pull from upstream#3
Open
fvalle1 wants to merge 1743 commits into
hetzner: upgrade CCM to v1.31.0
hetzner: upgrade CSI driver to v2.20.2
kops toolbox dump fixes
Disable kube-proxy when Calico runs in eBPF mode
VFS used to fall back to listing every EC2 region via DescribeRegions and fanning out one GetBucketLocation per region whenever the initial GetBucketLocation failed (cross-account buckets). That pulled the entire EC2 SDK into every kops binary purely for one call. HeadBucket can be called against any region in the partition: S3 returns the bucket region in BucketRegion on success and in the x-amz-bucket-region response header on cross-region 301 redirects. One call replaces the fanout and drops the EC2 SDK from the channels binary (~28 MB smaller).
vfs: Use HeadBucket to resolve S3 bucket region
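The region-resolution behaviour the commit above relies on, shown as an added example that is not part of kops or the AWS SDK: a single HEAD request is sent to whatever regional endpoint the caller is configured for, and the bucket's home region is read from the `x-amz-bucket-region` header whether the reply is a `200` (bucket lives in that region) or a `301` redirect (bucket lives elsewhere). The `knownBuckets` map, the `newFakeS3` stand-in server and the `ResolveBucketRegion` function are constructed for this illustration; the real kops code calls the SDK's HeadBucket and reads `BucketRegion` from its output.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownBuckets is constructed sample data: bucket name -> home region.
var knownBuckets = map[string]string{
	"kops-state-store":     "us-east-1",
	"shared-cross-account": "eu-west-1",
}

// newFakeS3 is a stand-in for an S3 regional endpoint. Like S3, it answers a
// HEAD on a bucket with 200 when the bucket lives in this region and with a
// 301 when it lives in another region; in both cases it sets
// x-amz-bucket-region to the bucket's real region.
func newFakeS3(region string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodHead {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		bucket := strings.Trim(r.URL.Path, "/")
		home, ok := knownBuckets[bucket]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		w.Header().Set("x-amz-bucket-region", home)
		if home != region {
			// Cross-region request: S3 redirects but still names the region.
			w.WriteHeader(http.StatusMovedPermanently)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// ResolveBucketRegion issues one HEAD against endpoint (any region in the
// partition) and returns the bucket's region from the response header. The
// client deliberately does not follow redirects: the 301 itself carries the
// answer, so no per-region fan-out is needed.
func ResolveBucketRegion(endpoint, bucket string) (string, error) {
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequest(http.MethodHead, endpoint+"/"+bucket, nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	region := resp.Header.Get("x-amz-bucket-region")
	switch resp.StatusCode {
	case http.StatusOK, http.StatusMovedPermanently:
		if region == "" {
			return "", fmt.Errorf("bucket %q: status %d without x-amz-bucket-region", bucket, resp.StatusCode)
		}
		return region, nil
	case http.StatusNotFound:
		return "", fmt.Errorf("bucket %q not found", bucket)
	default:
		return "", fmt.Errorf("bucket %q: unexpected status %d", bucket, resp.StatusCode)
	}
}

func main() {
	// The caller is "configured" for us-east-1; the second bucket is elsewhere.
	srv := newFakeS3("us-east-1")
	defer srv.Close()
	for _, b := range []string{"kops-state-store", "shared-cross-account", "missing"} {
		region, err := ResolveBucketRegion(srv.URL, b)
		fmt.Printf("%-22s region=%q err=%v\n", b, region, err)
	}
}
```

Disabling redirect-following is the point of the design: a client that transparently chased the 301 would hide the region header and, against real S3, would also need a second signed request to the right endpoint. A missing header on a 2xx/3xx is treated as an error rather than silently falling back, which is the condition the old DescribeRegions fan-out used to paper over.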
Used only for two well-known tag constants (kubernetes.io/role/elb and kubernetes.io/role/internal-elb), shrinking the kops binary by ~4MB.
aws: Drop cloud-provider-aws dependency
Cloud.DeregisterInstance failures were logged but the node-groups loop continued, leaving every worker tainted with kops.k8s.io/scheduled-for-update. Mark these errors exitable so the roll bails out on the first failure.
Abort rolling update on load balancer deregister failure
Nodeup uses curl which does not support s3://, so accepting such URLs silently leads to nodes failing to boot. Validate the scheme upfront.
The kops create instancegroup command applies a kops.k8s.io/instancegroup node label so workloads can target a specific instance group via affinity or label selectors. Instance groups generated by kops create cluster did not receive this label, leaving the two code paths inconsistent.
aws: allow disabling NTH enableScheduledEventDraining in Queue Processor mode
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Reject non-http(s) URLs for assets.fileRepository
Align instancegroup node label across create cluster/instancegroup
aws: apply onDemandAllocationStrategy to ASG mixed instances policy
aws: propagate taints without value to ASG tags
A single-file hostPath mount binds to the source inode at mount time, so when something rewrites the kubeconfig the container keeps reading the orphaned inode. Mounting the parent directory matches what kube-scheduler and kube-controller-manager already do.
kube-proxy: bind-mount kubeconfig directory instead of the file
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
kOps sets --cloud-provider=external for every cloud on all supported Kubernetes versions (1.31+), so no in-tree cloud provider is ever initialized. The --cloud-config flag and the in-tree-cloud.config file it points to are read only by an in-tree provider, so they have been a no-op on every supported version.
Author: @Paolo-Beci @iliy27 let's rebase this :)
e2e: trim job name
Remove the unused in-tree cloud config
The Azure cloud-controller-manager and CSI drivers will read their cloud config from the azure-cloud-provider Secret instead of a file on disk. This addon publishes that Secret, built from the cluster spec, as a shared dependency applied before the components that consume it.
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
gVisor (runsc) was previously installable on any instance group role. Restrict it to nodes with role Node: reject cluster/IG configs that enable gVisor on control plane, apiserver, or bastion roles, strip the gVisor config from non-worker nodeup configs, and only apply the gVisor node label and RuntimeClass addon when a worker has it enabled. Also harden nil handling for cluster.Spec.Containerd in nodeup config and bootstrapchannelbuilder. Update release notes and add tests across validation, nodeup config, gvisor builder, and instancegroup spec.
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
feat: add gVisor RuntimeClass support for containerd
…ctions/checkout-6.0.3 build(deps): bump actions/checkout from 6.0.2 to 6.0.3
Surface Calico's Felix NFTablesMode (Disabled, Enabled, Auto) as a field on CalicoNetworkingSpec and propagate it to the calico-node DaemonSet via FELIX_NFTABLESMODE. When left unset, the upstream Calico chart default applies, preserving existing behavior. On distributions where iptables is only present as a shim over nftables (e.g. RHEL10+, Rocky10+), routing Felix's data plane through iptables-nft / nft_compat has produced BGP session flapping and broken pod networking on GCE. This field lets clusters opt their Calico install into native nftables on those nodes.
Calico: add NFTablesMode setting
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
etcd-manager: switch to go-runner-based distroless image
kube-proxy: assert buildPod command in unit test
gVisor: add HasGVisor() helper function
…nect dump: add --node-dump-timeout flag for per-node dump timeout
scaltest: Default node dump timeout to 5m in scalability run-test.sh
…ity scenario Signed-off-by: Jefftree <jeffrey.ying86@live.com>
Signed-off-by: Jefftree <jeffrey.ying86@live.com>
Support etcd 3.7.0-rc.0 and allow overriding the etcd version in the scalability scenario
Enable misspell in golangci-lint
e2e: Filter random AZ selection by instance type availability
azure: Use IMDS attested metadata document for node identity
No description provided.