baseline to allow a container to access an unmasked /proc, if it's in a user namespace and if the UserNamespacesPodSecurityStandards feature is enabled.
Signed-off-by: Peter Hunt <[email protected]>
make sure to cleanup after setting RelaxPolicyForUserNamespacePods setup test variables to be a little more terse and similar between tests cleanup Allowed checking Signed-off-by: Peter Hunt <[email protected]>
…ubelet-attach-failed report an event to pod if kubelet does attach operation failed
KEP-24: Update AppArmor feature gates to GA stage.
…orage-quota pkg/volume/*: Enable quotas in user namespace
KEP-4569: Kubelet option to disable cgroup v1 support
PSA: allow container_engine_t selinux type
…-4191-to-beta KEP-4191: Split Image Filesystem promotion to Beta
integration tests: split Wardle aggregation test API server running
run NoSNAT network test between pods without any feature tag
The actual name has the k8s.io suffix.
The names aren't actually special for validation. They are acceptable with and without the feature gate, the only difference is that they don't do anything when the feature is enabled.
Dynamic resource allocation is similar to storage in the sense that users create ResourceClaim objects to request resources, same as with persistent volume claims. The actual resource usage is only known when allocating claims, but some limits can already be enforced at admission time:
- "count/resourceclaims.resource.k8s.io" limits the number of ResourceClaim objects in a namespace; this is a generic feature that is already supported also without this commit.
- "resourceclaims" is *not* an alias - use "count/resourceclaims.resource.k8s.io" instead.
- <device-class-name>.deviceclass.resource.k8s.io/devices limits the number of ResourceClaim objects in a namespace such that the number of devices requested through those objects with that class does not exceed the limit.
A single request may cause the allocation of multiple devices. For exact counts, the quota limit is based on the sum of those exact counts. For requests asking for "all" matching devices, the maximum number of allocated devices per claim is used as a worst-case upper bound. Requests asking for "admin access" contribute to the quota.
DRA quota: remove admin mode exception
Signed-off-by: Vinayak Goyal <[email protected]>
Fixes kubernetes#126180
As the ProcMountType feature is disabled by default in beta and relies on the UserNamespacesSupport feature, which is also set to false in beta, running this test is unnecessary.
Signed-off-by: Sohan Kunkerkar <[email protected]>
[kep-3751] pvc bind pv with vac
[kube-proxy: nftables] Implement partial sync.
[go] Bump images, dependencies and versions to go 1.23rc2
Revert debug steps and logs for kubernetes#123760
…tor-internal-config Kube proxy refactor internal config
Signed-off-by: Yuki Iwai <[email protected]>
DRA: resource quotas
…-invalidca Validate CABundle when writing CRD
…umbing-split Step 12 - Add generic controlplane example
…tionAnnotation mark volume.beta.kubernetes.io/mount-options as deprecated
…eline PSA: allow procMount type Unmasked in baseline
@bertinatto: This PR was included in a payload test run from openshift/cluster-kube-apiserver-operator#1734
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0b598920-7469-11ef-9c63-71b9e21015ab-0
@bertinatto: This PR was included in a payload test run from openshift/cluster-kube-apiserver-operator#1734
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/20d87720-7469-11ef-82d7-d33fe11b194c-0
@bertinatto: This PR was included in a payload test run from openshift/cluster-kube-apiserver-operator#1734
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/26abb4f0-7469-11ef-9a6a-53e3c3f05abb-0
@bertinatto: This PR was included in a payload test run from openshift/cluster-kube-apiserver-operator#1734
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2cfc3910-7469-11ef-9c8b-59f9d1ec94f0-0
testing a revert of kubernetes#124736
/payload-job periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-single-node
@atiratree: trigger 5 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2fc7fc70-74db-11ef-9567-582e7dbd1876-0
/payload-job periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-single-node-serial
@atiratree: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4de43400-74f7-11ef-9240-e18a9c7f552c-0
3ecdd14 to c927d61
testing reverts of APIServingWithRoutine feature
/payload-job periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-single-node
@atiratree: trigger 4 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b39ed410-750d-11ef-87bf-fcd2b5a698cb-0
/payload-job periodic-ci-openshift-release-master-ci-4.18-e2e-azure-ovn-techpreview-serial
@atiratree: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b4c81c60-750e-11ef-9e14-0f89e19675d7-0
/test unit
c927d61 to 1318a14
…stConsistentReadFallback when ResilientWatchCacheInitialization is off
…herDontAcceptRequestsStopped when ResilientWatchCacheInitialization is off
1318a14 to e5ff0db
@atiratree: The following test failed, say
closing in favor of #2092