Merge remote-tracking branch 'origin/master' into release-1.28

Author: k8s-release-robot

CHANGELOG/CHANGELOG-1.28.md

@@ -574,7 +574,7 @@ var _ = SIGDescribe("kubelet", func() {
 				queryCommand := "\"/api/v1/nodes/" + nodeName + "/proxy/logs/?query=kubelet&tailLines=3\""
 				cmd := tk.KubectlCmd("get", "--raw", queryCommand)
 				result := runKubectlCommand(cmd)
-				logs := journalctlCommand("-u", "kubelet", "-n 3 --utc")
+				logs := journalctlCommandOnNode(nodeName, "-u kubelet -n 3 --utc")
 				if result != logs {
 					framework.Failf("Failed to receive the correct kubelet logs or the correct amount of lines of logs")
 				}
@@ -593,7 +593,7 @@ var _ = SIGDescribe("kubelet", func() {
 				queryCommand := "\"/api/v1/nodes/" + nodeName + "/proxy/logs/?query=kubelet&tailLines=3&boot=0&pattern=kubelet\""
 				cmd := tk.KubectlCmd("get", "--raw", queryCommand)
 				result := runKubectlCommand(cmd)
-				logs := journalctlCommand("-u", "kubelet", "-n 3 --utc")
+				logs := journalctlCommandOnNode(nodeName, "-u kubelet -n 3 --utc")
 				if result != logs {
 					framework.Failf("Failed to receive the correct kubelet logs")
 				}
@@ -613,7 +613,7 @@ var _ = SIGDescribe("kubelet", func() {
 				queryCommand := "\"/api/v1/nodes/" + nodeName + "/proxy/logs/?query=kubelet&tailLines=3&sinceTime=" + start.Format(time.RFC3339) + "\""
 				cmd := tk.KubectlCmd("get", "--raw", queryCommand)
 				result := runKubectlCommand(cmd)
-				logs := journalctlCommand("-u", "kubelet", "-n 3 --utc")
+				logs := journalctlCommandOnNode(nodeName, "-u kubelet -n 3 --utc")
 				if result != logs {
 					framework.Failf("Failed to receive the correct kubelet logs or the correct amount of lines of logs")
 				}
@@ -634,7 +634,7 @@ var _ = SIGDescribe("kubelet", func() {
 				queryCommand := "\"/api/v1/nodes/" + nodeName + "/proxy/logs/?query=kubelet&tailLines=3&sinceTime=" + start.Format(time.RFC3339) + "\""
 				cmd := tk.KubectlCmd("get", "--raw", queryCommand)
 				result := runKubectlCommand(cmd)
-				logs := journalctlCommand("-u", "kubelet", "--utc")
+				logs := journalctlCommandOnNode(nodeName, "-u kubelet --utc")
 				assertContains(result, logs)
 			}
 		})
@@ -672,13 +672,9 @@ func assertContains(expectedString string, result string) {
 	return
 }
 
-func journalctlCommand(arg ...string) string {
-	command := exec.Command("journalctl", arg...)
-	out, err := command.Output()
-	if err != nil {
-		framework.Logf("Command: %v\nError: %v", command, err)
-		framework.Failf("Error at running journalctl command")
-	}
-	framework.Logf("Journalctl output: %s", out)
-	return string(out)
+func journalctlCommandOnNode(nodeName string, args string) string {
+	result, err := e2essh.NodeExec(context.Background(), nodeName, "journalctl "+args, framework.TestContext.Provider)
+	framework.ExpectNoError(err)
+	e2essh.LogResult(result)
+	return result.Stdout
 }

test/e2e/apimachinery/webhook.go

@@ -8,13 +8,15 @@ description: >-
 
 ## Metrics (v1.28)
 
-<!-- (auto-generated 2023 Jul 20) -->
+<!-- (auto-generated 2023 Jul 25) -->
 <!-- (auto-generated v1.28) -->
 This page details the metrics that different Kubernetes components export. You can query the metrics endpoint for these 
 components using an HTTP scrape, and fetch the current metrics data in Prometheus format.
 
 ### List of Stable Kubernetes Metrics
 
+Stable metrics observe strict API contracts and no labels can be added or removed from stable metrics during their lifetime.
+
 <table class="table metrics" caption="This is the list of STABLE metrics emitted from core Kubernetes components">
 <thead>
 	<tr>
@@ -223,6 +225,8 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu
 
 ### List of Beta Kubernetes Metrics
 
+Beta metrics observe a looser API contract than its stable counterparts. No labels can be removed from beta metrics during their lifetime, however, labels can be added while the metric is in the beta stage. This offers the assurance that beta metrics will honor existing dashboards and alerts, while allowing for amendments in the future. 
+
 <table class="table metrics" caption="This is the list of BETA metrics emitted from core Kubernetes components">
 <thead>
 	<tr>
@@ -333,6 +337,8 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu
 
 ### List of Alpha Kubernetes Metrics
 
+Alpha metrics do not have any API guarantees. These metrics must be used at your own risk, subsequent versions of Kubernetes may remove these metrics altogether, or mutate the API in such a way that breaks existing dashboards and alerts. 
+
 <table class="table metrics" caption="This is the list of ALPHA metrics emitted from core Kubernetes components">
 <thead>
 	<tr>

test/e2e/node/kubelet.go

@@ -58,6 +58,8 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu
 
 ### List of Stable Kubernetes Metrics
 
+Stable metrics observe strict API contracts and no labels can be added or removed from stable metrics during their lifetime.
+
 <table class="table metrics" caption="This is the list of STABLE metrics emitted from core Kubernetes components">
 <thead>
 	<tr>
@@ -84,6 +86,8 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu
 
 ### List of Beta Kubernetes Metrics
 
+Beta metrics observe a looser API contract than its stable counterparts. No labels can be removed from beta metrics during their lifetime, however, labels can be added while the metric is in the beta stage. This offers the assurance that beta metrics will honor existing dashboards and alerts, while allowing for amendments in the future. 
+
 <table class="table metrics" caption="This is the list of BETA metrics emitted from core Kubernetes components">
 <thead>
 	<tr>
@@ -110,6 +114,8 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu
 
 ### List of Alpha Kubernetes Metrics
 
+Alpha metrics do not have any API guarantees. These metrics must be used at your own risk, subsequent versions of Kubernetes may remove these metrics altogether, or mutate the API in such a way that breaks existing dashboards and alerts. 
+
 <table class="table metrics" caption="This is the list of ALPHA metrics emitted from core Kubernetes components">
 <thead>
 	<tr>

test/instrumentation/documentation/documentation.md

@@ -24,6 +24,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"sync"
 	"testing"
 	"time"
@@ -649,7 +650,16 @@ func TestMatchConditions_validation(t *testing.T) {
 			Expression: "oldObject == null",
 		}},
 		expectError: true,
-	}}
+	}, {
+		name:            "less than 65 match conditions should pass",
+		matchConditions: repeatedMatchConditions(64),
+		expectError:     false,
+	}, {
+		name:            "more than 64 match conditions should error",
+		matchConditions: repeatedMatchConditions(65),
+		expectError:     true,
+	},
+	}
 
 	dryRunCreate := metav1.CreateOptions{
 		DryRun: []string{metav1.DryRunAll},
@@ -952,3 +962,14 @@ func newMarkerPod(namespace string) *corev1.Pod {
 		},
 	}
 }
+
+func repeatedMatchConditions(size int) []admissionregistrationv1.MatchCondition {
+	matchConditions := make([]admissionregistrationv1.MatchCondition, 0, size)
+	for i := 0; i < size; i++ {
+		matchConditions = append(matchConditions, admissionregistrationv1.MatchCondition{
+			Name:       "repeated-" + strconv.Itoa(i),
+			Expression: "true",
+		})
+	}
+	return matchConditions
+}

test/instrumentation/documentation/main.go

@@ -94,7 +94,7 @@ resources:
       - name: key1
         secret: c2VjcmV0IGlzIHNlY3VyZQ==
 `
-	test, err := newTransformTest(t, encryptionConfig, false, "")
+	test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 	if err != nil {
 		t.Fatalf("failed to start Kube API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 	}

test/integration/apiserver/admissionwebhook/match_conditions_test.go

@@ -28,7 +28,6 @@ import (
 	"fmt"
 	"math/rand"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -49,6 +48,7 @@ import (
 	kmsapi "k8s.io/kms/apis/v1beta1"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/etcd"
+	"k8s.io/kubernetes/test/integration/framework"
 )
 
 const (
@@ -133,7 +133,7 @@ resources:
 `
 	providerName := "kms-provider"
 	pluginMock := mock.NewBase64Plugin(t, "@kms-provider.sock")
-	test, err := newTransformTest(t, encryptionConfig, false, "")
+	test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 	if err != nil {
 		t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 	}
@@ -295,6 +295,7 @@ resources:
 // 10. confirm that cluster wide secret read still works
 // 11. confirm that api server can restart with last applied encryption config
 func TestEncryptionConfigHotReload(t *testing.T) {
+	storageConfig := framework.SharedEtcd()
 	encryptionConfig := `
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
@@ -309,7 +310,7 @@ resources:
 `
 	_ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 	var restarted bool
-	test, err := newTransformTest(t, encryptionConfig, true, "")
+	test, err := newTransformTest(t, encryptionConfig, true, "", storageConfig)
 	if err != nil {
 		t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 	}
@@ -365,7 +366,7 @@ resources:
 	// start new KMS Plugin
 	_ = mock.NewBase64Plugin(t, "@new-kms-provider.sock")
 	// update encryption config
-	if err := os.WriteFile(path.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithNewProvider), 0644); err != nil {
+	if err := os.WriteFile(filepath.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithNewProvider), 0644); err != nil {
 		t.Fatalf("failed to update encryption config, err: %v", err)
 	}
 
@@ -377,8 +378,9 @@ resources:
 
 	// run storage migration
 	// get secrets
+	ctx := testContext(t)
 	secretsList, err := test.restClient.CoreV1().Secrets("").List(
-		context.TODO(),
+		ctx,
 		metav1.ListOptions{},
 	)
 	if err != nil {
@@ -388,7 +390,7 @@ resources:
 	for _, secret := range secretsList.Items {
 		// update secret
 		_, err = test.restClient.CoreV1().Secrets(secret.Namespace).Update(
-			context.TODO(),
+			ctx,
 			&secret,
 			metav1.UpdateOptions{},
 		)
@@ -399,7 +401,7 @@ resources:
 
 	// get configmaps
 	configmapsList, err := test.restClient.CoreV1().ConfigMaps("").List(
-		context.TODO(),
+		ctx,
 		metav1.ListOptions{},
 	)
 	if err != nil {
@@ -409,7 +411,7 @@ resources:
 	for _, configmap := range configmapsList.Items {
 		// update configmap
 		_, err = test.restClient.CoreV1().ConfigMaps(configmap.Namespace).Update(
-			context.TODO(),
+			ctx,
 			&configmap,
 			metav1.UpdateOptions{},
 		)
@@ -463,7 +465,7 @@ resources:
 `
 
 	// update encryption config and wait for hot reload
-	if err := os.WriteFile(path.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithoutOldProvider), 0644); err != nil {
+	if err := os.WriteFile(filepath.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithoutOldProvider), 0644); err != nil {
 		t.Fatalf("failed to update encryption config, err: %v", err)
 	}
 
@@ -472,7 +474,7 @@ resources:
 
 	// confirm that reading secrets still works
 	_, err = test.restClient.CoreV1().Secrets(testNamespace).Get(
-		context.TODO(),
+		ctx,
 		testSecret,
 		metav1.GetOptions{},
 	)
@@ -481,13 +483,13 @@ resources:
 	}
 
 	// make sure cluster wide secrets read still works
-	_, err = test.restClient.CoreV1().Secrets("").List(context.TODO(), metav1.ListOptions{})
+	_, err = test.restClient.CoreV1().Secrets("").List(ctx, metav1.ListOptions{})
 	if err != nil {
 		t.Fatalf("failed to list secrets, err: %v", err)
 	}
 
 	// make sure cluster wide configmaps read still works
-	_, err = test.restClient.CoreV1().ConfigMaps("").List(context.TODO(), metav1.ListOptions{})
+	_, err = test.restClient.CoreV1().ConfigMaps("").List(ctx, metav1.ListOptions{})
 	if err != nil {
 		t.Fatalf("failed to list configmaps, err: %v", err)
 	}
@@ -496,19 +498,28 @@ resources:
 	previousConfigDir := test.configDir
 	test.shutdownAPIServer()
 	restarted = true
-	test, err = newTransformTest(t, "", true, previousConfigDir)
+	test, err = newTransformTest(t, test.transformerConfig, true, previousConfigDir, storageConfig)
 	if err != nil {
 		t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 	}
 	defer test.cleanUp()
 
+	_, err = test.restClient.CoreV1().Secrets(testNamespace).Get(
+		ctx,
+		testSecret,
+		metav1.GetOptions{},
+	)
+	if err != nil {
+		t.Fatalf("failed to read secret, err: %v", err)
+	}
+
 	// confirm that reading cluster wide secrets still works after restart
-	if _, err = test.restClient.CoreV1().Secrets("").List(context.TODO(), metav1.ListOptions{}); err != nil {
+	if _, err = test.restClient.CoreV1().Secrets("").List(ctx, metav1.ListOptions{}); err != nil {
 		t.Fatalf("failed to list secrets, err: %v", err)
 	}
 
 	// make sure cluster wide configmaps read still works
-	if _, err = test.restClient.CoreV1().ConfigMaps("").List(context.TODO(), metav1.ListOptions{}); err != nil {
+	if _, err = test.restClient.CoreV1().ConfigMaps("").List(ctx, metav1.ListOptions{}); err != nil {
 		t.Fatalf("failed to list configmaps, err: %v", err)
 	}
 }
@@ -531,7 +542,7 @@ resources:
 		_ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
 		defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)()
 		defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)()
-		test, err := newTransformTest(t, encryptionConfig, false, "")
+		test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 		if err != nil {
 			t.Fatalf("failed to start KUBE API Server with encryptionConfig")
 		}
@@ -643,7 +654,7 @@ resources:
 	_ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 	_ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
 
-	test, err := newTransformTest(t, encryptionConfig, false, "")
+	test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 	if err != nil {
 		t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 	}
@@ -785,9 +796,8 @@ resources:
 `
 			_ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 
-			test, err := newTransformTest(t, encryptionConfig, true, "")
+			test, err := newTransformTest(t, encryptionConfig, true, "", nil)
 			if err != nil {
-				test.cleanUp()
 				t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 			}
 			defer test.cleanUp()
@@ -950,7 +960,7 @@ resources:
 	pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
 	pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
 
-	test, err := newTransformTest(t, encryptionConfig, false, "")
+	test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 	if err != nil {
 		t.Fatalf("failed to start kube-apiserver, error: %v", err)
 	}
@@ -1006,7 +1016,7 @@ resources:
 	pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
 	pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
 
-	test, err := newTransformTest(t, encryptionConfig, true, "")
+	test, err := newTransformTest(t, encryptionConfig, true, "", nil)
 	if err != nil {
 		t.Fatalf("Failed to start kube-apiserver, error: %v", err)
 	}