From 32dcfcc2c8059b2b71020d776a75a9b01bbe0534 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Mon, 25 Nov 2024 16:58:59 -0500 Subject: [PATCH 1/7] UPSTREAM: : features: add MinimumKubeletVersion feature Signed-off-by: Peter Hunt --- pkg/features/openshift_features.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/features/openshift_features.go b/pkg/features/openshift_features.go index 6325606ee8868..3ba55fdac903a 100644 --- a/pkg/features/openshift_features.go +++ b/pkg/features/openshift_features.go @@ -5,6 +5,7 @@ import ( ) var RouteExternalCertificate featuregate.Feature = "RouteExternalCertificate" +var MinimumKubeletVersion featuregate.Feature = "MinimumKubeletVersion" // registerOpenshiftFeatures injects openshift-specific feature gates func registerOpenshiftFeatures() { @@ -12,4 +13,8 @@ func registerOpenshiftFeatures() { Default: false, PreRelease: featuregate.Alpha, } + defaultKubernetesFeatureGates[MinimumKubeletVersion] = featuregate.FeatureSpec{ + Default: false, + PreRelease: featuregate.Alpha, + } } From e3be4e171294407c41f544a2e68257c6b9a385bf Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Mon, 18 Nov 2024 10:37:23 -0500 Subject: [PATCH 2/7] UPSTREAM: : vendor library-go and api changes for minimum kubelet verison Signed-off-by: Peter Hunt --- go.mod | 4 +- go.sum | 8 +- go.work.sum | 52 ++++++++ staging/src/k8s.io/api/go.sum | 4 +- .../src/k8s.io/apiextensions-apiserver/go.mod | 4 +- .../src/k8s.io/apiextensions-apiserver/go.sum | 8 +- staging/src/k8s.io/apiserver/go.mod | 2 +- staging/src/k8s.io/apiserver/go.sum | 6 +- staging/src/k8s.io/cloud-provider/go.mod | 2 +- staging/src/k8s.io/cloud-provider/go.sum | 6 +- staging/src/k8s.io/component-base/go.sum | 4 +- staging/src/k8s.io/component-helpers/go.sum | 4 +- staging/src/k8s.io/controller-manager/go.sum | 2 +- .../k8s.io/dynamic-resource-allocation/go.sum | 2 +- staging/src/k8s.io/kube-aggregator/go.mod | 2 +- staging/src/k8s.io/kube-aggregator/go.sum | 6 +- .../src/k8s.io/kube-controller-manager/go.sum | 2 +- staging/src/k8s.io/kubelet/go.sum | 2 +- .../src/k8s.io/pod-security-admission/go.mod | 2 +- .../src/k8s.io/pod-security-admission/go.sum | 6 +- staging/src/k8s.io/sample-apiserver/go.mod | 2 +- staging/src/k8s.io/sample-apiserver/go.sum | 6 +- .../api/config/v1/types_infrastructure.go | 26 +++- .../openshift/api/config/v1/types_node.go | 19 +++ .../api/config/v1/zz_generated.deepcopy.go | 5 + ..._generated.featuregated-crd-manifests.yaml | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 16 +-- .../v1alpha1/types_cluster_image_policy.go | 1 + .../api/config/v1alpha1/types_image_policy.go | 1 + .../zz_generated.swagger_doc_generated.go | 4 +- .../openshift/api/features/features.go | 111 +++++++++++++++++- .../github.com/openshift/api/features/util.go | 28 +++++ .../api/kubecontrolplane/v1/types.go | 19 +++ .../v1/zz_generated.swagger_doc_generated.go | 1 + .../openshift/api/operator/v1/types.go | 42 ++++++- .../api/operator/v1/types_ingress.go | 22 +++- .../v1/zz_generated.swagger_doc_generated.go | 9 +- .../apiserver/node/minimum_kubelet_version.go | 80 +++++++++++++ vendor/modules.txt | 5 +- 39 files changed, 450 insertions(+), 79 deletions(-) create mode 100644 vendor/github.com/openshift/library-go/pkg/apiserver/node/minimum_kubelet_version.go diff --git a/go.mod b/go.mod index 6223ba07fbbde..4f695b2d3937f 100644 --- a/go.mod +++ b/go.mod @@ -49,10 +49,10 @@ require ( github.com/opencontainers/runc v1.1.13 github.com/opencontainers/selinux v1.11.0 github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf - github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f + github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2 github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6 github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 github.com/prometheus/client_golang v1.19.1 diff --git a/go.sum b/go.sum index 092451a292b76..2719be2185b07 100644 --- a/go.sum +++ b/go.sum @@ -500,8 +500,8 @@ github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaL github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf h1:WY0VzsbhiQQNcS8Y9AXuiqqY8YHljePp1QhrIrue4+c= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f h1:ya1OmyZm3LIIxI3U9VE9Nyx3ehCHgBwxyFUPflYPWls= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2 h1:CguNy+2KzhJ3a3i7e4Bgm/ByfQpSSSPYmF9NLZskoUs= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6 h1:Wban+ggY6sbg611SQSOeavUeug2cRJGz0rEeXxTxIH0= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= @@ -509,8 +509,8 @@ github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f h1:FRc0bVNWpri github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2 h1:ls1C5cvJbA5CbOwbA4Nx/W+tRvXgKDc9XT81bg3sxCA= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= diff --git a/go.work.sum b/go.work.sum index e085e445af670..1bb68fd6c117e 100644 --- a/go.work.sum +++ b/go.work.sum @@ -389,12 +389,17 @@ github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMr github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89 h1:aPflPkRFkVwbW6dmcVqfgwp1i+UWGFH6VgR1Jim5Ygc= +github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= github.com/chromedp/chromedp v0.9.2 h1:dKtNz4kApb06KuSXoTQIyUC2TrA0fhGDwNZf3bcgfKw= +github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= github.com/chromedp/sysutil v1.0.0 h1:+ZxhTpfpZlmchB58ih/LBHX52ky7w2VhQVKQMucy3Ic= +github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww= github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE= +github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8= github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8= +github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrCgN8fCq8E5Xuty6jGbmSNEvSsU= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -419,6 +424,7 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954 h1:RMLoZVzv4GliuW github.com/distribution/distribution/v3 v3.0.0-20230511163743-f7717b7855ca h1:yGaIDzPWkgU+yRvI2x/rGdOU1hl6bLZzm0mETEUSHwk= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM= @@ -428,6 +434,7 @@ github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw= github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ= github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw= @@ -437,10 +444,15 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4 h1:WtGNWLvXpe github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU= +github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og= +github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk= +github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= @@ -475,6 +487,9 @@ github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPg github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= +github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= @@ -488,6 +503,8 @@ github.com/googleapis/gax-go/v2 v2.12.2/go.mod h1:61M8vcyyXR2kqKFxKrfA22jaA8JGF7 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= +github.com/haircommander/library-go v0.0.0-20241105220324-e0b20315efcb h1:nDqC32XQYdnMShoVFfP/pgZ2V88WEbNNln37MaQz6cg= +github.com/haircommander/library-go v0.0.0-20241105220324-e0b20315efcb/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/hashicorp/consul/api v1.1.0 h1:BNQPM9ytxj6jbjjdRPioQ94T6YXriSopn0i8COv6SRA= github.com/hashicorp/consul/sdk v0.1.1 h1:LnuDWGNsoajlhGyHJvuWW6FVqRl8JOTPqS6CPTsYjhY= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= @@ -511,9 +528,13 @@ github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47 github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI= github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639 h1:mV02weKRL81bEnm8A0HT1/CAelMQDBuQIfLw8n+d6xI= +github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w= +github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465 h1:KwWnWVWCNtNq/ewIX7HIKnELmEx2nDP42yskD/pi7QE= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc= github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= @@ -530,6 +551,7 @@ github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZY github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw= +github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs= github.com/lyft/protoc-gen-star/v2 v2.0.3 h1:/3+/2sWyXeMLzKd1bX+ixWKgEMsULrIivpDsuaF441o= github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk= github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY= @@ -546,11 +568,14 @@ github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdI github.com/mitchellh/gox v0.4.0 h1:lfGJxY7ToLJQjHHwi0EX6uYBdK78egf954SQl13PQJc= github.com/mitchellh/iochan v1.0.0 h1:C+X3KsSTLFVBr/tK1eYN/vs4rJcvsiLU338UhYPJWeY= github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660 h1:F0zE2bmdVvaEd18VXuGYQdJJ1FYJu4MIDW9PYZWc9No= github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU= +github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c h1:Lgl0gzECD8GnQ5QCWA8o6BtfL6mDH5rQgM4/fX3avOs= github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= @@ -561,7 +586,13 @@ github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/posener/complete v1.1.1 h1:ccV59UEOTzVDnDUEFdT95ZzHVZ+5+158q8+SJb2QV5w= github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/tsdb v0.7.1 h1:YZcsG11NqnK4czYLrWd9mpEuAJIHVQLwdrleYfszMAA= github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= github.com/rogpeppe/fastuuid v1.2.0 h1:Ppwyp6VYCF1nvBTXL3trRso7mXMlRrw9ooo375wvi2s= @@ -622,6 +653,7 @@ golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhp golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG1In4gJY5YRhtpDNeDeHWs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= @@ -633,14 +665,22 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -649,6 +689,9 @@ golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808 h1:+Kc94D8UVEVxJnLXp/+FMfqQARZtWHfVrcRtcG8aT3g= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2 h1:IRJeR9r1pYWsHKTRe/IInb7lYvbBVIqOgsX/u0mbOWY= golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457 h1:zf5N6UOrA487eEFacMePxjXAJctxKmyjKUsjA11Uzuk= @@ -660,6 +703,8 @@ golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= @@ -688,6 +733,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c/go. google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y= google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc h1:g3hIDl0jRNd9PPTs2uBzYuaD5mQuwOkZY0vSc0LR32o= google.golang.org/genproto/googleapis/bytestream v0.0.0-20240304161311-37d4d3c04a78 h1:YqFWYZXim8bG9v68xU8WjTZmYKb5M5dMeSOWIp6jogI= google.golang.org/genproto/googleapis/bytestream v0.0.0-20240304161311-37d4d3c04a78/go.mod h1:vh/N7795ftP0AkN1w8XKqN4w1OdUKXW5Eummda+ofv8= @@ -707,6 +753,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240509183442-62759503f434/go. google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM= google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= @@ -721,6 +769,7 @@ google.golang.org/grpc v1.63.0/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDom google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0 h1:M1YKkFIboKNieVO5DLUEVzQfGwJD30Nv2jfUgzb5UcE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= @@ -737,6 +786,9 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc h1:/hemPrYIhOhy8zYrNj+069zDB68us2sMGsfkFJO0iZs= honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE= rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY= rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4= diff --git a/staging/src/k8s.io/api/go.sum b/staging/src/k8s.io/api/go.sum index f1b49733ce3b4..5449a34c4144a 100644 --- a/staging/src/k8s.io/api/go.sum +++ b/staging/src/k8s.io/api/go.sum @@ -124,11 +124,11 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.mod b/staging/src/k8s.io/apiextensions-apiserver/go.mod index 442595cbfb6ae..3cadd978d9e1a 100644 --- a/staging/src/k8s.io/apiextensions-apiserver/go.mod +++ b/staging/src/k8s.io/apiextensions-apiserver/go.mod @@ -12,7 +12,7 @@ require ( github.com/google/go-cmp v0.6.0 github.com/google/gofuzz v1.2.0 github.com/google/uuid v1.6.0 - github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f + github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 @@ -78,7 +78,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 // indirect + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.sum b/staging/src/k8s.io/apiextensions-apiserver/go.sum index 9a8cf8943eba1..2fae809f0e25a 100644 --- a/staging/src/k8s.io/apiextensions-apiserver/go.sum +++ b/staging/src/k8s.io/apiextensions-apiserver/go.sum @@ -344,14 +344,14 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f h1:ya1OmyZm3LIIxI3U9VE9Nyx3ehCHgBwxyFUPflYPWls= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2 h1:CguNy+2KzhJ3a3i7e4Bgm/ByfQpSSSPYmF9NLZskoUs= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= diff --git a/staging/src/k8s.io/apiserver/go.mod b/staging/src/k8s.io/apiserver/go.mod index d2b07c87355d9..e7a40d457263c 100644 --- a/staging/src/k8s.io/apiserver/go.mod +++ b/staging/src/k8s.io/apiserver/go.mod @@ -20,7 +20,7 @@ require ( github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 go.etcd.io/etcd/api/v3 v3.5.14 diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum index 08f8911275ab0..13ae038c79431 100644 --- a/staging/src/k8s.io/apiserver/go.sum +++ b/staging/src/k8s.io/apiserver/go.sum @@ -345,13 +345,13 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= diff --git a/staging/src/k8s.io/cloud-provider/go.mod b/staging/src/k8s.io/cloud-provider/go.mod index dbf0d9456a8cc..d4fec72abe873 100644 --- a/staging/src/k8s.io/cloud-provider/go.mod +++ b/staging/src/k8s.io/cloud-provider/go.mod @@ -60,7 +60,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 // indirect + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect diff --git a/staging/src/k8s.io/cloud-provider/go.sum b/staging/src/k8s.io/cloud-provider/go.sum index 3d71c4a1795da..44d863f35b267 100644 --- a/staging/src/k8s.io/cloud-provider/go.sum +++ b/staging/src/k8s.io/cloud-provider/go.sum @@ -162,11 +162,11 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/component-base/go.sum b/staging/src/k8s.io/component-base/go.sum index 7641b85fd88b3..d7e4715986d25 100644 --- a/staging/src/k8s.io/component-base/go.sum +++ b/staging/src/k8s.io/component-base/go.sum @@ -167,11 +167,11 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/component-helpers/go.sum b/staging/src/k8s.io/component-helpers/go.sum index 51a82b2d83716..5db6626f17dd9 100644 --- a/staging/src/k8s.io/component-helpers/go.sum +++ b/staging/src/k8s.io/component-helpers/go.sum @@ -138,11 +138,11 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/controller-manager/go.sum b/staging/src/k8s.io/controller-manager/go.sum index faa84a58563df..b0587e0e5a4f6 100644 --- a/staging/src/k8s.io/controller-manager/go.sum +++ b/staging/src/k8s.io/controller-manager/go.sum @@ -136,7 +136,7 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/dynamic-resource-allocation/go.sum b/staging/src/k8s.io/dynamic-resource-allocation/go.sum index f8894884de46f..e7f84eacf0d52 100644 --- a/staging/src/k8s.io/dynamic-resource-allocation/go.sum +++ b/staging/src/k8s.io/dynamic-resource-allocation/go.sum @@ -114,7 +114,7 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/kube-aggregator/go.mod b/staging/src/k8s.io/kube-aggregator/go.mod index dc80c18e1a018..a7617d21f4c00 100644 --- a/staging/src/k8s.io/kube-aggregator/go.mod +++ b/staging/src/k8s.io/kube-aggregator/go.mod @@ -65,7 +65,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 // indirect + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect diff --git a/staging/src/k8s.io/kube-aggregator/go.sum b/staging/src/k8s.io/kube-aggregator/go.sum index eb55290a99702..91a16d47ce3f5 100644 --- a/staging/src/k8s.io/kube-aggregator/go.sum +++ b/staging/src/k8s.io/kube-aggregator/go.sum @@ -200,13 +200,13 @@ github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbL github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/openshift-eng/openshift-tests-extension v0.0.0-20241028125658-76ee2532d0bf/go.mod h1:1OhaNsaU9vuy/dlYZLEve7bgE2Ed+yTV5VSbYvGXt4s= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= github.com/openshift/google-cadvisor v0.49.0-openshift-4.17-2/go.mod h1:s6Fqwb2KiWG6leCegVhw4KW40tf9f7m+SF1aXiE8Wsk= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/kube-controller-manager/go.sum b/staging/src/k8s.io/kube-controller-manager/go.sum index 9bcab2268eeca..920c16b053427 100644 --- a/staging/src/k8s.io/kube-controller-manager/go.sum +++ b/staging/src/k8s.io/kube-controller-manager/go.sum @@ -68,7 +68,7 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/staging/src/k8s.io/kubelet/go.sum b/staging/src/k8s.io/kubelet/go.sum index 8aa58dd051467..11e6053b28233 100644 --- a/staging/src/k8s.io/kubelet/go.sum +++ b/staging/src/k8s.io/kubelet/go.sum @@ -108,7 +108,7 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/pod-security-admission/go.mod b/staging/src/k8s.io/pod-security-admission/go.mod index bbbc9ebb6dc5f..8c5798864611f 100644 --- a/staging/src/k8s.io/pod-security-admission/go.mod +++ b/staging/src/k8s.io/pod-security-admission/go.mod @@ -58,7 +58,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/onsi/gomega v1.33.1 // indirect - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 // indirect + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect diff --git a/staging/src/k8s.io/pod-security-admission/go.sum b/staging/src/k8s.io/pod-security-admission/go.sum index 34857f98649af..208a56055788e 100644 --- a/staging/src/k8s.io/pod-security-admission/go.sum +++ b/staging/src/k8s.io/pod-security-admission/go.sum @@ -158,11 +158,11 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/staging/src/k8s.io/sample-apiserver/go.mod b/staging/src/k8s.io/sample-apiserver/go.mod index d792c9ac4b3bb..e31743af42ce2 100644 --- a/staging/src/k8s.io/sample-apiserver/go.mod +++ b/staging/src/k8s.io/sample-apiserver/go.mod @@ -55,7 +55,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 // indirect + github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect diff --git a/staging/src/k8s.io/sample-apiserver/go.sum b/staging/src/k8s.io/sample-apiserver/go.sum index 22be54db2ca5c..958ca85e8f83e 100644 --- a/staging/src/k8s.io/sample-apiserver/go.sum +++ b/staging/src/k8s.io/sample-apiserver/go.sum @@ -158,11 +158,11 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU= -github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d h1:cxEFBp0kZlqTrwnOTg5aCWaGt60A4xiovQKpSdWg25M= +github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d/go.mod h1:l/3SegTa9x+ry2J213bh7+DBofXOOvdrqU4JC9ktJa0= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44 h1:dKUAGq29JBk2oRn955gnnz3sG/UhlkUKh1ISleLiews= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241008152707-25bf9f14db44/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 392d128c11177..0daa62d3096ef 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -507,6 +507,20 @@ type AWSPlatformStatus struct { // +listType=atomic // +optional ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"` + + // cloudLoadBalancerConfig holds configuration related to DNS and cloud + // load balancers. It allows configuration of in-cluster DNS as an alternative + // to the platform default DNS implementation. + // When using the ClusterHosted DNS type, Load Balancer IP addresses + // must be provided for the API and internal API load balancers as well as the + // ingress load balancer. + // + // +default={"dnsType": "PlatformDefault"} + // +kubebuilder:default={"dnsType": "PlatformDefault"} + // +openshift:enable:FeatureGate=AWSClusterHostedDNS + // +optional + // +nullable + CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"` } // AWSResourceTag is a tag to apply to AWS resources created for the cluster. @@ -647,12 +661,12 @@ type GCPPlatformStatus struct { // Tombstone the field as a reminder. // ClusterHostedDNS ClusterHostedDNS `json:"clusterHostedDNS,omitempty"` - // cloudLoadBalancerConfig is a union that contains the IP addresses of API, - // API-Int and Ingress Load Balancers created on the cloud platform. These - // values would not be populated on on-prem platforms. These Load Balancer - // IPs are used to configure the in-cluster DNS instances for API, API-Int - // and Ingress services. `dnsType` is expected to be set to `ClusterHosted` - // when these Load Balancer IP addresses are populated and used. + // cloudLoadBalancerConfig holds configuration related to DNS and cloud + // load balancers. It allows configuration of in-cluster DNS as an alternative + // to the platform default DNS implementation. + // When using the ClusterHosted DNS type, Load Balancer IP addresses + // must be provided for the API and internal API load balancers as well as the + // ingress load balancer. // // +default={"dnsType": "PlatformDefault"} // +kubebuilder:default={"dnsType": "PlatformDefault"} diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go index b3b1b62c4dfc9..a50328c91f6e9 100644 --- a/vendor/github.com/openshift/api/config/v1/types_node.go +++ b/vendor/github.com/openshift/api/config/v1/types_node.go @@ -46,6 +46,25 @@ type NodeSpec struct { // the status and corresponding reaction of the cluster // +optional WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"` + + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. + // Specifically, the apiserver will deny most authorization requests of kubelets that are older + // than the specified version, only allowing the kubelet to get and update its node object, and perform + // subjectaccessreviews. + // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + // and will eventually be marked as not ready. + // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + // the underlying kubernetes version this version of Openshift is based off of. + // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + // they should set the minimumKubeletVersion to 1.30.0. + // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" + // +kubebuilder:validation:MaxLength:=8 + // +openshift:enable:FeatureGate=MinimumKubeletVersion + // +optional + MinimumKubeletVersion string `json:"minimumKubeletVersion"` } type NodeStatus struct { diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 0693469984739..1b7fa44aad6da 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -245,6 +245,11 @@ func (in *AWSPlatformStatus) DeepCopyInto(out *AWSPlatformStatus) { *out = make([]AWSResourceTag, len(*in)) copy(*out, *in) } + if in.CloudLoadBalancerConfig != nil { + in, out := &in.CloudLoadBalancerConfig, &out.CloudLoadBalancerConfig + *out = new(CloudLoadBalancerConfig) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index fa5dd4e31d3e8..abfea5eaf0e36 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -310,6 +310,7 @@ infrastructures.config.openshift.io: Capability: "" Category: "" FeatureGates: + - AWSClusterHostedDNS - BareMetalLoadBalancer - GCPClusterHostedDNS - GCPLabelsTags @@ -382,7 +383,8 @@ nodes.config.openshift.io: CRDName: nodes.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - MinimumKubeletVersion FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index c580bd8342e44..145a7e4c041a1 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -1184,10 +1184,11 @@ func (AWSPlatformSpec) SwaggerDoc() map[string]string { } var map_AWSPlatformStatus = map[string]string{ - "": "AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.", - "region": "region holds the default AWS region for new AWS resources created by the cluster.", - "serviceEndpoints": "ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.", - "resourceTags": "resourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user.", + "": "AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.", + "region": "region holds the default AWS region for new AWS resources created by the cluster.", + "serviceEndpoints": "ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.", + "resourceTags": "resourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user.", + "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (AWSPlatformStatus) SwaggerDoc() map[string]string { @@ -1389,7 +1390,7 @@ var map_GCPPlatformStatus = map[string]string{ "region": "region holds the region for new GCP resources created for the cluster.", "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", - "cloudLoadBalancerConfig": "cloudLoadBalancerConfig is a union that contains the IP addresses of API, API-Int and Ingress Load Balancers created on the cloud platform. These values would not be populated on on-prem platforms. These Load Balancer IPs are used to configure the in-cluster DNS instances for API, API-Int and Ingress services. `dnsType` is expected to be set to `ClusterHosted` when these Load Balancer IP addresses are populated and used.", + "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -2087,8 +2088,9 @@ func (NodeList) SwaggerDoc() map[string]string { } var map_NodeSpec = map[string]string{ - "cgroupMode": "CgroupMode determines the cgroups version on the node", - "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", + "cgroupMode": "CgroupMode determines the cgroups version on the node", + "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (NodeSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index e3670f03e8990..14650fd48f4e1 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -41,6 +41,7 @@ type ClusterImagePolicySpec struct { // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 7031110ff1ead..a177ddb0d66bc 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -40,6 +40,7 @@ type ImagePolicySpec struct { // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 9da086efc56f1..55468f38dac6e 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -102,7 +102,7 @@ func (ClusterImagePolicyList) SwaggerDoc() map[string]string { var map_ClusterImagePolicySpec = map[string]string{ "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } @@ -151,7 +151,7 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 7f49623954327..0d1f0788e184b 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -40,6 +40,7 @@ var ( reportProblemsToJiraComponent("apiserver-auth"). contactPerson("stlaz"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -47,6 +48,7 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("benluddy"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3488"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -54,6 +56,7 @@ var ( reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade). mustRegister() @@ -61,6 +64,7 @@ var ( reportProblemsToJiraComponent("Networking / router"). contactPerson("miheer"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -68,6 +72,7 @@ var ( reportProblemsToJiraComponent("auth"). contactPerson("ibihim"). productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/899"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -75,6 +80,7 @@ var ( reportProblemsToJiraComponent("builds"). contactPerson("adkaplan"). productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1056"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -82,6 +88,7 @@ var ( reportProblemsToJiraComponent("builds"). contactPerson("adkaplan"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -89,6 +96,7 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("ehashman"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/2400"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -96,6 +104,7 @@ var ( reportProblemsToJiraComponent("openstack"). contactPerson("egarcia"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -103,6 +112,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -110,6 +120,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("jmesnil"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -117,6 +128,7 @@ var ( reportProblemsToJiraComponent("scheduling"). contactPerson("jchaloup"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -124,6 +136,7 @@ var ( reportProblemsToJiraComponent("cloud-credential-operator"). contactPerson("abutcher"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -131,6 +144,7 @@ var ( reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/961"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -138,12 +152,14 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("sairameshv"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3386"). mustRegister() FeatureGatePrivateHostedZoneAWS = newFeatureGate("PrivateHostedZoneAWS"). reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -151,6 +167,7 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("sgrunert"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -158,6 +175,7 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("bhb"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -165,6 +183,7 @@ var ( reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -172,6 +191,7 @@ var ( reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). contactPerson("mkowalsk"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -179,6 +199,7 @@ var ( reportProblemsToJiraComponent("splat"). contactPerson("vr4manta"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -186,6 +207,7 @@ var ( reportProblemsToJiraComponent("splat"). contactPerson("rvanderp3"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -193,6 +215,7 @@ var ( reportProblemsToJiraComponent("router"). contactPerson("thejasn"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -200,6 +223,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -207,6 +231,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -214,6 +239,7 @@ var ( reportProblemsToJiraComponent("Networking/cluster-network-operator"). contactPerson("jcaamano"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -221,6 +247,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("jcaamano"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -228,6 +255,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("pliu"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -235,6 +263,7 @@ var ( reportProblemsToJiraComponent("Networking/cluster-network-operator"). contactPerson("kyrtapz"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -242,6 +271,7 @@ var ( reportProblemsToJiraComponent("Networking"). contactPerson("npinaeva"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -249,6 +279,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -256,6 +287,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -263,6 +295,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -270,12 +303,14 @@ var ( reportProblemsToJiraComponent("ecoproject"). contactPerson("msluiter"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateDNSNameResolver = newFeatureGate("DNSNameResolver"). reportProblemsToJiraComponent("dns"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -283,6 +318,7 @@ var ( reportProblemsToJiraComponent("splat"). contactPerson("rvanderp3"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -290,6 +326,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("cdoern"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -297,19 +334,22 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("vincepri"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() - FeatureGateMetricsServer = newFeatureGate("MetricsServer"). - reportProblemsToJiraComponent("Monitoring"). - contactPerson("slashpai"). + FeatureGateGCPClusterHostedDNS = newFeatureGate("GCPClusterHostedDNS"). + reportProblemsToJiraComponent("Installer"). + contactPerson("barbacbd"). productScope(ocpSpecific). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateGCPClusterHostedDNS = newFeatureGate("GCPClusterHostedDNS"). + FeatureGateAWSClusterHostedDNS = newFeatureGate("AWSClusterHostedDNS"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -317,6 +357,7 @@ var ( reportProblemsToJiraComponent("NodeTuningOperator"). contactPerson("titzhak"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -324,6 +365,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("djoshy"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -331,6 +373,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("djoshy"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -338,6 +381,7 @@ var ( reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -345,6 +389,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("dkhater"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -352,6 +397,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("inesqyx"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -359,6 +405,7 @@ var ( reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("lmohanty"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -366,6 +413,7 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("dgrisonnet"). productScope(kubernetes). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -373,6 +421,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("jhernand"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -380,6 +429,7 @@ var ( reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("pmuller"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -387,13 +437,23 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("akashem"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4006"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass"). + reportProblemsToJiraComponent("Storage / Kubernetes External Components"). + contactPerson("dfajmon"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3751"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot"). reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("fbertina"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3476"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -401,6 +461,7 @@ var ( reportProblemsToJiraComponent("authentication"). contactPerson("liouk"). productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1596"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). enableForClusterProfile(Hypershift, configv1.Default, configv1.TechPreviewNoUpgrade). mustRegister() @@ -409,6 +470,7 @@ var ( reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -416,6 +478,7 @@ var ( reportProblemsToJiraComponent("olm"). contactPerson("joe"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -423,6 +486,7 @@ var ( reportProblemsToJiraComponent("olm"). contactPerson("joe"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -430,6 +494,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -437,6 +502,7 @@ var ( reportProblemsToJiraComponent("metal"). contactPerson("EmilienM"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -444,6 +510,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -451,6 +518,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("jerzhang"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -458,6 +526,7 @@ var ( reportProblemsToJiraComponent("Monitoring"). contactPerson("rexagod"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -465,6 +534,7 @@ var ( reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("rbednar"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -472,12 +542,14 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("cjschaef"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). reportProblemsToJiraComponent("Image Registry"). contactPerson("flavianmissi"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -485,12 +557,14 @@ var ( reportProblemsToJiraComponent("OCPCLOUD"). contactPerson("jspeed"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). reportProblemsToJiraComponent("CNV Network"). contactPerson("mduarted"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -498,6 +572,7 @@ var ( reportProblemsToJiraComponent("Monitoring"). contactPerson("marioferh"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -505,6 +580,7 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -512,12 +588,14 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP"). reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -525,6 +603,7 @@ var ( reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -532,6 +611,7 @@ var ( reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("fbertina"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -539,6 +619,7 @@ var ( reportProblemsToJiraComponent("Multi-Arch"). contactPerson("psundara"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -546,6 +627,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -553,6 +635,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -560,6 +643,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -567,6 +651,23 @@ var ( reportProblemsToJiraComponent("SPLAT"). contactPerson("rvanderp"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager"). + reportProblemsToJiraComponent("Networking/router"). + contactPerson("miciah"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion"). + reportProblemsToJiraComponent("Node"). + contactPerson("haircommander"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1697"). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/features/util.go b/vendor/github.com/openshift/api/features/util.go index d8d8e94a0e9e1..3fd55bcdfe701 100644 --- a/vendor/github.com/openshift/api/features/util.go +++ b/vendor/github.com/openshift/api/features/util.go @@ -3,6 +3,8 @@ package features import ( "fmt" configv1 "github.com/openshift/api/config/v1" + "net/url" + "strings" ) // FeatureGateDescription is a golang-only interface used to contains details for a feature gate. @@ -18,6 +20,8 @@ type FeatureGateDescription struct { ResponsiblePerson string // OwningProduct is the product that owns the lifecycle of the gate. OwningProduct OwningProduct + // EnhancementPR is the PR for the enhancement. + EnhancementPR string } type FeatureGateEnabledDisabled struct { @@ -45,10 +49,15 @@ type featureGateBuilder struct { owningJiraComponent string responsiblePerson string owningProduct OwningProduct + enhancementPRURL string statusByClusterProfileByFeatureSet map[ClusterProfileName]map[configv1.FeatureSet]bool } +const ( + legacyFeatureGateWithoutEnhancement = "FeatureGate predates 4.18" +) + // newFeatureGate featuregate are disabled in every FeatureSet and selectively enabled func newFeatureGate(name string) *featureGateBuilder { b := &featureGateBuilder{ @@ -80,6 +89,11 @@ func (b *featureGateBuilder) productScope(owningProduct OwningProduct) *featureG return b } +func (b *featureGateBuilder) enhancementPR(url string) *featureGateBuilder { + b.enhancementPRURL = url + return b +} + func (b *featureGateBuilder) enableIn(featureSets ...configv1.FeatureSet) *featureGateBuilder { for clusterProfile := range b.statusByClusterProfileByFeatureSet { for _, featureSet := range featureSets { @@ -109,6 +123,19 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) { if len(b.owningProduct) == 0 { return "", fmt.Errorf("missing owningProduct") } + _, enhancementPRErr := url.Parse(b.enhancementPRURL) + switch { + case b.enhancementPRURL == legacyFeatureGateWithoutEnhancement: + + case len(b.enhancementPRURL) == 0: + return "", fmt.Errorf("FeatureGate/%s is missing an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + + case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/"): + return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + + case enhancementPRErr != nil: + return "", fmt.Errorf("FeatureGate/%s is enhancementPR is invalid: %w", b.name, enhancementPRErr) + } featureGateName := configv1.FeatureGateName(b.name) description := FeatureGateDescription{ @@ -118,6 +145,7 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) { OwningJiraComponent: b.owningJiraComponent, ResponsiblePerson: b.responsiblePerson, OwningProduct: b.owningProduct, + EnhancementPR: b.enhancementPRURL, } // statusByClusterProfileByFeatureSet is initialized by constructor to be false for every combination diff --git a/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go b/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go index b9cdcc213b849..6d29f42e3fcd1 100644 --- a/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go +++ b/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go @@ -62,6 +62,25 @@ type KubeAPIServerConfig struct { // TODO this needs to be removed. APIServerArguments map[string]Arguments `json:"apiServerArguments"` + + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. + // Specifically, the apiserver will deny most authorization requests of kubelets that are older + // than the specified version, only allowing the kubelet to get and update its node object, and perform + // subjectaccessreviews. + // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + // and will eventually be marked as not ready. + // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + // the underlying kubernetes version this version of Openshift is based off of. + // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + // they should set the minimumKubeletVersion to 1.30.0. + // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" + // +kubebuilder:validation:MaxLength:=8 + // +openshift:enable:FeatureGate=MinimumKubeletVersion + // +optional + MinimumKubeletVersion string `json:"minimumKubeletVersion"` } // Arguments masks the value so protobuf can generate diff --git a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go index 906bb271b00b1..5ecdd05839262 100644 --- a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go @@ -33,6 +33,7 @@ var map_KubeAPIServerConfig = map[string]string{ "projectConfig": "projectConfig feeds an admission plugin", "serviceAccountPublicKeyFiles": "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", "oauthConfig": "oauthConfig, if present start the /oauth endpoint in this process", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (KubeAPIServerConfig) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/operator/v1/types.go b/vendor/github.com/openshift/api/operator/v1/types.go index eeb8afdc6d22e..f04b6846aee56 100644 --- a/vendor/github.com/openshift/api/operator/v1/types.go +++ b/vendor/github.com/openshift/api/operator/v1/types.go @@ -147,17 +147,27 @@ type GenerationStatus struct { // group is the group of the thing you're tracking // +kubebuilder:validation:Required Group string `json:"group"` + // resource is the resource type of the thing you're tracking // +kubebuilder:validation:Required Resource string `json:"resource"` + // namespace is where the thing you're tracking is // +kubebuilder:validation:Required Namespace string `json:"namespace"` + // name is the name of the thing you're tracking // +kubebuilder:validation:Required Name string `json:"name"` + + // TODO: Add validation for lastGeneration. The value for this field should generally increase, except when the associated + // resource has been deleted and re-created. To accurately validate this field, we should introduce a new UID field and only + // enforce an increasing value in lastGeneration when the UID remains unchanged. A change in the UID indicates that the resource + // was re-created, allowing the lastGeneration value to reset or decrease. + // lastGeneration is the last generation of the workload controller involved LastGeneration int64 `json:"lastGeneration"` + // hash is an optional field set for resources without generation that are content sensitive like secrets and configmaps Hash string `json:"hash"` } @@ -178,12 +188,34 @@ var ( // OperatorCondition is just the standard condition fields. type OperatorCondition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required // +kubebuilder:validation:Required - Type string `json:"type"` - Status ConditionStatus `json:"status"` - LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` - Reason string `json:"reason,omitempty"` - Message string `json:"message,omitempty"` + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type" protobuf:"bytes,1,opt,name=type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` + + Reason string `json:"reason,omitempty"` + + Message string `json:"message,omitempty"` } type ConditionStatus string diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index 7ae22ee0a7ce7..1f56643456491 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -392,6 +392,7 @@ type CIDR string // LoadBalancerStrategy holds parameters for a load balancer. // +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule="!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)",message="eipAllocations are forbidden when the scope is Internal." +// +kubebuilder:validation:XValidation:rule=`!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) || self.providerParameters.openstack.floatingIP == ""`,message="cannot specify a floating ip when scope is internal" type LoadBalancerStrategy struct { // scope indicates the scope at which the load balancer is exposed. // Possible values are "External" and "Internal". @@ -678,19 +679,28 @@ type IBMLoadBalancerParameters struct { // OpenStackLoadBalancerParameters provides configuration settings that are // specific to OpenStack load balancers. type OpenStackLoadBalancerParameters struct { - // loadBalancerIP specifies the floating IP address that the load balancer will use. + // loadBalancerIP is tombstoned since the field was replaced by floatingIP. + // LoadBalancerIP string `json:"loadBalancerIP,omitempty"` + + // floatingIP specifies the IP address that the load balancer will use. // When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + // When specified, the floating IP has to be pre-created. If the + // specified value is not a floating IP or is already claimed, the + // OpenStack cloud provider won't be able to provision the load + // balancer. + // This field may only be used if the IngressController has External scope. // This value must be a valid IPv4 or IPv6 address. // + --- - // + Note: this field is meant to be set by the ingress controller to populate the - // + `Service.Spec.LoadBalancerIP` field which has been deprecated in Kubernetes: + // + Note: this field is meant to be set by the ingress controller + // + to populate the `Service.Spec.LoadBalancerIP` field which has been + // + deprecated in Kubernetes: // + https://github.com/kubernetes/kubernetes/pull/107235 // + However, the field is still used by cloud-provider-openstack to reconcile - // + the floating IP that we attach to the load balancer. + // + the floating IP that we attach to the external load balancer. // - // +kubebuilder:validation:XValidation:rule="isIP(self)",message="loadBalancerIP must be a valid IPv4 or IPv6 address" + // +kubebuilder:validation:XValidation:rule="isIP(self)",message="floatingIP must be a valid IPv4 or IPv6 address" // +optional - LoadBalancerIP string `json:"loadBalancerIP,omitempty"` + FloatingIP string `json:"floatingIP,omitempty"` } // AWSClassicLoadBalancerParameters holds configuration parameters for an diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index a3a78a89b7c78..03d9e16edbb9c 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -52,7 +52,10 @@ func (NodeStatus) SwaggerDoc() map[string]string { } var map_OperatorCondition = map[string]string{ - "": "OperatorCondition is just the standard condition fields.", + "": "OperatorCondition is just the standard condition fields.", + "type": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "status": "status of the condition, one of True, False, Unknown.", + "lastTransitionTime": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", } func (OperatorCondition) SwaggerDoc() map[string]string { @@ -1122,8 +1125,8 @@ func (NodePortStrategy) SwaggerDoc() map[string]string { } var map_OpenStackLoadBalancerParameters = map[string]string{ - "": "OpenStackLoadBalancerParameters provides configuration settings that are specific to OpenStack load balancers.", - "loadBalancerIP": "loadBalancerIP specifies the floating IP address that the load balancer will use. When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. This value must be a valid IPv4 or IPv6 address. ", + "": "OpenStackLoadBalancerParameters provides configuration settings that are specific to OpenStack load balancers.", + "floatingIP": "floatingIP specifies the IP address that the load balancer will use. When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. When specified, the floating IP has to be pre-created. If the specified value is not a floating IP or is already claimed, the OpenStack cloud provider won't be able to provision the load balancer. This field may only be used if the IngressController has External scope. This value must be a valid IPv4 or IPv6 address. ", } func (OpenStackLoadBalancerParameters) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/library-go/pkg/apiserver/node/minimum_kubelet_version.go b/vendor/github.com/openshift/library-go/pkg/apiserver/node/minimum_kubelet_version.go new file mode 100644 index 0000000000000..208adb815a464 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/apiserver/node/minimum_kubelet_version.go @@ -0,0 +1,80 @@ +package node + +import ( + "fmt" + "strings" + + "github.com/blang/semver/v4" + + corev1 "k8s.io/api/core/v1" +) + +// An error to be returned when kubelet version is lower than specified minimum kubelet version. +// Used to differentiate between a parsing failure, and a failure because the kubelet is out of date. +var ErrKubeletOutdated = fmt.Errorf("kubelet version is outdated") + +// ValidateMinimumKubeletVersion takes a list of nodes and a currently set min version. +// It parses the min version and iterates through the nodes, comparing the version of the kubelets +// to the min version. +// It will error if any nodes are older than the min version. +func ValidateMinimumKubeletVersion(nodes []*corev1.Node, minimumKubeletVersion string) error { + // unset, no error + if minimumKubeletVersion == "" { + return nil + } + + version, err := semver.Parse(minimumKubeletVersion) + if err != nil { + return fmt.Errorf("failed to parse submitted version %s %v", minimumKubeletVersion, err.Error()) + } + + for _, node := range nodes { + if err := IsNodeTooOld(node, &version); err != nil { + return err + } + } + return nil +} + +// IsNodeTooOld answers that very question. It takes a node object and a minVersion, +// parses each into a semver version, and then determines whether the version of the kubelet on the +// node is older than min version. +// When the node is too old, it returns the error ErrKubeletOutdated. If a different error occurs, an error is returned. +// If the node is new enough and no error happens, nil is returned. +func IsNodeTooOld(node *corev1.Node, minVersion *semver.Version) error { + return IsKubeletVersionTooOld(node.Status.NodeInfo.KubeletVersion, minVersion) +} + +// IsKubeletVerisionTooOld answers that very question. It takes a kubelet version and a minVersion, +// parses each into a semver version, and then determines whether the version of the kubelet on the +// node is older than min version. +// It will fail if the minVersion is nil, if the kubeletVersion is invalid, or if the minVersion is greater than +// the kubeletVersion +// When the kubelet is too old, it returns the error ErrKubeletOutdated. If a different error occurs, an error is returned. +// If the node is new enough and no error happens, nil is returned. +func IsKubeletVersionTooOld(kubeletVersion string, minVersion *semver.Version) error { + if minVersion == nil { + return fmt.Errorf("given minimum version is nil") + } + version, err := ParseKubeletVersion(kubeletVersion) + if err != nil { + return fmt.Errorf("failed to parse node version %s: %v", kubeletVersion, err) + } + if minVersion.GT(*version) { + return fmt.Errorf("%w: kubelet version is %v, which is lower than minimumKubeletVersion of %v", ErrKubeletOutdated, *version, *minVersion) + } + return nil +} + +// ParseKubeletVersion parses it into a semver.Version object, stripping +// any information in the version that isn't "major.minor.patch". +func ParseKubeletVersion(kubeletVersion string) (*semver.Version, error) { + version, err := semver.Parse(strings.TrimPrefix(kubeletVersion, "v")) + if err != nil { + return nil, err + } + + version.Pre = nil + version.Build = nil + return &version, nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 0387d146e09ac..3bcb98ac38b90 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -553,7 +553,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests github.com/openshift-eng/openshift-tests-extension/pkg/flags github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f +# github.com/openshift/api v0.0.0-20241101202457-04eb3fd119d2 ## explicit; go 1.22.0 github.com/openshift/api/apiserver/v1 github.com/openshift/api/apps/v1 @@ -748,12 +748,13 @@ github.com/openshift/client-go/user/informers/externalversions/internalinterface github.com/openshift/client-go/user/informers/externalversions/user github.com/openshift/client-go/user/informers/externalversions/user/v1 github.com/openshift/client-go/user/listers/user/v1 -# github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 +# github.com/openshift/library-go v0.0.0-20241122090744-c450187f381d ## explicit; go 1.22.0 github.com/openshift/library-go/pkg/apiserver/admission/admissionregistrationtesting github.com/openshift/library-go/pkg/apiserver/admission/admissionrestconfig github.com/openshift/library-go/pkg/apiserver/admission/admissiontimeout github.com/openshift/library-go/pkg/apiserver/apiserverconfig +github.com/openshift/library-go/pkg/apiserver/node github.com/openshift/library-go/pkg/authorization/authorizationutil github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer github.com/openshift/library-go/pkg/authorization/scopemetadata From 590e4dce050ccbc42af69a70a337726e20cec37e Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Fri, 4 Oct 2024 14:53:39 -0400 Subject: [PATCH 3/7] UPSTREAM: : authorization: add minimumkubeletversion package MinimumKubeletVersion is a way for an admin to declare that nodes any older than the minimum version cannot authorize with the apiserver. This effectively prevents them from joining. Doing so means the apiservers can trust newer features are usable on clusters with version skews Signed-off-by: Peter Hunt --- cmd/kube-apiserver/app/config.go | 15 ++ .../minimum_kubelet_version.go | 92 +++++++++ .../minimum_kubelet_version_test.go | 194 ++++++++++++++++++ 3 files changed, 301 insertions(+) create mode 100644 openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go create mode 100644 openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version_test.go diff --git a/cmd/kube-apiserver/app/config.go b/cmd/kube-apiserver/app/config.go index 7f03d42f9d8e1..f1272dbdcf702 100644 --- a/cmd/kube-apiserver/app/config.go +++ b/cmd/kube-apiserver/app/config.go @@ -23,8 +23,12 @@ import ( aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver" aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme" + "k8s.io/apiserver/pkg/authorization/union" "k8s.io/kubernetes/cmd/kube-apiserver/app/options" + "k8s.io/kubernetes/openshift-kube-apiserver/authorization/minimumkubeletversion" + "k8s.io/kubernetes/openshift-kube-apiserver/enablement" "k8s.io/kubernetes/pkg/api/legacyscheme" + "k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/controlplane" controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver" generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi" @@ -86,6 +90,17 @@ func NewConfig(opts options.CompletedOptions) (*Config, error) { return nil, err } + if ocfg := enablement.OpenshiftConfig(); ocfg != nil { + // Add MinimumKubeletVerison authorizer, to block a node from being able to access most resources if it's not new enough. + // We must do so here instead of in pkg/apiserver because it relies on a node informer, which is not present in generic control planes. + genericConfig.Authorization.Authorizer = union.New(genericConfig.Authorization.Authorizer, minimumkubeletversion.NewMinimumKubeletVersion( + ocfg.MinimumKubeletVersion, + nodeidentifier.NewDefaultNodeIdentifier(), + versionedInformers.Core().V1().Nodes().Informer(), + versionedInformers.Core().V1().Nodes().Lister(), + )) + } + kubeAPIs, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(opts, genericConfig, versionedInformers, storageFactory) if err != nil { return nil, err diff --git a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go new file mode 100644 index 0000000000000..3aecfdb2c7798 --- /dev/null +++ b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go @@ -0,0 +1,92 @@ +package minimumkubeletversion + +import ( + "context" + "fmt" + + "github.com/blang/semver/v4" + nodelib "github.com/openshift/library-go/pkg/apiserver/node" + authorizationv1 "k8s.io/api/authorization/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apiserver/pkg/authorization/authorizer" + v1listers "k8s.io/client-go/listers/core/v1" + cache "k8s.io/client-go/tools/cache" + api "k8s.io/kubernetes/pkg/apis/core" + "k8s.io/kubernetes/pkg/auth/nodeidentifier" +) + +type minimumKubeletVersionAuth struct { + nodeIdentifier nodeidentifier.NodeIdentifier + nodeInformer cache.SharedIndexInformer + nodeLister v1listers.NodeLister + minVersion *semver.Version + hasNodeInformerSyncedFn func() bool // factored for unit tests +} + +// Creates a new minimumKubeletVersionAuth object, which is an authorizer that checks +// whether nodes are new enough to be authorized. +func NewMinimumKubeletVersion(minVersionStr string, + nodeIdentifier nodeidentifier.NodeIdentifier, + nodeInformer cache.SharedIndexInformer, + nodeLister v1listers.NodeLister, +) *minimumKubeletVersionAuth { + var minVersionPtr *semver.Version + if len(minVersionStr) != 0 { + v := semver.MustParse(minVersionStr) + minVersionPtr = &v + } + + return &minimumKubeletVersionAuth{ + nodeIdentifier: nodeIdentifier, + nodeInformer: nodeInformer, + nodeLister: nodeLister, + hasNodeInformerSyncedFn: nodeInformer.HasSynced, + minVersion: minVersionPtr, + } +} + +func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) { + if m.minVersion == nil { + return authorizer.DecisionNoOpinion, "", nil + } + + nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser()) + if !isNode { + // ignore requests from non-nodes + return authorizer.DecisionNoOpinion, "", nil + } + + if len(nodeName) == 0 { + return authorizer.DecisionNoOpinion, fmt.Sprintf("unknown node for user %q", attrs.GetUser().GetName()), nil + } + + // Short-circut if "subjectaccessreviews", or a "get" or "update" on the node object. + // Regardless of kubelet version, it should be allowed to do these things. + if attrs.IsResourceRequest() { + requestResource := schema.GroupResource{Group: attrs.GetAPIGroup(), Resource: attrs.GetResource()} + switch requestResource { + case api.Resource("nodes"): + if v := attrs.GetVerb(); v == "get" || v == "update" { + return authorizer.DecisionNoOpinion, "", nil + } + // TODO(haircommander): do we need other flavors of access reviews here? + case authorizationv1.Resource("subjectaccessreviews"): + return authorizer.DecisionNoOpinion, "", nil + } + } + + if !m.hasNodeInformerSyncedFn() { + return authorizer.DecisionNoOpinion, fmt.Sprintf("node informer not synced, cannot check if node %s is new enough", nodeName), nil + } + + node, err := m.nodeLister.Get(nodeName) + if err != nil { + return authorizer.DecisionNoOpinion, fmt.Sprintf("failed to get node %s: %v", nodeName, err), nil + } + + if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil { + return authorizer.DecisionDeny, err.Error(), nil + } + + return authorizer.DecisionNoOpinion, "", nil +} diff --git a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version_test.go b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version_test.go new file mode 100644 index 0000000000000..d33edb1e5daef --- /dev/null +++ b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version_test.go @@ -0,0 +1,194 @@ +package minimumkubeletversion + +import ( + "context" + "strings" + "testing" + + "github.com/blang/semver/v4" + authorizationv1 "k8s.io/api/authorization/v1" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apiserver/pkg/authentication/user" + kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes/fake" + "k8s.io/kubernetes/pkg/auth/nodeidentifier" + "k8s.io/kubernetes/pkg/controller" +) + +func TestAuthorize(t *testing.T) { + nodeUser := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}} + + testCases := []struct { + name string + minVersion string + attributes kauthorizer.AttributesRecord + expectedAllowed kauthorizer.Decision + expectedErr string + expectedMsg string + node *v1.Node + }{ + { + name: "no version", + minVersion: "", + expectedAllowed: kauthorizer.DecisionNoOpinion, + expectedErr: "", + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "name"}}, + }, + { + name: "user not a node", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: &user.DefaultInfo{Name: "name"}, + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}}, + }, + { + name: "skips if subjectaccessreviews", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + Resource: "subjectaccessreviews", + APIGroup: authorizationv1.GroupName, + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}}, + }, + { + name: "skips if get node", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + Resource: "nodes", + Verb: "get", + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}}, + }, + { + name: "skips if update nodes", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + Resource: "nodes", + Verb: "update", + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}}, + }, + { + name: "fail if update node not found", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + expectedMsg: `failed to get node node0: node "node0" not found`, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node1"}}, + }, + { + name: "skip if bogus kubelet version", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + }, + expectedAllowed: kauthorizer.DecisionDeny, + expectedMsg: `failed to parse node version bogus: No Major.Minor.Patch elements found`, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "bogus", + }, + }}, + }, + { + name: "deny if too low version", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + }, + expectedAllowed: kauthorizer.DecisionDeny, + expectedMsg: `kubelet version is outdated: kubelet version is 1.29.8, which is lower than minimumKubeletVersion of 1.30.0`, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "v1.29.8-20+15d27f9ba1c119", + }, + }}, + }, + { + name: "accept if high enough version", + minVersion: "1.30.0", + attributes: kauthorizer.AttributesRecord{ + ResourceRequest: true, + Namespace: "ns", + User: nodeUser, + }, + expectedAllowed: kauthorizer.DecisionNoOpinion, + node: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node0"}, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30.0", + }, + }}, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + fakeInformerFactory := informers.NewSharedInformerFactory(&fake.Clientset{}, controller.NoResyncPeriodFunc()) + fakeNodeInformer := fakeInformerFactory.Core().V1().Nodes() + fakeNodeInformer.Informer().GetStore().Add(tc.node) + var minVersion *semver.Version + if tc.minVersion != "" { + v := semver.MustParse(tc.minVersion) + minVersion = &v + } + + authorizer := &minimumKubeletVersionAuth{ + nodeIdentifier: nodeidentifier.NewDefaultNodeIdentifier(), + nodeInformer: fakeNodeInformer.Informer(), + nodeLister: fakeNodeInformer.Lister(), + minVersion: minVersion, + hasNodeInformerSyncedFn: func() bool { + return true + }, + } + + actualAllowed, actualMsg, actualErr := authorizer.Authorize(context.TODO(), tc.attributes) + switch { + case len(tc.expectedErr) == 0 && actualErr == nil: + case len(tc.expectedErr) == 0 && actualErr != nil: + t.Errorf("%s: unexpected error: %v", tc.name, actualErr) + case len(tc.expectedErr) != 0 && actualErr == nil: + t.Errorf("%s: missing error: %v", tc.name, tc.expectedErr) + case len(tc.expectedErr) != 0 && actualErr != nil: + if !strings.Contains(actualErr.Error(), tc.expectedErr) { + t.Errorf("expected %v, got %v", tc.expectedErr, actualErr) + } + } + if tc.expectedMsg != actualMsg { + t.Errorf("expected %v, got %v", tc.expectedMsg, actualMsg) + } + if tc.expectedAllowed != actualAllowed { + t.Errorf("expected %v, got %v", tc.expectedAllowed, actualAllowed) + } + }) + } +} From 2fef0685876444859c9e4fd35ae353e17904a7ef Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Mon, 25 Nov 2024 11:44:55 -0500 Subject: [PATCH 4/7] UPSTREAM: authorizer: move mininum kubelet version authorizer to pkg/kubeapiserver and add authorization mode this does require a line of code be moved from the enablement package to stop a cyclical import Signed-off-by: Peter Hunt --- cmd/kube-apiserver/app/config.go | 15 ------- .../minimum_kubelet_version.go | 13 +++--- .../enablement/intialization.go | 5 +++ pkg/kubeapiserver/authorizer/modes/patch.go | 3 +- pkg/kubeapiserver/authorizer/patch.go | 43 +++++++++++++++++++ pkg/kubeapiserver/authorizer/reload.go | 11 +++++ 6 files changed, 68 insertions(+), 22 deletions(-) diff --git a/cmd/kube-apiserver/app/config.go b/cmd/kube-apiserver/app/config.go index f1272dbdcf702..7f03d42f9d8e1 100644 --- a/cmd/kube-apiserver/app/config.go +++ b/cmd/kube-apiserver/app/config.go @@ -23,12 +23,8 @@ import ( aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver" aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme" - "k8s.io/apiserver/pkg/authorization/union" "k8s.io/kubernetes/cmd/kube-apiserver/app/options" - "k8s.io/kubernetes/openshift-kube-apiserver/authorization/minimumkubeletversion" - "k8s.io/kubernetes/openshift-kube-apiserver/enablement" "k8s.io/kubernetes/pkg/api/legacyscheme" - "k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/controlplane" controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver" generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi" @@ -90,17 +86,6 @@ func NewConfig(opts options.CompletedOptions) (*Config, error) { return nil, err } - if ocfg := enablement.OpenshiftConfig(); ocfg != nil { - // Add MinimumKubeletVerison authorizer, to block a node from being able to access most resources if it's not new enough. - // We must do so here instead of in pkg/apiserver because it relies on a node informer, which is not present in generic control planes. - genericConfig.Authorization.Authorizer = union.New(genericConfig.Authorization.Authorizer, minimumkubeletversion.NewMinimumKubeletVersion( - ocfg.MinimumKubeletVersion, - nodeidentifier.NewDefaultNodeIdentifier(), - versionedInformers.Core().V1().Nodes().Informer(), - versionedInformers.Core().V1().Nodes().Lister(), - )) - } - kubeAPIs, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(opts, genericConfig, versionedInformers, storageFactory) if err != nil { return nil, err diff --git a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go index 3aecfdb2c7798..7db15dac39828 100644 --- a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go +++ b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go @@ -5,12 +5,15 @@ import ( "fmt" "github.com/blang/semver/v4" + openshiftfeatures "github.com/openshift/api/features" nodelib "github.com/openshift/library-go/pkg/apiserver/node" authorizationv1 "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/authorization/authorizer" + "k8s.io/apiserver/pkg/util/feature" v1listers "k8s.io/client-go/listers/core/v1" cache "k8s.io/client-go/tools/cache" + "k8s.io/component-base/featuregate" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/auth/nodeidentifier" ) @@ -25,15 +28,13 @@ type minimumKubeletVersionAuth struct { // Creates a new minimumKubeletVersionAuth object, which is an authorizer that checks // whether nodes are new enough to be authorized. -func NewMinimumKubeletVersion(minVersionStr string, +func NewMinimumKubeletVersion(minVersion *semver.Version, nodeIdentifier nodeidentifier.NodeIdentifier, nodeInformer cache.SharedIndexInformer, nodeLister v1listers.NodeLister, ) *minimumKubeletVersionAuth { - var minVersionPtr *semver.Version - if len(minVersionStr) != 0 { - v := semver.MustParse(minVersionStr) - minVersionPtr = &v + if !feature.DefaultMutableFeatureGate.Enabled(featuregate.Feature(openshiftfeatures.FeatureGateMinimumKubeletVersion)) { + minVersion = nil } return &minimumKubeletVersionAuth{ @@ -41,7 +42,7 @@ func NewMinimumKubeletVersion(minVersionStr string, nodeInformer: nodeInformer, nodeLister: nodeLister, hasNodeInformerSyncedFn: nodeInformer.HasSynced, - minVersion: minVersionPtr, + minVersion: minVersion, } } diff --git a/openshift-kube-apiserver/enablement/intialization.go b/openshift-kube-apiserver/enablement/intialization.go index 52794bec4b645..3aff4daf24c92 100644 --- a/openshift-kube-apiserver/enablement/intialization.go +++ b/openshift-kube-apiserver/enablement/intialization.go @@ -87,6 +87,11 @@ func ForceGlobalInitializationForOpenShift() { // we need to have the authorization chain place something before system:masters // SkipSystemMastersAuthorizer disable implicitly added system/master authz, and turn it into another authz mode "SystemMasters", to be added via authorization-mode authorizer.SkipSystemMastersAuthorizer() + + // Set the minimum kubelet version + // If the OpenshiftConfig wasn't configured by this point, it's a programming error, + // and this should panic. + authorizer.SetMinimumKubeletVersion(OpenshiftConfig().MinimumKubeletVersion) } var SCCAdmissionPlugin = sccadmission.NewConstraint() diff --git a/pkg/kubeapiserver/authorizer/modes/patch.go b/pkg/kubeapiserver/authorizer/modes/patch.go index bc892601ebe6f..830982e5b7145 100644 --- a/pkg/kubeapiserver/authorizer/modes/patch.go +++ b/pkg/kubeapiserver/authorizer/modes/patch.go @@ -2,7 +2,8 @@ package modes var ModeScope = "Scope" var ModeSystemMasters = "SystemMasters" +var ModeMinimumKubeletVersion = "MinimumKubeletVersion" func init() { - AuthorizationModeChoices = append(AuthorizationModeChoices, ModeScope, ModeSystemMasters) + AuthorizationModeChoices = append(AuthorizationModeChoices, ModeScope, ModeSystemMasters, ModeMinimumKubeletVersion) } diff --git a/pkg/kubeapiserver/authorizer/patch.go b/pkg/kubeapiserver/authorizer/patch.go index 8a095efcf98d5..42ec2fca10705 100644 --- a/pkg/kubeapiserver/authorizer/patch.go +++ b/pkg/kubeapiserver/authorizer/patch.go @@ -1,8 +1,51 @@ package authorizer +import ( + "sync" + + "github.com/blang/semver/v4" +) + var skipSystemMastersAuthorizer = false // SkipSystemMastersAuthorizer disable implicitly added system/master authz, and turn it into another authz mode "SystemMasters", to be added via authorization-mode func SkipSystemMastersAuthorizer() { skipSystemMastersAuthorizer = true } + +var ( + minimumKubeletVersion *semver.Version + versionLock sync.Mutex + versionSet bool +) + +// GetMinimumKubeletVersion retrieves the set global minimum kubelet version in a safe way. +// It ensures it is only retrieved once, and is set before it's retrieved. +// The global value should only be gotten through this function. +// It is valid for the version to be unset. It will be treated the same as explicitly setting version to "". +// This function (and the corresponding functions/variables) are added to avoid a import cycle between the +// ./openshift-kube-apiserver/enablement and ./pkg/kubeapiserver/authorizer packages +func GetMinimumKubeletVersion() *semver.Version { + versionLock.Lock() + defer versionLock.Unlock() + return minimumKubeletVersion +} + +// SetMinimumKubeletVersion sets the global minimum kubelet version in a safe way. +// It ensures it is only set once, and the passed version is valid. +// If will panic on any error. +// The global value should only be set through this function. +// Passing an empty string for version is valid, and means there is no minimum version. +func SetMinimumKubeletVersion(version string) { + versionLock.Lock() + defer versionLock.Unlock() + if versionSet { + panic("coding error: MinimumKubeletVersion already set") + } + versionSet = true + if len(version) == 0 { + return + } + v := semver.MustParse(version) + minimumKubeletVersion = &v +} diff --git a/pkg/kubeapiserver/authorizer/reload.go b/pkg/kubeapiserver/authorizer/reload.go index 575fba1b48696..a30f48a0955b5 100644 --- a/pkg/kubeapiserver/authorizer/reload.go +++ b/pkg/kubeapiserver/authorizer/reload.go @@ -28,6 +28,7 @@ import ( "time" "k8s.io/kubernetes/openshift-kube-apiserver/authorization/browsersafe" + "k8s.io/kubernetes/openshift-kube-apiserver/authorization/minimumkubeletversion" "k8s.io/apimachinery/pkg/util/sets" authzconfig "k8s.io/apiserver/pkg/apis/apiserver" @@ -43,6 +44,7 @@ import ( webhookmetrics "k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics" "k8s.io/klog/v2" "k8s.io/kubernetes/pkg/auth/authorizer/abac" + "k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/util/filesystem" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node" @@ -173,6 +175,15 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut case authzconfig.AuthorizerType(modes.ModeSystemMasters): // no browsersafeauthorizer here becase that rewrites the resources. This authorizer matches no matter which resource matches. authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)) + case authzconfig.AuthorizerType(modes.ModeMinimumKubeletVersion): + // Add MinimumKubeletVerison authorizer, to block a node from being able to access most resources if it's not new enough. + // We must do so here instead of in pkg/apiserver because it relies on a node informer, which is not present in generic control planes. + authorizers = append(authorizers, minimumkubeletversion.NewMinimumKubeletVersion( + GetMinimumKubeletVersion(), + nodeidentifier.NewDefaultNodeIdentifier(), + r.initialConfig.VersionedInformerFactory.Core().V1().Nodes().Informer(), + r.initialConfig.VersionedInformerFactory.Core().V1().Nodes().Lister(), + )) default: return nil, nil, fmt.Errorf("unknown authorization mode %s specified", configuredAuthorizer.Type) } From d15e00ec124853bfd61dbc361de18efc416bf2d5 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Thu, 17 Oct 2024 13:15:00 -0400 Subject: [PATCH 5/7] UPSTREAM: : crdvalidation: move latency profile file to be agnostic of field Signed-off-by: Peter Hunt --- ..._extreme_worker_latency_profile.go => validate_node_config.go} | 0 ...orker_latency_profile_test.go => validate_node_config_test.go} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename openshift-kube-apiserver/admission/customresourcevalidation/node/{restrict_extreme_worker_latency_profile.go => validate_node_config.go} (100%) rename openshift-kube-apiserver/admission/customresourcevalidation/node/{restrict_extreme_worker_latency_profile_test.go => validate_node_config_test.go} (100%) diff --git a/openshift-kube-apiserver/admission/customresourcevalidation/node/restrict_extreme_worker_latency_profile.go b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go similarity index 100% rename from openshift-kube-apiserver/admission/customresourcevalidation/node/restrict_extreme_worker_latency_profile.go rename to openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go diff --git a/openshift-kube-apiserver/admission/customresourcevalidation/node/restrict_extreme_worker_latency_profile_test.go b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go similarity index 100% rename from openshift-kube-apiserver/admission/customresourcevalidation/node/restrict_extreme_worker_latency_profile_test.go rename to openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go From 3008df5b0bc6571dda93fea8d6b3bcf141513abe Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Thu, 17 Oct 2024 13:15:50 -0400 Subject: [PATCH 6/7] UPSTREAM: : admission: validate minimumKubeletVersion Signed-off-by: Peter Hunt --- .../node/validate_node_config.go | 102 +++++++- .../node/validate_node_config_test.go | 219 ++++++++++++++++++ 2 files changed, 312 insertions(+), 9 deletions(-) diff --git a/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go index b4b63914f8d71..0c261472f28b9 100644 --- a/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go +++ b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config.go @@ -2,16 +2,25 @@ package node import ( "context" + "errors" "fmt" "io" + configv1 "github.com/openshift/api/config/v1" + nodelib "github.com/openshift/library-go/pkg/apiserver/node" + + openshiftfeatures "github.com/openshift/api/features" "k8s.io/apimachinery/pkg/api/validation" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/admission" - - configv1 "github.com/openshift/api/config/v1" + "k8s.io/apiserver/pkg/admission/initializer" + "k8s.io/apiserver/pkg/util/feature" + "k8s.io/client-go/informers" + corev1listers "k8s.io/client-go/listers/core/v1" + "k8s.io/component-base/featuregate" "k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation" ) @@ -25,18 +34,28 @@ var rejectionScenarios = []struct { {fromProfile: configv1.LowUpdateSlowReaction, toProfile: configv1.DefaultUpdateDefaultReaction}, } -const PluginName = "config.openshift.io/RestrictExtremeWorkerLatencyProfile" +const PluginName = "config.openshift.io/ValidateConfigNodeV1" // Register registers a plugin func Register(plugins *admission.Plugins) { plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) { - return customresourcevalidation.NewValidator( + ret := &validateCustomResourceWithNodeLister{} + delegate, err := customresourcevalidation.NewValidator( map[schema.GroupResource]bool{ configv1.Resource("nodes"): true, }, map[schema.GroupVersionKind]customresourcevalidation.ObjectValidator{ - configv1.GroupVersion.WithKind("Node"): configNodeV1{}, + configv1.GroupVersion.WithKind("Node"): &configNodeV1{ + nodeLister: ret.getNodeLister, + waitForReady: ret.getWaitForReady, + minimumKubeletVersionEnabled: feature.DefaultMutableFeatureGate.Enabled(featuregate.Feature(openshiftfeatures.FeatureGateMinimumKubeletVersion)), + }, }) + if err != nil { + return nil, err + } + ret.ValidationInterface = delegate + return ret, nil }) } @@ -57,7 +76,13 @@ func toConfigNodeV1(uncastObj runtime.Object) (*configv1.Node, field.ErrorList) return obj, nil } -type configNodeV1 struct{} +type configNodeV1 struct { + admission.ValidationInterface + + nodeLister func() corev1listers.NodeLister + waitForReady func() func() bool + minimumKubeletVersionEnabled bool +} func validateConfigNodeForExtremeLatencyProfile(obj, oldObj *configv1.Node) *field.Error { fromProfile := oldObj.Spec.WorkerLatencyProfile @@ -78,18 +103,21 @@ func validateConfigNodeForExtremeLatencyProfile(obj, oldObj *configv1.Node) *fie return nil } -func (configNodeV1) ValidateCreate(_ context.Context, uncastObj runtime.Object) field.ErrorList { +func (c *configNodeV1) ValidateCreate(_ context.Context, uncastObj runtime.Object) field.ErrorList { obj, allErrs := toConfigNodeV1(uncastObj) if len(allErrs) > 0 { return allErrs } allErrs = append(allErrs, validation.ValidateObjectMeta(&obj.ObjectMeta, false, customresourcevalidation.RequireNameCluster, field.NewPath("metadata"))...) + if err := c.validateMinimumKubeletVersion(obj); err != nil { + allErrs = append(allErrs, err) + } return allErrs } -func (configNodeV1) ValidateUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList { +func (c *configNodeV1) ValidateUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList { obj, allErrs := toConfigNodeV1(uncastObj) if len(allErrs) > 0 { return allErrs @@ -103,11 +131,36 @@ func (configNodeV1) ValidateUpdate(_ context.Context, uncastObj runtime.Object, if err := validateConfigNodeForExtremeLatencyProfile(obj, oldObj); err != nil { allErrs = append(allErrs, err) } + if err := c.validateMinimumKubeletVersion(obj); err != nil { + allErrs = append(allErrs, err) + } return allErrs } +func (c *configNodeV1) validateMinimumKubeletVersion(obj *configv1.Node) *field.Error { + if !c.minimumKubeletVersionEnabled { + return nil + } + fieldPath := field.NewPath("spec", "minimumKubeletVersion") + if !c.waitForReady()() { + return field.InternalError(fieldPath, fmt.Errorf("caches not synchronized, cannot validate minimumKubeletVersion")) + } -func (configNodeV1) ValidateStatusUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList { + nodes, err := c.nodeLister().List(labels.Everything()) + if err != nil { + return field.Forbidden(fieldPath, fmt.Sprintf("Getting nodes to compare minimum version %v", err.Error())) + } + + if err := nodelib.ValidateMinimumKubeletVersion(nodes, obj.Spec.MinimumKubeletVersion); err != nil { + if errors.Is(err, nodelib.ErrKubeletOutdated) { + return field.Forbidden(fieldPath, err.Error()) + } + return field.Invalid(fieldPath, obj.Spec.MinimumKubeletVersion, err.Error()) + } + return nil +} + +func (*configNodeV1) ValidateStatusUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList { obj, errs := toConfigNodeV1(uncastObj) if len(errs) > 0 { return errs @@ -122,3 +175,34 @@ func (configNodeV1) ValidateStatusUpdate(_ context.Context, uncastObj runtime.Ob return errs } + +type validateCustomResourceWithNodeLister struct { + nodeLister corev1listers.NodeLister + + handler admission.Handler + admission.ValidationInterface +} + +var _ = initializer.WantsExternalKubeInformerFactory(&validateCustomResourceWithNodeLister{}) + +func (c *validateCustomResourceWithNodeLister) SetExternalKubeInformerFactory(kubeInformers informers.SharedInformerFactory) { + nodeInformer := kubeInformers.Core().V1().Nodes() + c.nodeLister = nodeInformer.Lister() + c.handler.SetReadyFunc(nodeInformer.Informer().HasSynced) +} + +func (c *validateCustomResourceWithNodeLister) ValidateInitialization() error { + if c.nodeLister == nil { + return fmt.Errorf("%s needs a nodes", PluginName) + } + + return nil +} + +func (c *validateCustomResourceWithNodeLister) getNodeLister() corev1listers.NodeLister { + return c.nodeLister +} + +func (c *validateCustomResourceWithNodeLister) getWaitForReady() func() bool { + return c.handler.WaitForReady +} diff --git a/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go index b22c6a2da90a1..6af84972eb862 100644 --- a/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go +++ b/openshift-kube-apiserver/admission/customresourcevalidation/node/validate_node_config_test.go @@ -7,6 +7,11 @@ import ( "github.com/stretchr/testify/assert" configv1 "github.com/openshift/api/config/v1" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" + corev1listers "k8s.io/client-go/listers/core/v1" + "k8s.io/client-go/tools/cache" ) func TestValidateConfigNodeForExtremeLatencyProfile(t *testing.T) { @@ -66,3 +71,217 @@ func TestValidateConfigNodeForExtremeLatencyProfile(t *testing.T) { }) } } + +func TestValidateConfigNodeForMinimumKubeletVersion(t *testing.T) { + testCases := []struct { + name string + version string + shouldReject bool + nodes []*v1.Node + nodeListErr error + errType field.ErrorType + errMsg string + }{ + // no rejections + { + name: "should not reject when minimum kubelet version is empty", + version: "", + shouldReject: false, + }, + { + name: "should reject when min kubelet version bogus", + version: "bogus", + shouldReject: true, + nodes: []*v1.Node{ + { + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30.0", + }, + }, + }, + }, + errType: field.ErrorTypeInvalid, + errMsg: "failed to parse submitted version bogus No Major.Minor.Patch elements found", + }, + { + name: "should reject when kubelet version is bogus", + version: "1.30.0", + shouldReject: true, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "bogus", + }, + }, + }, + }, + errType: field.ErrorTypeInvalid, + errMsg: "failed to parse node version bogus: No Major.Minor.Patch elements found", + }, + { + name: "should reject when kubelet version is too old", + version: "1.30.0", + shouldReject: true, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.29.0", + }, + }, + }, + }, + errType: field.ErrorTypeForbidden, + errMsg: "kubelet version is 1.29.0, which is lower than minimumKubeletVersion of 1.30.0", + }, + { + name: "should reject when one kubelet version is too old", + version: "1.30.0", + shouldReject: true, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30.0", + }, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node2", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.29.0", + }, + }, + }, + }, + errType: field.ErrorTypeForbidden, + errMsg: "kubelet version is 1.29.0, which is lower than minimumKubeletVersion of 1.30.0", + }, + { + name: "should not reject when kubelet version is equal", + version: "1.30.0", + shouldReject: false, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30.0", + }, + }, + }, + }, + }, + { + name: "should reject when min version incomplete", + version: "1.30", + shouldReject: true, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30.0", + }, + }, + }, + }, + errType: field.ErrorTypeInvalid, + errMsg: "failed to parse submitted version 1.30 No Major.Minor.Patch elements found", + }, + { + name: "should reject when kubelet version incomplete", + version: "1.30.0", + shouldReject: true, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.30", + }, + }, + }, + }, + errType: field.ErrorTypeInvalid, + errMsg: "failed to parse node version 1.30: No Major.Minor.Patch elements found", + }, + { + name: "should not reject when kubelet version is new enough", + version: "1.30.0", + shouldReject: false, + nodes: []*v1.Node{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "node", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: "1.31.0", + }, + }, + }, + }, + }, + } + for _, testCase := range testCases { + shouldStr := "should not be" + if testCase.shouldReject { + shouldStr = "should be" + } + t.Run(testCase.name, func(t *testing.T) { + obj := configv1.Node{ + Spec: configv1.NodeSpec{ + MinimumKubeletVersion: testCase.version, + }, + } + v := &configNodeV1{ + nodeLister: fakeNodeLister(testCase.nodes), + waitForReady: func() func() bool { + return func() bool { + return true + } + }, + minimumKubeletVersionEnabled: true, + } + + fieldErr := v.validateMinimumKubeletVersion(&obj) + assert.Equal(t, testCase.shouldReject, fieldErr != nil, "minimum kubelet version %q %s rejected", testCase.version, shouldStr) + if testCase.shouldReject { + assert.Equal(t, "spec.minimumKubeletVersion", fieldErr.Field, "field name during for mininumKubeletVersion should be spec.mininumKubeletVersion") + assert.Equal(t, fieldErr.Type, testCase.errType, "error type should be %q", testCase.errType) + assert.Contains(t, fieldErr.Detail, testCase.errMsg, "error message should contain %q", testCase.errMsg) + } + }) + } +} + +func fakeNodeLister(nodes []*v1.Node) func() corev1listers.NodeLister { + indexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + for _, node := range nodes { + _ = indexer.Add(node) + } + return func() corev1listers.NodeLister { + return corev1listers.NewNodeLister(indexer) + } +} From 7da3df3ec4175072dbacdfdb1cc1c4ef8d22520e Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Mon, 25 Nov 2024 12:22:49 -0500 Subject: [PATCH 7/7] WIP Signed-off-by: Peter Hunt --- .../minimumkubeletversion/minimum_kubelet_version.go | 9 +++++++++ pkg/kubeapiserver/authorizer/reload.go | 1 + 2 files changed, 10 insertions(+) diff --git a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go index 7db15dac39828..e24877982ccb4 100644 --- a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go +++ b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go @@ -14,6 +14,7 @@ import ( v1listers "k8s.io/client-go/listers/core/v1" cache "k8s.io/client-go/tools/cache" "k8s.io/component-base/featuregate" + "k8s.io/klog/v2" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/auth/nodeidentifier" ) @@ -54,10 +55,12 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser()) if !isNode { // ignore requests from non-nodes + klog.Infof("XXXXXXXX not a node %v", attrs.GetUser()) return authorizer.DecisionNoOpinion, "", nil } if len(nodeName) == 0 { + klog.Infof("XXXXXXXX empty node name %v", attrs.GetUser()) return authorizer.DecisionNoOpinion, fmt.Sprintf("unknown node for user %q", attrs.GetUser().GetName()), nil } @@ -68,26 +71,32 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori switch requestResource { case api.Resource("nodes"): if v := attrs.GetVerb(); v == "get" || v == "update" { + klog.Infof("XXXXXXXX node get or update %v", attrs.GetUser()) return authorizer.DecisionNoOpinion, "", nil } // TODO(haircommander): do we need other flavors of access reviews here? case authorizationv1.Resource("subjectaccessreviews"): + klog.Infof("XXXXXXXX SAR %v", attrs.GetUser()) return authorizer.DecisionNoOpinion, "", nil } } if !m.hasNodeInformerSyncedFn() { + klog.Infof("XXXXXXXX not synced %v", attrs.GetUser()) return authorizer.DecisionNoOpinion, fmt.Sprintf("node informer not synced, cannot check if node %s is new enough", nodeName), nil } node, err := m.nodeLister.Get(nodeName) if err != nil { + klog.Infof("XXXXXXXX failed to get node %s %v", nodeName, attrs.GetUser()) return authorizer.DecisionNoOpinion, fmt.Sprintf("failed to get node %s: %v", nodeName, err), nil } if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil { + klog.Infof("XXXXXXXX node too old %s %v", nodeName, attrs.GetUser()) return authorizer.DecisionDeny, err.Error(), nil } + klog.Infof("XXXXXXXX OK %s", attrs.GetUser()) return authorizer.DecisionNoOpinion, "", nil } diff --git a/pkg/kubeapiserver/authorizer/reload.go b/pkg/kubeapiserver/authorizer/reload.go index a30f48a0955b5..31e220036e9e2 100644 --- a/pkg/kubeapiserver/authorizer/reload.go +++ b/pkg/kubeapiserver/authorizer/reload.go @@ -176,6 +176,7 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut // no browsersafeauthorizer here becase that rewrites the resources. This authorizer matches no matter which resource matches. authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)) case authzconfig.AuthorizerType(modes.ModeMinimumKubeletVersion): + klog.Infof("XXXXX have min kubelet verison") // Add MinimumKubeletVerison authorizer, to block a node from being able to access most resources if it's not new enough. // We must do so here instead of in pkg/apiserver because it relies on a node informer, which is not present in generic control planes. authorizers = append(authorizers, minimumkubeletversion.NewMinimumKubeletVersion(