OCPCLOUD-2733: rebase on upstream 1.31.0 release #319
…viders Remove deprecated k8s.io/legacy-cloud-providers
vpa-updater: Log the Pod namespace when evicting a Pod
…dification Modify logic to look for ocid type prefix in OCI cloud provider builder
Add initial setup for cluster-autoscaler Azure e2e tests
…ample-manifests Update example manifests with the latest RBAC permissions.
Add ability to the VPA admission-controller to reload it's certificate v2
Remove vendor directory, readded by mistake
…s-approver-no-more CA - Restore aleksandra-malinowska as approver
Fix/aws asg unsafe decommission 5829
feat(clusterapi): per nodeGroup autoscaling options
…troller-logging vpa-admission-controller: Log object's namespace
Use autoscaling.x-k8s.io rather than cluster-autoscaler.kubernetes.io
Update ProvReq annotations to new prefix
Update Azure cluster-autoscaler e2e cluster template
…ogging vpa-recommender: Log object's namespace
added an upstream fix for the goimports, i have a feeling the deletion taint tests are still going to give us issues.
i'll add a few more ignores to the snyk config
This change carries files and modifications that are used by OpenShift release infrastructure and related files.
* spec file
* dockerfiles
  * vertical-pod-autoscaler/Dockerfile.rhel
  * vertical-pod-autoscaler/Dockerfile.openshift
  * images/cluster-autoscaler/Dockerfile
  * images/cluster-autoscaler/Dockerfile.rhel
* hack scripts (ci and build related)
* Makefile
* JUnit tools
* update gitignore
* update/remove OWNERS files
* ci-operator config yaml
* add vendor folders for cluster-autoscaler and balancer
* add Snyk file to exclude vendor directories and problematic cloud providers on scan
…otation The delete annotation upstream has a different format, but is now inferred dynamically from the API group. If we update this in MAO to use the new format, we can drop this old key
This change re-adds the machine api support for labels and taints on node groups. The code was removed upstream as it is openshift specific, see this pull request[0]. It also adds in the functionality of the upstream override annotation for labels and taints[1] to support https://issues.redhat.com/browse/MIXEDARCH-259
[0]: kubernetes#5249
[1]: kubernetes#5382
the upstream annotations for the scale from zero capacity resources is slightly different than the openshift implementation. the largest difference is the addition of a gpu type annotation. openshift does not yet utilize this annotation and thus this patch should be carried until the machineset controllers for the various providers on openshift have been modified to use the new annotations. another important change is the modification of the memory annotation. previously in openshift we expected this value to be a count of memory in Mebibytes. the conversion function and tests have been modified to allow continued openshift operation. this change can be dropped when the annotations in openshift have been updated, the progress for this effort can be followed at https://issues.redhat.com/browse/OCPCLOUD-944
…ider This change corrects the behavior for parsing taints from the unstructured scalable resource. This is required on OpenShift as our implementation is slightly different from the upstream.
this change fixes the import order so that the goimports tool does not complain about the ordering.
The security issues presented here may warrant a discussion with the VPA team, I can see some about unsanitised input, yet, I suspect the answer will be "we control the input so it's ok"
Otherwise changes here are looking good
Are the periodic issues known?
cc @joelsmith , happy for your input on the security warnings
yes, these are not new. they are related to the deletion taint issue we are working on.
I went to the Snyk dashboard and I have told Snyk to ignore the VPA issues as they were all false alarms. There is still one in
/test security
thanks Joel!
i did some research and have added an ignore for the import-verifier. it is only used during the build process to inspect the imports on go files, it currently is only used from the verify-imports.sh script, and it has an empty list for input restrictions. which means that currently it does not check anything. while it is possible that an attacker could get into the supply chain and change the import restrictions, the result of this would most likely be limited as we currently do not have any restrictions. while they might be able to break part of the build process, it seems unlikely that there would be deleterious effects on the code that weren't merged in other patches.
/test security
/test security
/retest
@elmiko: The following tests failed, say
@JoelSpeed looks like we are just down to the pathologically failing deletion taint tests
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: JoelSpeed
b533c8b into openshift:master
[ART PR BUILD NOTIFIER] Distgit: vertical-pod-autoscaler
[ART PR BUILD NOTIFIER] Distgit: atomic-openshift-cluster-autoscaler
This commit rebases the autoscaler on top of the Kubernetes/Autoscaler 1.31.0 release. There are several commits that we carry on top of the upstream autoscaler and the rebase process allows us to preserve those. Here is a description of the process I used to create this PR.
(inspired by the commit description for the 1.18 rebase. pr #139)
Process
First we need to identify the carry commits that we currently have, this is done against our previous rebase to catch new changes. Once identified we will drop commits which have merged upstream and only carry unique commits. (see below for the carried and dropped commits).
Identify carry commits (run from the openshift/master branch), these are the commits that begin with UPSTREAM: up until the merge commit for the previous rebase commit (merge upstream/cluster-autoscaler-1.30.1)
After identifying the carry commits, the next step is to create the new commit-tree that will be used for the rebase and then cherry pick the carry commits into the new branch. The following commands cover these steps:
With the merge-1.31 branch in place, I cherry picked the carry commits which applied, resolved merge conflicts, and finally tested the resulting tree against the unit test and end-to-end suite.
Carried Commits
These commits are for features which have not yet been accepted upstream, are integral to our CI platform, or are specific to the releases we create for OpenShift.
Squashed Commits
These commits were squashed into the carried commits to help reduce the length of our history. All these commits have been squashed into their topically related commits.
Dropped Commits
These commits were dropped.
Of special note in this rebase is this commit
due to the scale from zero changes being accepted upstream we can now drop our carried patch. but, the upstream implementation has differed slightly from ours (mainly around annotation names). we will need to carry this patch until we can fix all the providers to properly use the new annotations. This patch can be dropped once the epic contained in https://issues.redhat.com/browse/OCPCLOUD-2136 is completed.
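
The carry-commit identification step from the Process section, as an added example that is not part of the original PR description (whose own commands are not reproduced on this page). The function names, the throwaway repository and its commit subjects are constructed for illustration; only the UPSTREAM: prefix and the merge message come from the text above.

```shell
#!/bin/sh
# Build a throwaway repository with a constructed history:
# one carry from before the previous rebase, the rebase merge, then new work.
make_demo_repo() {
    repo=$(mktemp -d)
    (
        cd "$repo" || exit 1
        export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
        export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
        git init -q
        git symbolic-ref HEAD refs/heads/work
        c() { git commit -q --allow-empty -m "$1"; }
        c "UPSTREAM: constructed carry from the previous rebase"
        git checkout -q -b up
        c "constructed upstream release commit"
        git checkout -q work
        git merge -q --no-ff -m "merge upstream/cluster-autoscaler-1.30.1" up
        c "UPSTREAM: constructed carry A"
        c "docs: constructed non-carry change"
        c "UPSTREAM: constructed carry B"
    ) >/dev/null 2>&1
    printf '%s\n' "$repo"
}

# Print the hash of the newest merge commit whose message contains $2.
find_prev_rebase_merge() {
    git -C "$1" log --merges -n 1 --format=%H --fixed-strings --grep="$2" HEAD
}

# List subjects of non-merge commits after $2 (up to $3) that start with
# "UPSTREAM:", oldest first. Filtering on the subject line avoids matching
# a commit that only mentions the prefix in its body.
list_carry_commits() {
    git -C "$1" log --no-merges --reverse --format=%s "$2..$3" |
        grep '^UPSTREAM:'
}

demo=$(make_demo_repo)
prev=$(find_prev_rebase_merge "$demo" "merge upstream/cluster-autoscaler-1.30.1")
list_carry_commits "$demo" "$prev" HEAD
rm -rf "$demo"
```

The carry made before the previous rebase merge is excluded by the range, which is what keeps already-reviewed carries out of the new candidate list.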