1.36: Save SELinuxWarningController upgradeability to a ConfigMap#2714
1.36: Save SELinuxWarningController upgradeability to a ConfigMap#2714jsafrane wants to merge 2998 commits into
Conversation
…Policy is Always'
scheduler: fix race in DRA pending allocation sharing
Flaky test fix for 'should restart failing container when pod restartPolicy is Always'
Revert "Switch PLEGOnDemandRelist default to `false` for 1.36"
The kubelet status manager was not preserving the pod.status.nodeAllocatableResourceClaimStatuses field set by the scheduler during pod status merges. This caused the information to the to be destroyed by the kubelet's next status sync, making the field always appear empty. Add the same preservation pattern already used for ResourceClaimStatuses and ExtendedResourceClaimStatus to both mergePodStatus() and isPodStatusByKubeletEqual(). Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
Kubelet: Add alpha-2 stage implementation for UserNamespacesHostNetworkSupport feature gate
This commit introduces the DRAResourceClaimGranularStatusAuthorization feature gate (Beta in 1.36) to enforce fine-grained authorization checks on ResourceClaim status updates. Previously, 'update' permission on 'resourceclaims/status' allowed modifying the entire status. To enforce the principle of least privilege for DRA drivers and the scheduler, this change introduces synthetic subresources and verb prefixes: - 'resourceclaims/binding': Required to update 'status.allocation' and 'status.reservedFor'. - 'resourceclaims/driver': Required to update 'status.devices'. Evaluated on a per-driver basis using 'associated-node:<verb>' (for node-local ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
Fine-grained Authorization for ResourceClaim Status Updates
Fix race condition in updating the PodStatus cache
…actuated resources Signed-off-by: ndixita <ndixita@google.com>
set InPlacePodLevelResourcesVerticalScaling to false if needed
…ager Metrics The Memory Manager Metrics BeforeEach asserts that zero pods are running on the node after a kubelet config update. This hard assertion flakes when a preceding serial test's namespace deletion hasn't completed yet — framework namespace cleanup is async and the kubelet restart in updateKubeletConfig can delay in-flight pod termination. CI logs show leftover pods from MemoryQoS tests (memqos-burstable, memqos-no-limit, etc.), Probe Stress tests (50-container pods), and Summary API PSI tests (memory-pressure-pod), all still Running when the assertion fires 4-7ms after the previous test finishes. Replace the immediate Expect(count).To(BeZero()) with an Eventually poll (2 minute timeout, 5 second interval) that gives pods time to drain after the kubelet restart. The existing printAllPodsOnNode diagnostic output is preserved inside the poll for debugging. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Pod events fix
…rics-cleanup e2e_node: wait for pod drain before asserting zero pods in Memory Manager Metrics
Fix flakiness in integration test for TopologyAwareScheduling with Basic Policy
…urce-test Deflake TestPodSubresourceAuth by waiting for effective permissions before testing
Signed-off-by: Alay Patel <alayp@nvidia.com>
…di-spec kep-5304: bump cdi spec version to 0.5.0
…deAllocatableResourceClaimStatuses kubelet: do not destroy nodeAllocatableResourceClaimStatuses
Signed-off-by: yashsingh74 <yashsingh1774@gmail.com>
Update CNI plugins to v1.9.1
Make cleanup aware of uid differences
The latest pause version is 3.10.2 but due to the introduction of the PATCH level version to the pause image (previously was only MAJOR.MINOR), various files have remained on an older version. Either 3.10 or 3.10.1. Our validation with build/dependencies.yaml ./hack/verify-external-dependencies.sh did not account for that.
Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>
Also prevent duplicate metric emissions
RouteExternalCertificate is now enabled by default. This update is removing references to this feature gate, hardcoding its value to true. This update is also a pre-requisite to remove it from openshift/cluster-ingress-operator. This feature gate was added in 1448e1c
…reating clients on each metrics scrape Signed-off-by: xigang <wangxigang2014@gmail.com>
Add a kubernetes/conformance suite that aggregates tests from kubernetes/conformance/parallel and kubernetes/conformance/serial, enabling `openshift-tests run kubernetes/conformance` to run all kubernetes conformance tests in a single invocation. Uses AddGlobalSuite (not AddSuite) so the umbrella starts with zero qualifiers and inherits exclusively from its children via the mergeParentQualifiers fixed-point loop in origin. AddSuite would prepend a catch-all source qualifier that bypasses the exclusion filters ([Disabled:], [Disruptive], [Slow], etc.) in the child qualifiers. Companion to openshift/origin#31261 which adds the Parents field and mergeParentQualifiers mechanism. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ce] label The kubernetes/conformance suite was incorrectly defined as an AddGlobalSuite parent umbrella with no qualifiers, inheriting everything from its children. This caused it to include OCP's broader view of conformance rather than just the upstream Kubernetes conformance tests. Change it to a standalone AddSuite that filters on the Conformance label, matching only the 428 true upstream conformance tests. Also remove kubernetes/conformance from the Parents of the parallel and serial suites so all three are standalone. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…dalone clusters Add a new kube-apiserver admission plugin that adds the node-role.kubernetes.io/control-plane node selector to qualifying control-plane-adjacent Day 2 operator pods at admission time. On standalone OpenShift clusters, operators like the VPA operator must run on master nodes for security reasons (e.g., limiting blast radius of privilege escalation from a worker-node compromise). HCP clusters have a different security posture (using the cluster rather than the node as a security boundary) and no master nodes exist in the guest cluster, so the plugin must not activate. The plugin detects standalone clusters by checking POD_NAMESPACE=openshift-kube-apiserver at start-up. Currently the VPA operator pod (identified by the label k8s-app=vertical-pod-autoscaler-operator) is the only registered workload. The design is extensible to other control-plane-adjacent operators by adding label matchers to requiresNodeSelectorAdjustment(). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
To be squashed with the following commit later:"UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs" Signed-off-by: jubittajohn <jujohn@redhat.com>
…er_manager_linux_test.go Squash into: UPSTREAM: <carry>: disable load balancing on created cgroups when managed is enabled
…s in flagz_test.go and statusz_test.go
Squash into: UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
…acheGC is enabled Squash into UPSTREAM: <carry>: create termination events
Squash into: UPSTREAM: <carry>: add management support to kubelet
Signed-off-by: jubittajohn <jujohn@redhat.com>
… driver when not enabled The upstream csi-hostpath-plugin.yaml manifest now includes a csi-snapshot-metadata sidecar container and volume (added in k/k#130918). Upstream PR k/k#137057 added conditional stripping of these when CapSnapshotMetadata is not enabled, but only for the upstream hostpathCSIDriver. The OpenShift-specific groupSnapshotHostpathCSIDriver was never updated, causing the driver pod to fail with "secret csi-snapshot-metadata-server-certs not found" and all csi-hostpath-groupsnapshot tests to fail in techpreview jobs. Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: Sai Ramesh Vanka <svanka@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
…ConfigMap To upgrade OCP to Kubernetes 1.37 with SELinuxMount enabled, we need to ensure there are no user workloads that could get broken by the feature gate. SELinuxWarningController in KCP has the information and emits it as a metric. To mark the cluster un-upgradeable easily using API objects, store the information as a ConfigMap too. Reading metrics in an operator is too complicated.
|
Skipping CI for Draft Pull Request. |
|
/test images |
|
Important Review skippedToo many files! This PR contains 2742 files, which is 2442 over the limit of 300. To get a review, narrow the scope: ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (258)
📒 Files selected for processing (2742)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jsafrane The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@jsafrane: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Tested in the same way as #2671 (comment), with the same result. In 1.36, just only is needed: |
This is 1.36 Kubernetes rebase (#2653) with #2671 to test how it works in rebase.