WIP: Rebase 1.31.0 #2086
base: master
Allow calling Stop multiple times on RetryWatcher
Signed-off-by: Nadia Pinaeva <[email protected]>
objects. Change the order of operations to stop current iteration if no changes to the service chains are needed. Bump syncProxy frequency to 1 hour. In a test kind cluster creation of 10K services, 2 endpoints each, takes ~25m before the fix and ~9min after. Maximum memory usage during creation is ~650MiB and 260MiB respectively. Another important metric is the time it takes to create 1 new service when 10K svc already exist. It used to take ~8m before the fix, with partialSync it takes ~141ms.
Signed-off-by: Nadia Pinaeva <[email protected]>
Signed-off-by: Nadia Pinaeva <[email protected]>
a masked proc mount has traditionally been used to prevent untrusted containers from accessing leaky kernel APIs. However, within a user namespace, typical ID checks protect better than masked proc. Further, allowing unmasked proc with a user namespace gives access to a container mounting sub procs, which opens avenues for container-in-container use cases. Update PSS for baseline to allow a container to access an unmasked /proc, if it's in a user namespace and if the UserNamespacesPodSecurityStandards feature is enabled.
Signed-off-by: Peter Hunt <[email protected]>
make sure to cleanup after setting RelaxPolicyForUserNamespacePods setup test variables to be a little more terse and similar between tests cleanup Allowed checking
Signed-off-by: Peter Hunt <[email protected]>
…ubelet-attach-failed report an event to pod if kubelet does attach operation failed
KEP-24: Update AppArmor feature gates to GA stage.
…orage-quota pkg/volume/*: Enable quotas in user namespace
KEP-4569: Kubelet option to disable cgroup v1 support
PSA: allow container_engine_t selinux type
…-4191-to-beta KEP-4191: Split Image Filesystem promotion to Beta
integration tests: split Wardle aggregation test API server running
run NoSNAT network test between pods without any feature tag
The actual name has the k8s.io suffix.
The names aren't actually special for validation. They are acceptable with and without the feature gate, the only difference is that they don't do anything when the feature is enabled.
Dynamic resource allocation is similar to storage in the sense that users create ResourceClaim objects to request resources, same as with persistent volume claims. The actual resource usage is only known when allocating claims, but some limits can already be enforced at admission time:
- "count/resourceclaims.resource.k8s.io" limits the number of ResourceClaim objects in a namespace; this is a generic feature that is already supported also without this commit.
- "resourceclaims" is *not* an alias - use "count/resourceclaims.resource.k8s.io" instead.
- <device-class-name>.deviceclass.resource.k8s.io/devices limits the number of ResourceClaim objects in a namespace such that the number of devices requested through those objects with that class does not exceed the limit.

A single request may cause the allocation of multiple devices. For exact counts, the quota limit is based on the sum of those exact counts. For requests asking for "all" matching devices, the maximum number of allocated devices per claim is used as a worst-case upper bound. Requests asking for "admin access" contribute to the quota.

DRA quota: remove admin mode exception
Signed-off-by: Vinayak Goyal <[email protected]>
Fixes kubernetes#126180
As the ProcMountType feature is disabled by default in beta and relies on the UserNamespacesSupport feature, which is also set to false in beta, running this test is unnecessary.
Signed-off-by: Sohan Kunkerkar <[email protected]>
[kep-3751] pvc bind pv with vac
[kube-proxy: nftables] Implement partial sync.
[go] Bump images, dependencies and versions to go 1.23rc2
Revert debug steps and logs for kubernetes#123760
…tor-internal-config Kube proxy refactor internal config
Signed-off-by: Yuki Iwai <[email protected]>
DRA: resource quotas
…-invalidca Validate CABundle when writing CRD
…umbing-split Step 12 - Add generic controlplane example
…tionAnnotation mark volume.beta.kubernetes.io/mount-options as deprecated
…eline PSA: allow procMount type Unmasked in baseline
/payload 4.18 nightly blocking
@bertinatto: trigger 9 job(s) of type blocking for the nightly release of OCP 4.18
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b7567340-761d-11ef-84df-50166cba9980-0
trigger 73 job(s) of type informing for the nightly release of OCP 4.18
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b7567340-761d-11ef-84df-50166cba9980-1
…stConsistentReadFallback when ResilientWatchCacheInitialization is off
…herDontAcceptRequestsStopped when ResilientWatchCacheInitialization is off
@bertinatto: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
PR needs rebase.
This is a PR to support testing of #2055.