treewide: k8s 1.28 and lots related updates
First, this contains a bunch of dependency updates. Important ones in no
particular order:
Kubernetes 1.24.2 -> 1.28.8
etcd 3.5.4 -> 3.5.13
Protobuf 1.32.0 -> 1.33.0
OpenTelemetry 0.20.0 -> 1.20.0
containerd 1.6.6 -> 1.7.15
CoreDNS 1.9.2 -> 1.11.1
With Kubernetes 1.25 PodSecurityPolicies are removed, this replaces them
with a static PodSecurity admission configuration which behaves the same
or is slightly more permissive in most ways. The only known exceptions are
that the NET_RAW capability is no longer allowed and non-standard SELinux
labels are no longer permitted (but these never did anything anyway).
The RBAC policies are intentionally not removed yet as we do not yet
have the capability to actually update these, so they will be removed
when that is available (#288), until then they will stay in-place but
do nothing.
With the containerd upgrade the deprecated option for ignoring
preseeded/pinned images for garbage collection in Kubelet can be
removed.
This change also contains some drive-by fixes to the controller-manager,
like passing the Service IP net and disabling cloud-related control
loops which generate spurious warnings if enabled.
The containerd tracing patch is removed as we can now use OTel v1, thus
that patch is no longer necessary.
An actual upgrade test will be part of a future CL as this one is
already quite large and it works stand-alone.
Co-authored-by: Tim Windelschmidt <tim@monogon.tech>
Change-Id: I8e5f51e6e6240a1b67590458b2f1c24d58c8e91e
Reviewed-on: https://review.monogon.dev/c/monogon/+/2315
Tested-by: Jenkins CI
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
diff --git a/third_party/go/patches/containerd-grpc-inherit-unimplemented.patch b/third_party/go/patches/containerd-grpc-inherit-unimplemented.patch
new file mode 100644
index 0000000..3568b79
--- /dev/null
+++ b/third_party/go/patches/containerd-grpc-inherit-unimplemented.patch
@@ -0,0 +1,54 @@
+From d65088ac138e652772c73ce2b19be03b1966c42a Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@monogon.tech>
+Date: Tue, 28 Nov 2023 18:05:11 +0100
+Subject: [PATCH] Use Unimplemented implementation for gRPC forward compat
+
+Otherwise any newly-added methods will cause build failures.
+---
+ pkg/cri/instrument/instrumented_service.go | 2 ++
+ pkg/cri/sbserver/service.go | 2 ++
+ pkg/cri/server/service.go | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/pkg/cri/instrument/instrumented_service.go b/pkg/cri/instrument/instrumented_service.go
+index 2f388d56d..ce290559c 100644
+--- a/pkg/cri/instrument/instrumented_service.go
++++ b/pkg/cri/instrument/instrumented_service.go
+@@ -61,6 +61,8 @@ type GRPCAlphaServices interface {
+ // instrumentedService wraps service with containerd namespace and logs.
+ type instrumentedService struct {
+ c criService
++ runtime.UnimplementedRuntimeServiceServer
++ runtime.UnimplementedImageServiceServer
+ }
+
+ func NewService(c criService) GRPCServices {
+diff --git a/pkg/cri/sbserver/service.go b/pkg/cri/sbserver/service.go
+index 9348c6081..9b636aaf8 100644
+--- a/pkg/cri/sbserver/service.go
++++ b/pkg/cri/sbserver/service.go
+@@ -72,6 +72,8 @@ type CRIService interface {
+
+ // criService implements CRIService.
+ type criService struct {
++ runtime.UnimplementedRuntimeServiceServer
++ runtime.UnimplementedImageServiceServer
+ // config contains all configurations.
+ config criconfig.Config
+ // imageFSPath is the path to image filesystem.
+diff --git a/pkg/cri/server/service.go b/pkg/cri/server/service.go
+index 5d946f4a2..b56509534 100644
+--- a/pkg/cri/server/service.go
++++ b/pkg/cri/server/service.go
+@@ -70,6 +70,8 @@ type CRIService interface {
+
+ // criService implements CRIService.
+ type criService struct {
++ runtime.UnimplementedRuntimeServiceServer
++ runtime.UnimplementedImageServiceServer
+ // config contains all configurations.
+ config criconfig.Config
+ // imageFSPath is the path to image filesystem.
+--
+2.42.0
+
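Review bot: Embedding `runtime.UnimplementedRuntimeServiceServer` and `runtime.UnimplementedImageServiceServer` in `instrumentedService` (first inner hunk) means any CRI RPC the wrapper does not explicitly forward is answered with codes.Unimplemented instead of being passed to the wrapped `criService`, and the compiler no longer reports the gap; if `instrumentedService` is what gets registered with gRPC, as `NewService(c criService) GRPCServices` suggests, a newly added RPC that containerd itself implements would be silently unreachable in this build. The patch description only says it avoids build failures, so the trade-off should be written down where the next containerd bump will see it, e.g. by extending the description with `Note: methods added to the CRI API after this patch must be forwarded explicitly in instrumented_service.go; with the embedded Unimplemented* types the compiler will no longer catch a missing wrapper method.` The same applies to the two `criService` embeds in sbserver and server, where an accidentally removed or mis-typed method would now compile and serve Unimplemented at runtime.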
diff --git a/third_party/go/patches/containerd-no-tracing.patch b/third_party/go/patches/containerd-no-tracing.patch
deleted file mode 100644
index ee6f8c8..0000000
--- a/third_party/go/patches/containerd-no-tracing.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 26ac5a008b349b77288d29cc483ea5d6129f298c Mon Sep 17 00:00:00 2001
-From: Lorenz Brun <lorenz@monogon.tech>
-Date: Wed, 16 Mar 2022 18:35:44 +0100
-Subject: [PATCH] Disable tracing for otel compatibility
-
----
- cmd/containerd/builtins.go | 1 -
- cmd/containerd/command/main.go | 2 --
- 2 files changed, 3 deletions(-)
-
-diff --git a/cmd/containerd/builtins.go b/cmd/containerd/builtins.go
-index 8c6f1fe86..dd8b1d3d9 100644
---- a/cmd/containerd/builtins.go
-+++ b/cmd/containerd/builtins.go
-@@ -36,5 +36,4 @@ import (
- _ "github.com/containerd/containerd/services/snapshots"
- _ "github.com/containerd/containerd/services/tasks"
- _ "github.com/containerd/containerd/services/version"
-- _ "github.com/containerd/containerd/tracing/plugin"
- )
-diff --git a/cmd/containerd/command/main.go b/cmd/containerd/command/main.go
-index f549e08a3..dfde3599e 100644
---- a/cmd/containerd/command/main.go
-+++ b/cmd/containerd/command/main.go
-@@ -35,7 +35,6 @@ import (
- "github.com/containerd/containerd/services/server"
- srvconfig "github.com/containerd/containerd/services/server/config"
- "github.com/containerd/containerd/sys"
-- "github.com/containerd/containerd/tracing"
- "github.com/containerd/containerd/version"
- "github.com/sirupsen/logrus"
- "github.com/urfave/cli"
-@@ -370,7 +369,6 @@ func setLogFormat(config *srvconfig.Config) error {
- }
-
- func setLogHooks() {
-- logrus.StandardLogger().AddHook(tracing.NewLogrusHook())
- }
-
- func dumpStacks(writeToFile bool) {
---
-2.25.1
-
diff --git a/third_party/go/patches/coredns-remove-unused-plugins.patch b/third_party/go/patches/coredns-remove-unused-plugins.patch
index e952585..c05b9a9 100644
--- a/third_party/go/patches/coredns-remove-unused-plugins.patch
+++ b/third_party/go/patches/coredns-remove-unused-plugins.patch
@@ -1,4 +1,4 @@
-From 355d38f38cf241b91a862795892bcb87c5729d2e Mon Sep 17 00:00:00 2001
+From e2134787f676554c0eee7d48d405a5e680ceed8b Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@monogon.tech>
Date: Wed, 16 Mar 2022 13:39:39 +0100
Subject: [PATCH] Remove unused plugins
@@ -7,11 +7,11 @@
core/dnsserver/zdirectives.go | 7 -------
core/plugin/zplugin.go | 7 -------
plugin.cfg | 7 -------
- plugin/kubernetes/setup.go | 3 ---
- 4 files changed, 24 deletions(-)
+ plugin/kubernetes/setup.go | 2 +-
+ 4 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/core/dnsserver/zdirectives.go b/core/dnsserver/zdirectives.go
-index bca21718..678c02c6 100644
+index 6d713758..8d46a0a2 100644
--- a/core/dnsserver/zdirectives.go
+++ b/core/dnsserver/zdirectives.go
@@ -11,7 +11,6 @@ package dnsserver
@@ -21,8 +21,8 @@
- "geoip",
"cancel",
"tls",
- "reload",
-@@ -20,14 +19,12 @@ var Directives = []string{
+ "timeouts",
+@@ -21,14 +20,12 @@ var Directives = []string{
"root",
"bind",
"debug",
@@ -37,7 +37,7 @@
"local",
"dns64",
"acl",
-@@ -43,15 +40,11 @@ var Directives = []string{
+@@ -45,15 +42,11 @@ var Directives = []string{
"template",
"transfer",
"hosts",
@@ -54,7 +54,7 @@
"forward",
"grpc",
diff --git a/core/plugin/zplugin.go b/core/plugin/zplugin.go
-index a9167eea..2a5d0b13 100644
+index b97cd85c..67c7ecbc 100644
--- a/core/plugin/zplugin.go
+++ b/core/plugin/zplugin.go
@@ -9,23 +9,18 @@ import (
@@ -81,7 +81,7 @@
_ "github.com/coredns/coredns/plugin/grpc"
_ "github.com/coredns/coredns/plugin/header"
_ "github.com/coredns/coredns/plugin/health"
-@@ -45,12 +40,10 @@ import (
+@@ -45,13 +40,11 @@ import (
_ "github.com/coredns/coredns/plugin/reload"
_ "github.com/coredns/coredns/plugin/rewrite"
_ "github.com/coredns/coredns/plugin/root"
@@ -89,24 +89,25 @@
_ "github.com/coredns/coredns/plugin/secondary"
_ "github.com/coredns/coredns/plugin/sign"
_ "github.com/coredns/coredns/plugin/template"
+ _ "github.com/coredns/coredns/plugin/timeouts"
_ "github.com/coredns/coredns/plugin/tls"
- _ "github.com/coredns/coredns/plugin/trace"
_ "github.com/coredns/coredns/plugin/transfer"
- _ "github.com/coredns/coredns/plugin/whoami"
- )
+ _ "github.com/coredns/coredns/plugin/tsig"
+ _ "github.com/coredns/coredns/plugin/view"
diff --git a/plugin.cfg b/plugin.cfg
-index 628e7141..d4ce1c89 100644
+index 407a668e..0429f5ee 100644
--- a/plugin.cfg
+++ b/plugin.cfg
@@ -20,7 +20,6 @@
# log:log
-
+
metadata:metadata
-geoip:geoip
cancel:cancel
tls:tls
- reload:reload
-@@ -29,14 +28,12 @@ bufsize:bufsize
+ timeouts:timeouts
+@@ -30,14 +29,12 @@ bufsize:bufsize
root:root
bind:bind
debug:debug
@@ -121,7 +122,7 @@
local:local
dns64:dns64
acl:acl
-@@ -52,15 +49,11 @@ minimal:minimal
+@@ -54,15 +51,11 @@ minimal:minimal
template:template
transfer:transfer
hosts:hosts
@@ -138,19 +139,25 @@
forward:forward
grpc:grpc
diff --git a/plugin/kubernetes/setup.go b/plugin/kubernetes/setup.go
-index 5f5ab058..ae1a7cf8 100644
+index 0b988a9a..a07a1194 100644
--- a/plugin/kubernetes/setup.go
+++ b/plugin/kubernetes/setup.go
-@@ -17,9 +17,6 @@ import (
-
+@@ -8,6 +8,7 @@ import (
+ "strings"
+
+ "github.com/coredns/caddy"
++
+ "github.com/coredns/coredns/core/dnsserver"
+ "github.com/coredns/coredns/plugin"
+ "github.com/coredns/coredns/plugin/pkg/dnsutil"
+@@ -17,7 +18,6 @@ import (
+ "github.com/go-logr/logr"
"github.com/miekg/dns"
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
-- _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" // pull this in here, because we want it excluded if plugin.cfg doesn't have k8s
-- _ "k8s.io/client-go/plugin/pkg/client/auth/oidc" // pull this in here, because we want it excluded if plugin.cfg doesn't have k8s
-- _ "k8s.io/client-go/plugin/pkg/client/auth/openstack" // pull this in here, because we want it excluded if plugin.cfg doesn't have k8s
+- _ "k8s.io/client-go/plugin/pkg/client/auth/oidc" // pull this in here, because we want it excluded if plugin.cfg doesn't have k8s
"k8s.io/client-go/tools/clientcmd"
"k8s.io/klog/v2"
)
---
-2.25.1
+--
+2.41.0
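Review bot: The new inner hunk `@@ -8,6 +8,7 @@` in plugin/kubernetes/setup.go only inserts a blank line between the caddy import and the coredns imports, which has nothing to do with removing unused plugins and adds one more context block that has to be rebased on the next CoreDNS bump. It presumably comes from running the repository's goimports grouping over the file; unless that grouping is required for the build to pass, dropping the hunk so that only the `oidc` auth plugin removal remains would keep the patch minimal (the diffstat line `plugin/kubernetes/setup.go | 2 +-` and the `1 insertion(+)` count would then need to follow).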
diff --git a/third_party/go/patches/goimports-group-merging.patch b/third_party/go/patches/goimports-group-merging.patch
index 87a20b3..127f563 100644
--- a/third_party/go/patches/goimports-group-merging.patch
+++ b/third_party/go/patches/goimports-group-merging.patch
@@ -14,7 +14,7 @@
diff -ur org_golang_x_tools.orig/internal/imports/fix_test.go org_golang_x_tools/internal/imports/fix_test.go
--- org_golang_x_tools.orig/internal/imports/fix_test.go 2023-04-03 15:16:24.808998544 +0200
+++ org_golang_x_tools/internal/imports/fix_test.go 2023-04-03 15:16:56.069290812 +0200
-@@ -552,7 +552,6 @@
+@@ -552,7 +552,6 @@ c = fmt.Printf
import (
"fmt"
@@ -22,7 +22,7 @@
"gu"
"manypackages.com/packagea"
-@@ -643,15 +642,11 @@
+@@ -643,15 +642,11 @@ var _, _, _, _, _ = fmt.Errorf, io.Copy, strings.Contains, renamed_packagea.A, B
import (
"fmt"
@@ -40,10 +40,12 @@
_ "manypackages.com/packagec"
)
-@@ -1183,6 +1178,62 @@
- var _, _ = rand.Read, rand.NewZipf
+@@ -1194,6 +1189,62 @@ import (
+ )
`,
- },
+ out: `package main
++`,
++ },
+ {
+ name: "comment_between_imports_simple",
+ in: `package main
@@ -98,11 +100,9 @@
+
+ _ "github.com/bar/foo2"
+)
-+`,
-+ },
+ `,
+ },
}
-
- func TestSimpleCases(t *testing.T) {
Only in org_golang_x_tools/internal/imports: fix_test.go.orig
diff -ur org_golang_x_tools.orig/internal/imports/sortimports.go org_golang_x_tools/internal/imports/sortimports.go
--- org_golang_x_tools.orig/internal/imports/sortimports.go 2023-04-03 15:16:24.808998544 +0200
diff --git a/third_party/go/patches/gvisor-containerd-compat.patch b/third_party/go/patches/gvisor-containerd-compat.patch
index a1a2dc7..5e7f61e 100644
--- a/third_party/go/patches/gvisor-containerd-compat.patch
+++ b/third_party/go/patches/gvisor-containerd-compat.patch
@@ -1,55 +1,50 @@
-From 2aaae27bbcdae1c917441932fb79b6f6b6e0ebcd Mon Sep 17 00:00:00 2001
-From: Tim Windelschmidt <tim@monogon.tech>
-Date: Tue, 12 Sep 2023 14:33:58 +0200
-Subject: [PATCH] containerd 1.6 compatibility
-
----
- pkg/shim/proc/exec.go | 2 +-
- pkg/shim/proc/init.go | 2 +-
- pkg/shim/service.go | 17 +++++++++--------
- pkg/shim/service_linux.go | 2 +-
- 4 files changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/pkg/shim/proc/exec.go b/pkg/shim/proc/exec.go
-index da2e21598..d0d14dd24 100644
---- a/pkg/shim/proc/exec.go
-+++ b/pkg/shim/proc/exec.go
-@@ -238,7 +238,7 @@ func (e *execProcess) start(ctx context.Context) error {
- if err != nil {
- return fmt.Errorf("failed to retrieve console master: %w", err)
- }
-- if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {
-+ if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.id, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {
- return fmt.Errorf("failed to start console copy: %w", err)
- }
- } else if !e.stdio.IsNull() {
-diff --git a/pkg/shim/proc/init.go b/pkg/shim/proc/init.go
-index fcdc8e2bc..f2aaf6c2a 100644
---- a/pkg/shim/proc/init.go
-+++ b/pkg/shim/proc/init.go
-@@ -155,7 +155,7 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) (err error) {
- if err != nil {
- return fmt.Errorf("failed to retrieve console master: %w", err)
- }
-- console, err = p.Platform.CopyConsole(ctx, console, r.Stdin, r.Stdout, r.Stderr, &p.wg)
-+ console, err = p.Platform.CopyConsole(ctx, console, r.ID, r.Stdin, r.Stdout, r.Stderr, &p.wg)
- if err != nil {
- return fmt.Errorf("failed to start console copy: %w", err)
- }
diff --git a/pkg/shim/service.go b/pkg/shim/service.go
-index a6904e1ae..964a152c9 100644
---- a/pkg/shim/service.go
-+++ b/pkg/shim/service.go
-@@ -50,7 +50,7 @@ import (
+--- a/pkg/shim/service.go (revision fbd632393665c6628221150b74ae50294d9a3695)
++++ b/pkg/shim/service.go (date 1694133552618)
+@@ -32,6 +32,7 @@
+ cgroupsv2 "github.com/containerd/cgroups/v2"
+ "github.com/containerd/console"
+ "github.com/containerd/containerd/api/events"
++ taskAPI "github.com/containerd/containerd/api/runtime/task/v2"
+ "github.com/containerd/containerd/api/types/task"
+ "github.com/containerd/containerd/errdefs"
+ "github.com/containerd/containerd/log"
+@@ -39,18 +40,20 @@
+ "github.com/containerd/containerd/namespaces"
+ "github.com/containerd/containerd/pkg/process"
+ "github.com/containerd/containerd/pkg/stdio"
++ "github.com/containerd/containerd/protobuf"
+ "github.com/containerd/containerd/runtime"
+ "github.com/containerd/containerd/runtime/linux/runctypes"
+ "github.com/containerd/containerd/runtime/v2/shim"
+- taskAPI "github.com/containerd/containerd/runtime/v2/task"
+ "github.com/containerd/containerd/sys/reaper"
+- "github.com/containerd/typeurl"
+- "github.com/gogo/protobuf/types"
+- specs "github.com/opencontainers/runtime-spec/specs-go"
++ "github.com/containerd/typeurl/v2"
++ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
++ "google.golang.org/protobuf/types/known/emptypb"
++ "google.golang.org/protobuf/types/known/timestamppb"
++
"gvisor.dev/gvisor/pkg/cleanup"
- "gvisor.dev/gvisor/pkg/shim/runtimeoptions/v14"
+ v14 "gvisor.dev/gvisor/pkg/shim/runtimeoptions/v14"
"gvisor.dev/gvisor/pkg/shim/proc"
"gvisor.dev/gvisor/pkg/shim/runsc"
-@@ -189,7 +189,7 @@ type service struct {
+@@ -60,7 +63,7 @@
+ )
+
+ var (
+- empty = &types.Empty{}
++ empty = &emptypb.Empty{}
+ bufPool = sync.Pool{
+ New: func() any {
+ buffer := make([]byte, 32<<10)
+@@ -189,7 +192,7 @@
var _ shim.Shim = (*service)(nil)
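Review bot: The rewritten patch no longer carries the `From:`/`Subject:` lines and diffstat that the previous version had (they are removed at the top of this hunk with nothing added in their place), and the new file headers are IDE-style `(revision …)`/`(date …)` stamps rather than git ones, so the file no longer states which containerd API it targets or why the changes are needed. Since this is applied to a pinned third-party checkout, a short prose header above the first `diff --git` line would keep it maintainable; k8s-fix-logs-path.patch in this same change appears to carry free text before its diff, so the patch tooling presumably tolerates that. Something like `Port the gVisor shim to the containerd 1.7 runtime/v2 task API (google.golang.org/protobuf types, typeurl/v2, emptypb/timestamppb, CopyConsole id argument)` would do.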
@@ -58,7 +53,7 @@
ns, err := namespaces.NamespaceRequired(ctx)
if err != nil {
return nil, err
-@@ -204,6 +204,7 @@ func (s *service) newCommand(ctx context.Context, containerdBinary, containerdAd
+@@ -204,6 +207,7 @@
}
args := []string{
"-namespace", ns,
@@ -66,7 +61,7 @@
"-address", containerdAddress,
"-publish-binary", containerdBinary,
}
-@@ -219,14 +220,14 @@ func (s *service) newCommand(ctx context.Context, containerdBinary, containerdAd
+@@ -219,14 +223,14 @@
return cmd, nil
}
@@ -85,7 +80,7 @@
if err != nil {
return "", err
}
-@@ -280,8 +281,8 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container
+@@ -280,8 +284,8 @@
if err := shim.WriteAddress(shimAddressPath, address); err != nil {
return "", err
}
@@ -96,11 +91,209 @@
}
cu.Release()
return address, nil
+@@ -315,7 +319,7 @@
+ log.L.Infof("failed to cleanup rootfs mount: %v", err)
+ }
+ return &taskAPI.DeleteResponse{
+- ExitedAt: time.Now(),
++ ExitedAt: timestamppb.New(time.Now()),
+ ExitStatus: 128 + uint32(unix.SIGKILL),
+ }, nil
+ }
+@@ -578,18 +582,18 @@
+ }
+ return &taskAPI.DeleteResponse{
+ ExitStatus: uint32(p.ExitStatus()),
+- ExitedAt: p.ExitedAt(),
++ ExitedAt: timestamppb.New(p.ExitedAt()),
+ Pid: uint32(p.Pid()),
+ }, nil
+ }
+
+ // Exec spawns an additional process inside the container.
+-func (s *service) Exec(ctx context.Context, r *taskAPI.ExecProcessRequest) (*types.Empty, error) {
++func (s *service) Exec(ctx context.Context, r *taskAPI.ExecProcessRequest) (*emptypb.Empty, error) {
+ resp, err := s.exec(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) exec(ctx context.Context, r *taskAPI.ExecProcessRequest) (*types.Empty, error) {
++func (s *service) exec(ctx context.Context, r *taskAPI.ExecProcessRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Exec, id: %s, execID: %s", r.ID, r.ExecID)
+
+ s.mu.Lock()
+@@ -619,12 +623,12 @@
+ }
+
+ // ResizePty resizes the terminal of a process.
+-func (s *service) ResizePty(ctx context.Context, r *taskAPI.ResizePtyRequest) (*types.Empty, error) {
++func (s *service) ResizePty(ctx context.Context, r *taskAPI.ResizePtyRequest) (*emptypb.Empty, error) {
+ resp, err := s.resizePty(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) resizePty(ctx context.Context, r *taskAPI.ResizePtyRequest) (*types.Empty, error) {
++func (s *service) resizePty(ctx context.Context, r *taskAPI.ResizePtyRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("ResizePty, id: %s, execID: %s, dimension: %dx%d", r.ID, r.ExecID, r.Height, r.Width)
+
+ p, err := s.getProcess(r.ExecID)
+@@ -660,14 +664,14 @@
+ log.L.Debugf("State failed: %v", err)
+ return nil, err
+ }
+- status := task.StatusUnknown
++ status := task.Status_UNKNOWN
+ switch st {
+ case "created":
+- status = task.StatusCreated
++ status = task.Status_CREATED
+ case "running":
+- status = task.StatusRunning
++ status = task.Status_RUNNING
+ case "stopped":
+- status = task.StatusStopped
++ status = task.Status_STOPPED
+ }
+ sio := p.Stdio()
+ res := &taskAPI.StateResponse{
+@@ -680,19 +684,19 @@
+ Stderr: sio.Stderr,
+ Terminal: sio.Terminal,
+ ExitStatus: uint32(p.ExitStatus()),
+- ExitedAt: p.ExitedAt(),
++ ExitedAt: timestamppb.New(p.ExitedAt()),
+ }
+ log.L.Debugf("State succeeded, response: %+v", res)
+ return res, nil
+ }
+
+ // Pause the container.
+-func (s *service) Pause(ctx context.Context, r *taskAPI.PauseRequest) (*types.Empty, error) {
++func (s *service) Pause(ctx context.Context, r *taskAPI.PauseRequest) (*emptypb.Empty, error) {
+ resp, err := s.pause(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) pause(ctx context.Context, r *taskAPI.PauseRequest) (*types.Empty, error) {
++func (s *service) pause(ctx context.Context, r *taskAPI.PauseRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Pause, id: %s", r.ID)
+ if s.task == nil {
+ log.L.Debugf("Pause error, id: %s: container not created", r.ID)
+@@ -706,12 +710,12 @@
+ }
+
+ // Resume the container.
+-func (s *service) Resume(ctx context.Context, r *taskAPI.ResumeRequest) (*types.Empty, error) {
++func (s *service) Resume(ctx context.Context, r *taskAPI.ResumeRequest) (*emptypb.Empty, error) {
+ resp, err := s.resume(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) resume(ctx context.Context, r *taskAPI.ResumeRequest) (*types.Empty, error) {
++func (s *service) resume(ctx context.Context, r *taskAPI.ResumeRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Resume, id: %s", r.ID)
+ if s.task == nil {
+ log.L.Debugf("Resume error, id: %s: container not created", r.ID)
+@@ -725,12 +729,12 @@
+ }
+
+ // Kill a process with the provided signal.
+-func (s *service) Kill(ctx context.Context, r *taskAPI.KillRequest) (*types.Empty, error) {
++func (s *service) Kill(ctx context.Context, r *taskAPI.KillRequest) (*emptypb.Empty, error) {
+ resp, err := s.kill(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) kill(ctx context.Context, r *taskAPI.KillRequest) (*types.Empty, error) {
++func (s *service) kill(ctx context.Context, r *taskAPI.KillRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Kill, id: %s, execID: %s, signal: %d, all: %t", r.ID, r.ExecID, r.Signal, r.All)
+
+ p, err := s.getProcess(r.ExecID)
+@@ -772,7 +776,7 @@
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal process %d info: %w", pid, err)
+ }
+- pInfo.Info = a
++ pInfo.Info = protobuf.FromAny(a)
+ break
+ }
+ }
+@@ -784,12 +788,12 @@
+ }
+
+ // CloseIO closes the I/O context of a process.
+-func (s *service) CloseIO(ctx context.Context, r *taskAPI.CloseIORequest) (*types.Empty, error) {
++func (s *service) CloseIO(ctx context.Context, r *taskAPI.CloseIORequest) (*emptypb.Empty, error) {
+ resp, err := s.closeIO(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) closeIO(ctx context.Context, r *taskAPI.CloseIORequest) (*types.Empty, error) {
++func (s *service) closeIO(ctx context.Context, r *taskAPI.CloseIORequest) (*emptypb.Empty, error) {
+ log.L.Debugf("CloseIO, id: %s, execID: %s, stdin: %t", r.ID, r.ExecID, r.Stdin)
+
+ p, err := s.getProcess(r.ExecID)
+@@ -805,7 +809,7 @@
+ }
+
+ // Checkpoint checkpoints the container.
+-func (s *service) Checkpoint(ctx context.Context, r *taskAPI.CheckpointTaskRequest) (*types.Empty, error) {
++func (s *service) Checkpoint(ctx context.Context, r *taskAPI.CheckpointTaskRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Checkpoint, id: %s", r.ID)
+ return empty, errdefs.ToGRPC(errdefs.ErrNotImplemented)
+ }
+@@ -829,12 +833,12 @@
+ }, nil
+ }
+
+-func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*types.Empty, error) {
++func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*emptypb.Empty, error) {
+ resp, err := s.shutdown(ctx, r)
+ return resp, errdefs.ToGRPC(err)
+ }
+
+-func (s *service) shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*types.Empty, error) {
++func (s *service) shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*emptypb.Empty, error) {
+ log.L.Debugf("Shutdown, id: %s", r.ID)
+ s.cancel()
+ if s.shimAddress != "" {
+@@ -921,12 +925,12 @@
+ }
+ log.L.Debugf("Stats success, id: %s: %+v", r.ID, data)
+ return &taskAPI.StatsResponse{
+- Stats: data,
++ Stats: protobuf.FromAny(data),
+ }, nil
+ }
+
+ // Update updates a running container.
+-func (s *service) Update(ctx context.Context, r *taskAPI.UpdateTaskRequest) (*types.Empty, error) {
++func (s *service) Update(ctx context.Context, r *taskAPI.UpdateTaskRequest) (*emptypb.Empty, error) {
+ return empty, errdefs.ToGRPC(errdefs.ErrNotImplemented)
+ }
+
+@@ -948,7 +952,7 @@
+
+ res := &taskAPI.WaitResponse{
+ ExitStatus: uint32(p.ExitStatus()),
+- ExitedAt: p.ExitedAt(),
++ ExitedAt: timestamppb.New(p.ExitedAt()),
+ }
+ log.L.Debugf("Wait succeeded, response: %+v", res)
+ return res, nil
+@@ -976,7 +980,7 @@
+ ID: p.ID(),
+ Pid: uint32(p.Pid()),
+ ExitStatus: uint32(e.Status),
+- ExitedAt: p.ExitedAt(),
++ ExitedAt: timestamppb.New(p.ExitedAt()),
+ }
+ return
+ }
diff --git a/pkg/shim/service_linux.go b/pkg/shim/service_linux.go
-index fb2f8b062..52c82ca90 100644
---- a/pkg/shim/service_linux.go
-+++ b/pkg/shim/service_linux.go
-@@ -33,7 +33,7 @@ type linuxPlatform struct {
+--- a/pkg/shim/service_linux.go (revision fbd632393665c6628221150b74ae50294d9a3695)
++++ b/pkg/shim/service_linux.go (date 1694133606275)
+@@ -33,7 +33,7 @@
epoller *console.Epoller
}
@@ -109,6 +302,76 @@
if p.epoller == nil {
return nil, fmt.Errorf("uninitialized epoller")
}
---
-2.41.0
+diff --git a/pkg/shim/proc/types.go b/pkg/shim/proc/types.go
+--- a/pkg/shim/proc/types.go (revision fbd632393665c6628221150b74ae50294d9a3695)
++++ b/pkg/shim/proc/types.go (date 1694133223472)
+@@ -18,8 +18,8 @@
+ import (
+ "time"
+- runc "github.com/containerd/go-runc"
+- "github.com/gogo/protobuf/types"
++ "github.com/containerd/go-runc"
++ "google.golang.org/protobuf/types/known/anypb"
+ )
+
+ // Mount holds filesystem mount configuration.
+@@ -49,7 +49,7 @@
+ Stdin string
+ Stdout string
+ Stderr string
+- Spec *types.Any
++ Spec *anypb.Any
+ }
+
+ // Exit is the type of exit events.
+diff --git a/pkg/shim/proc/exec.go b/pkg/shim/proc/exec.go
+--- a/pkg/shim/proc/exec.go (revision fbd632393665c6628221150b74ae50294d9a3695)
++++ b/pkg/shim/proc/exec.go (date 1694133514225)
+@@ -29,9 +29,10 @@
+ "github.com/containerd/containerd/log"
+ "github.com/containerd/containerd/pkg/stdio"
+ "github.com/containerd/fifo"
+- runc "github.com/containerd/go-runc"
+- specs "github.com/opencontainers/runtime-spec/specs-go"
++ "github.com/containerd/go-runc"
++ "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
++
+ "gvisor.dev/gvisor/pkg/cleanup"
+
+ "gvisor.dev/gvisor/pkg/shim/runsc"
+@@ -238,7 +239,7 @@
+ if err != nil {
+ return fmt.Errorf("failed to retrieve console master: %w", err)
+ }
+- if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {
++ if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.id, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {
+ return fmt.Errorf("failed to start console copy: %w", err)
+ }
+ } else if !e.stdio.IsNull() {
+diff --git a/pkg/shim/proc/init.go b/pkg/shim/proc/init.go
+--- a/pkg/shim/proc/init.go (revision fbd632393665c6628221150b74ae50294d9a3695)
++++ b/pkg/shim/proc/init.go (date 1694133514234)
+@@ -34,9 +34,10 @@
+ "github.com/containerd/containerd/pkg/stdio"
+
+ "github.com/containerd/fifo"
+- runc "github.com/containerd/go-runc"
+- specs "github.com/opencontainers/runtime-spec/specs-go"
++ "github.com/containerd/go-runc"
++ "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
++
+ "gvisor.dev/gvisor/pkg/shim/runsc"
+ "gvisor.dev/gvisor/pkg/shim/utils"
+ )
+@@ -155,7 +156,7 @@
+ if err != nil {
+ return fmt.Errorf("failed to retrieve console master: %w", err)
+ }
+- console, err = p.Platform.CopyConsole(ctx, console, r.Stdin, r.Stdout, r.Stderr, &p.wg)
++ console, err = p.Platform.CopyConsole(ctx, console, r.ID, r.Stdin, r.Stdout, r.Stderr, &p.wg)
+ if err != nil {
+ return fmt.Errorf("failed to start console copy: %w", err)
+ }
diff --git a/third_party/go/patches/k8s-drop-legacy-log-path.patch b/third_party/go/patches/k8s-drop-legacy-log-path.patch
index 6f37db7..1d7a28b 100644
--- a/third_party/go/patches/k8s-drop-legacy-log-path.patch
+++ b/third_party/go/patches/k8s-drop-legacy-log-path.patch
@@ -1,7 +1,7 @@
-From 6b4af308e9b420c146983ddb031fd80be0a15ec9 Mon Sep 17 00:00:00 2001
+From 93c9d8f8f44f2d3b67bdd51471b92dd108df3ca4 Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@monogon.tech>
Date: Wed, 16 Mar 2022 18:10:09 +0100
-Subject: [PATCH 3/5] Drop legacy log path
+Subject: [PATCH] Drop legacy log path
---
pkg/kubelet/kubelet.go | 7 ---
@@ -12,13 +12,13 @@
5 files changed, 115 deletions(-)
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
-index 01e9c49c6f1..895fa86fb7e 100644
+index e8918472ee8..f80bfc41240 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
-@@ -1326,13 +1326,6 @@ func (kl *Kubelet) initializeModules() error {
+@@ -1459,13 +1459,6 @@ func (kl *Kubelet) initializeModules() error {
return err
}
-
+
- // If the container logs directory does not exist, create it.
- if _, err := os.Stat(ContainerLogsDir); err != nil {
- if err := kl.os.MkdirAll(ContainerLogsDir, 0755); err != nil {
@@ -28,15 +28,15 @@
-
// Start the image manager.
kl.imageManager.Start()
-
+
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go
-index 680eab7a56e..52210adb35d 100644
+index 97abc229335..458333dafcb 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go
-@@ -255,25 +255,6 @@ func (m *kubeGenericRuntimeManager) startContainer(podSandboxID string, podSandb
+@@ -257,25 +257,6 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
}
m.recordContainerEvent(pod, container, containerID, v1.EventTypeNormal, events.StartedContainer, fmt.Sprintf("Started container %s", container.Name))
-
+
- // Symlink container logs to the legacy container log location for cluster logging
- // support.
- // TODO(random-liu): Remove this after cluster logging supports CRI container log path.
@@ -59,11 +59,11 @@
// Step 4: execute the post start hook.
if container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
kubeContainerID := kubecontainer.ContainerID{
-@@ -970,23 +951,6 @@ func (m *kubeGenericRuntimeManager) removeContainerLog(containerID string) error
+@@ -1217,23 +1198,6 @@ func (m *kubeGenericRuntimeManager) removeContainerLog(ctx context.Context, cont
return err
}
-
-- resp, err := m.runtimeService.ContainerStatus(containerID, false)
+
+- resp, err := m.runtimeService.ContainerStatus(ctx, containerID, false)
- if err != nil {
- return fmt.Errorf("failed to get container status %q: %v", containerID, err)
- }
@@ -82,20 +82,20 @@
- }
return nil
}
-
+
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_gc.go b/pkg/kubelet/kuberuntime/kuberuntime_gc.go
-index a72691bfcfc..a09dec91fbb 100644
+index 35a19704b95..6ac4883eab1 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_gc.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_gc.go
-@@ -18,7 +18,6 @@ package kuberuntime
-
+@@ -19,7 +19,6 @@ package kuberuntime
import (
+ "context"
"fmt"
- "os"
"path/filepath"
"sort"
"time"
-@@ -347,51 +346,6 @@ func (cgc *containerGC) evictPodLogsDirectories(allSourcesReady bool) error {
+@@ -346,51 +345,6 @@ func (cgc *containerGC) evictPodLogsDirectories(ctx context.Context, allSourcesR
}
}
}
@@ -106,7 +106,7 @@
- for _, logSymlink := range logSymlinks {
- if _, err := osInterface.Stat(logSymlink); os.IsNotExist(err) {
- if containerID, err := getContainerIDFromLegacyLogSymlink(logSymlink); err == nil {
-- resp, err := cgc.manager.runtimeService.ContainerStatus(containerID, false)
+- resp, err := cgc.manager.runtimeService.ContainerStatus(ctx, containerID, false)
- if err != nil {
- // TODO: we should handle container not found (i.e. container was deleted) case differently
- // once https://github.com/kubernetes/kubernetes/issues/63336 is resolved
@@ -146,9 +146,9 @@
- }
return nil
}
-
+
diff --git a/pkg/kubelet/runonce.go b/pkg/kubelet/runonce.go
-index 00f3022af5a..99d1c8b6a8d 100644
+index b11442ae902..10c783eb868 100644
--- a/pkg/kubelet/runonce.go
+++ b/pkg/kubelet/runonce.go
@@ -19,7 +19,6 @@ package kubelet
@@ -157,12 +157,12 @@
"fmt"
- "os"
"time"
-
+
v1 "k8s.io/api/core/v1"
-@@ -49,13 +48,6 @@ func (kl *Kubelet) RunOnce(updates <-chan kubetypes.PodUpdate) ([]RunPodResult,
+@@ -50,13 +49,6 @@ func (kl *Kubelet) RunOnce(updates <-chan kubetypes.PodUpdate) ([]RunPodResult,
return nil, err
}
-
+
- // If the container logs directory does not exist, create it.
- if _, err := os.Stat(ContainerLogsDir); err != nil {
- if err := kl.os.MkdirAll(ContainerLogsDir, 0755); err != nil {
@@ -174,7 +174,7 @@
case u := <-updates:
klog.InfoS("Processing manifest with pods", "numPods", len(u.Pods))
diff --git a/test/e2e_node/log_path_test.go b/test/e2e_node/log_path_test.go
-index cdbc2b6d8ae..3535a81822f 100644
+index 68f2cf544aa..f5493d7f88e 100644
--- a/test/e2e_node/log_path_test.go
+++ b/test/e2e_node/log_path_test.go
@@ -22,8 +22,6 @@ import (
@@ -187,15 +187,15 @@
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
admissionapi "k8s.io/pod-security-admission/api"
@@ -122,22 +120,6 @@ var _ = SIGDescribe("ContainerLogPath [NodeConformance]", func() {
- err := createAndWaitPod(makeLogPod(logPodName, logString))
+ err := createAndWaitPod(ctx, makeLogPod(logPodName, logString))
framework.ExpectNoError(err, "Failed waiting for pod: %s to enter success state", logPodName)
})
-- ginkgo.It("should print log to correct log path", func() {
+- ginkgo.It("should print log to correct log path", func(ctx context.Context) {
-
- logDir := kubelet.ContainerLogsDir
-
- // get containerID from created Pod
-- createdLogPod, err := podClient.Get(context.TODO(), logPodName, metav1.GetOptions{})
+- createdLogPod, err := podClient.Get(ctx, logPodName, metav1.GetOptions{})
- logContainerID := kubecontainer.ParseContainerID(createdLogPod.Status.ContainerStatuses[0].ContainerID)
- framework.ExpectNoError(err, "Failed to get pod: %s", logPodName)
-
@@ -203,12 +203,12 @@
- expectedlogFile := logDir + "/" + logPodName + "_" + f.Namespace.Name + "_" + logContainerName + "-" + logContainerID.ID + ".log"
-
- logCheckPodName := "log-check-" + string(uuid.NewUUID())
-- err = createAndWaitPod(makeLogCheckPod(logCheckPodName, logString, expectedlogFile))
+- err = createAndWaitPod(ctx, makeLogCheckPod(logCheckPodName, logString, expectedlogFile))
- framework.ExpectNoError(err, "Failed waiting for pod: %s to enter success state", logCheckPodName)
- })
-
- ginkgo.It("should print log to correct cri log path", func() {
-
---
-2.25.1
+
+ ginkgo.It("should print log to correct cri log path", func(ctx context.Context) {
+
+--
+2.41.0
diff --git a/third_party/go/patches/k8s-fix-logs-path.patch b/third_party/go/patches/k8s-fix-logs-path.patch
index 8b37544..ff95706 100644
--- a/third_party/go/patches/k8s-fix-logs-path.patch
+++ b/third_party/go/patches/k8s-fix-logs-path.patch
@@ -13,7 +13,7 @@
limitations under the License.
-From 9b6bdecfd07d026eae2c1b62cc8b7b06d14292ee Mon Sep 17 00:00:00 2001
+From b395122005928737cd78a2b46f15c1731f82bc9e Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@brun.one>
Date: Mon, 25 Jan 2021 17:20:51 +0100
Subject: [PATCH] Change hardcoded pod logs root dir
@@ -23,10 +23,10 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
-index eebba49bbbe..c24b3133bcc 100644
+index 49add764798..fef6591a5ba 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
-@@ -57,7 +57,7 @@ const (
+@@ -70,7 +70,7 @@ const (
// The api version of kubelet runtime api
kubeRuntimeAPIVersion = "0.1.0"
// The root directory for pod logs
@@ -34,7 +34,7 @@
+ podLogsRootDirectory = "/data/kubelet/logs"
// A minimal shutdown window for avoiding unnecessary SIGKILLs
minimumGracePeriodInSeconds = 2
-
---
-2.25.1
+
+--
+2.41.0
diff --git a/third_party/go/patches/k8s-jose-semver-fix.patch b/third_party/go/patches/k8s-jose-semver-fix.patch
deleted file mode 100644
index 5219c0c..0000000
--- a/third_party/go/patches/k8s-jose-semver-fix.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 322bdb419f24764af677762536064b1944bf67df Mon Sep 17 00:00:00 2001
-From: Lorenz Brun <lorenz@monogon.tech>
-Date: Thu, 17 Mar 2022 16:56:29 +0100
-Subject: [PATCH 4/4] Fix for semver breakage in go-jose
-
----
- pkg/serviceaccount/claims.go | 4 +--
- pkg/serviceaccount/claims_test.go | 40 +++++++++++-----------
- test/integration/auth/svcaccttoken_test.go | 6 ++--
- 3 files changed, 25 insertions(+), 25 deletions(-)
-
-diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go
-index 1e1475c779f..06620f7a420 100644
---- a/pkg/serviceaccount/claims.go
-+++ b/pkg/serviceaccount/claims.go
-@@ -50,7 +50,7 @@ type kubernetes struct {
- Svcacct ref `json:"serviceaccount,omitempty"`
- Pod *ref `json:"pod,omitempty"`
- Secret *ref `json:"secret,omitempty"`
-- WarnAfter jwt.NumericDate `json:"warnafter,omitempty"`
-+ WarnAfter *jwt.NumericDate `json:"warnafter,omitempty"`
- }
-
- type ref struct {
-@@ -198,7 +198,7 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
-
- // Check special 'warnafter' field for projected service account token transition.
- warnafter := private.Kubernetes.WarnAfter
-- if warnafter != 0 {
-+ if warnafter != nil {
- if nowTime.After(warnafter.Time()) {
- secondsAfterWarn := nowTime.Unix() - warnafter.Time().Unix()
- auditInfo := fmt.Sprintf("subject: %s, seconds after warning threshold: %d", public.Subject, secondsAfterWarn)
-diff --git a/pkg/serviceaccount/claims_test.go b/pkg/serviceaccount/claims_test.go
-index 2e968f60335..a0b5a595c2f 100644
---- a/pkg/serviceaccount/claims_test.go
-+++ b/pkg/serviceaccount/claims_test.go
-@@ -85,9 +85,9 @@ func TestClaims(t *testing.T) {
-
- sc: &jwt.Claims{
- Subject: "system:serviceaccount:myns:mysvcacct",
-- IssuedAt: jwt.NumericDate(1514764800),
-- NotBefore: jwt.NumericDate(1514764800),
-- Expiry: jwt.NumericDate(1514764800),
-+ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ Expiry: jwt.NewNumericDate(time.Unix(1514764800, 0)),
- },
- pc: &privateClaims{
- Kubernetes: kubernetes{
-@@ -107,9 +107,9 @@ func TestClaims(t *testing.T) {
-
- sc: &jwt.Claims{
- Subject: "system:serviceaccount:myns:mysvcacct",
-- IssuedAt: jwt.NumericDate(1514764800),
-- NotBefore: jwt.NumericDate(1514764800),
-- Expiry: jwt.NumericDate(1514764800 + 100),
-+ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
- },
- pc: &privateClaims{
- Kubernetes: kubernetes{
-@@ -130,9 +130,9 @@ func TestClaims(t *testing.T) {
- sc: &jwt.Claims{
- Subject: "system:serviceaccount:myns:mysvcacct",
- Audience: []string{"1"},
-- IssuedAt: jwt.NumericDate(1514764800),
-- NotBefore: jwt.NumericDate(1514764800),
-- Expiry: jwt.NumericDate(1514764800 + 100),
-+ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
- },
- pc: &privateClaims{
- Kubernetes: kubernetes{
-@@ -152,9 +152,9 @@ func TestClaims(t *testing.T) {
- sc: &jwt.Claims{
- Subject: "system:serviceaccount:myns:mysvcacct",
- Audience: []string{"1", "2"},
-- IssuedAt: jwt.NumericDate(1514764800),
-- NotBefore: jwt.NumericDate(1514764800),
-- Expiry: jwt.NumericDate(1514764800 + 100),
-+ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
- },
- pc: &privateClaims{
- Kubernetes: kubernetes{
-@@ -175,16 +175,16 @@ func TestClaims(t *testing.T) {
-
- sc: &jwt.Claims{
- Subject: "system:serviceaccount:myns:mysvcacct",
-- IssuedAt: jwt.NumericDate(1514764800),
-- NotBefore: jwt.NumericDate(1514764800),
-- Expiry: jwt.NumericDate(1514764800 + 60*60*24),
-+ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
-+ Expiry: jwt.NewNumericDate(time.Unix(1514764800+60*60*24, 0)),
- },
- pc: &privateClaims{
- Kubernetes: kubernetes{
- Namespace: "myns",
- Svcacct: ref{Name: "mysvcacct", UID: "mysvcacct-uid"},
- Pod: &ref{Name: "mypod", UID: "mypod-uid"},
-- WarnAfter: jwt.NumericDate(1514764800 + 60*60),
-+ WarnAfter: jwt.NewNumericDate(time.Unix(1514764800+60*60, 0)),
- },
- },
- },
-@@ -223,8 +223,8 @@ type claimTestCase struct {
- name string
- getter ServiceAccountTokenGetter
- private *privateClaims
-- expiry jwt.NumericDate
-- notBefore jwt.NumericDate
-+ expiry *jwt.NumericDate
-+ notBefore *jwt.NumericDate
- expectErr string
- }
-
-@@ -365,8 +365,8 @@ func TestValidatePrivateClaims(t *testing.T) {
- for _, tc := range testcases {
- t.Run(tc.name, func(t *testing.T) {
- v := &validator{tc.getter}
-- expiry := jwt.NumericDate(nowUnix)
-- if tc.expiry != 0 {
-+ expiry := jwt.NewNumericDate(time.Unix(nowUnix, 0))
-+ if tc.expiry != nil {
- expiry = tc.expiry
- }
- _, err := v.Validate(context.Background(), "", &jwt.Claims{Expiry: expiry, NotBefore: tc.notBefore}, tc.private)
-diff --git a/test/integration/auth/svcaccttoken_test.go b/test/integration/auth/svcaccttoken_test.go
-index c02511b43b2..89fb66ee44e 100644
---- a/test/integration/auth/svcaccttoken_test.go
-+++ b/test/integration/auth/svcaccttoken_test.go
-@@ -482,16 +482,16 @@ func TestServiceAccountTokenCreate(t *testing.T) {
- t.Fatalf("error parsing warnafter: %v", err)
- }
-
-- if exp < int64(actualExpiry)-leeway || exp > int64(actualExpiry)+leeway {
-+ if exp < int64(*actualExpiry)-leeway || exp > int64(*actualExpiry)+leeway {
- t.Errorf("unexpected token exp %d, should within range of %d +- %d seconds", exp, actualExpiry, leeway)
- }
-- if warnafter < int64(assumedExpiry)-leeway || warnafter > int64(assumedExpiry)+leeway {
-+ if warnafter < int64(*assumedExpiry)-leeway || warnafter > int64(*assumedExpiry)+leeway {
- t.Errorf("unexpected token warnafter %d, should within range of %d +- %d seconds", warnafter, assumedExpiry, leeway)
- }
-
- checkExpiration(t, treq, requestExp)
- expStatus := treq.Status.ExpirationTimestamp.Time.Unix()
-- if expStatus < int64(assumedExpiry)-leeway || warnafter > int64(assumedExpiry)+leeway {
-+ if expStatus < int64(*assumedExpiry)-leeway || warnafter > int64(*assumedExpiry)+leeway {
- t.Errorf("unexpected expiration returned in tokenrequest status %d, should within range of %d +- %d seconds", expStatus, assumedExpiry, leeway)
- }
- })
---
-2.25.1
-
diff --git a/third_party/go/patches/k8s-native-metrics.patch b/third_party/go/patches/k8s-native-metrics.patch
index 9a96db2..5df5bf9 100644
--- a/third_party/go/patches/k8s-native-metrics.patch
+++ b/third_party/go/patches/k8s-native-metrics.patch
@@ -1,7 +1,7 @@
-From 9f2b5274f50a7e4d5ae096e549c0c16addcc447b Mon Sep 17 00:00:00 2001
-From: Lorenz Brun <lorenz@brun.one>
-Date: Tue, 17 Mar 2020 21:41:08 +0100
-Subject: [PATCH 2/5] Add a native volume metrics implementation
+From 2c0e2b40f6caaa432443e3037dd106ccf4f4b4e2 Mon Sep 17 00:00:00 2001
+From: Tim Windelschmidt <tim@monogon.tech>
+Date: Sat, 9 Sep 2023 14:14:48 +0200
+Subject: [PATCH 1/6] Add a native volume metrics implementation
---
pkg/volume/metrics_native.go | 101 +++++++++++++++++++++++++++++
@@ -225,6 +225,6 @@
+ t.Errorf("Expected error when calling GetMetrics on incorrectly initialized MetricsNative, actual nil")
+ }
+}
---
-2.25.1
+--
+2.41.0
diff --git a/third_party/go/patches/k8s-native-mounter.patch b/third_party/go/patches/k8s-native-mounter.patch
index c8750f5..2965f5e 100644
--- a/third_party/go/patches/k8s-native-mounter.patch
+++ b/third_party/go/patches/k8s-native-mounter.patch
@@ -1,58 +1,55 @@
-From 03ed5e89372babca7f1061bef466f8bf7fdee62c Mon Sep 17 00:00:00 2001
+From d56a2d05e536534730660813c182055bb705b22a Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@brun.one>
-Date: Mon, 16 Mar 2020 22:13:08 +0100
-Subject: [PATCH 1/5] Provide native mounter implementation for Linux
+Date: Tue, 17 Mar 2020 21:41:08 +0100
+Subject: [PATCH] Provide native mounter implementation for Linux
---
- mount_linux.go | 148 +++++++++++++++++-
- 1 file changed, 144 insertions(+), 4 deletions(-)
+ mount_linux.go | 141 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 141 insertions(+)
diff --git a/mount_linux.go b/mount_linux.go
-index aaa592161d4..517bf0b2541 100644
+index 7d18072..5e4a79e 100644
--- a/mount_linux.go
+++ b/mount_linux.go
-@@ -22,6 +22,7 @@ package mount
- import (
- "context"
- "fmt"
-+ "io/ioutil"
- "os"
- "os/exec"
- "path/filepath"
-@@ -30,6 +31,7 @@ import (
- "syscall"
- "time"
-
+@@ -34,6 +34,7 @@ import (
+
+ "github.com/moby/sys/mountinfo"
+
+ "golang.org/x/sys/unix"
"k8s.io/klog/v2"
utilexec "k8s.io/utils/exec"
- utilio "k8s.io/utils/io"
-@@ -54,8 +56,10 @@ const (
- // for the linux platform. This implementation assumes that the
- // kubelet is running in the host's root mount namespace.
- type Mounter struct {
-- mounterPath string
-- withSystemd bool
-+ mounterPath string
-+ withSystemd bool
-+ withLinuxUtils bool
-+ nativeSupportedFstypes map[string]struct{}
+ )
+@@ -63,6 +64,8 @@ type Mounter struct {
+ withSystemd *bool
+ trySystemd bool
+ withSafeNotMountedBehavior bool
++ withLinuxUtils bool
++ nativeSupportedFstypes map[string]struct{}
}
-
+
var _ MounterForceUnmounter = &Mounter{}
-@@ -65,11 +69,36 @@ var _ MounterForceUnmounter = &Mounter{}
- // mounterPath allows using an alternative to `/bin/mount` for mounting.
- func New(mounterPath string) Interface {
- return &Mounter{
-- mounterPath: mounterPath,
-- withSystemd: detectSystemd(),
-+ mounterPath: mounterPath,
-+ withSystemd: detectSystemd(),
-+ withLinuxUtils: detectLinuxUtils(),
-+ nativeSupportedFstypes: detectNativeSupportedFstypes(),
+@@ -75,6 +78,8 @@ func New(mounterPath string) Interface {
+ mounterPath: mounterPath,
+ trySystemd: true,
+ withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
++ withLinuxUtils: detectLinuxUtils(),
++ nativeSupportedFstypes: detectNativeSupportedFstypes(),
}
}
-
+
+@@ -87,6 +92,8 @@ func NewWithoutSystemd(mounterPath string) Interface {
+ mounterPath: mounterPath,
+ trySystemd: false,
+ withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
++ withLinuxUtils: detectLinuxUtils(),
++ nativeSupportedFstypes: detectNativeSupportedFstypes(),
+ }
+ }
+
+@@ -105,6 +112,29 @@ func (mounter *Mounter) hasSystemd() bool {
+ return *mounter.withSystemd
+ }
+
+func (mounter *Mounter) mountNative(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
+ flags, pflags, fsoptions := parseMountOptions(options)
+ if len(pflags) > 0 {
@@ -79,7 +76,7 @@
// Mount mounts source to target as fstype with given options. 'source' and 'fstype' must
// be an empty string in case it's not required, e.g. for remount, or for auto filesystem
// type, where kernel handles fstype for you. The mount 'options' is a list of options,
-@@ -85,6 +114,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
+@@ -120,6 +150,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
// method should be used by callers that pass sensitive material (like
// passwords) as mount options.
func (mounter *Mounter) MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
@@ -90,8 +87,8 @@
// Path to mounter binary if containerized mounter is needed. Otherwise, it is set to empty.
// All Linux distros are expected to be shipped with a mount utility that a support bind mounts.
mounterPath := ""
-@@ -116,6 +149,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
-
+@@ -151,6 +185,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+
// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ if !mounter.withLinuxUtils {
@@ -100,10 +97,10 @@
mounterPath := ""
bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
if bind {
-@@ -138,6 +174,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
+@@ -173,6 +210,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
}
-
+
+// nativeSupportsFstype checks if the native mounter can mount the given fstype
+func (mounter *Mounter) nativeSupportsFstype(fstype string) bool {
+ _, ok := mounter.nativeSupportedFstypes[fstype]
@@ -181,10 +178,10 @@
// doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
// sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
// systemdMountRequired is an extension of option to decide whether uses systemd mount.
-@@ -223,6 +333,30 @@ func detectSystemd() bool {
- return true
+@@ -288,6 +399,30 @@ func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool {
+ return false
}
-
+
+// detectLinuxUtils detects if the host operating system has the mount and unmount commands present
+func detectLinuxUtils() bool {
+ _, err := exec.LookPath("mount")
@@ -193,7 +190,7 @@
+
+func detectNativeSupportedFstypes() map[string]struct{} {
+ nativeSupportedFstypes := make(map[string]struct{})
-+ filesystemsRaw, err := ioutil.ReadFile("/proc/filesystems")
++ filesystemsRaw, err := os.ReadFile("/proc/filesystems")
+ if err != nil {
+ return nativeSupportedFstypes
+ }
@@ -212,8 +209,8 @@
// MakeMountArgs makes the arguments to the mount(8) command.
// options MUST not contain sensitive material (like passwords).
func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
-@@ -292,6 +426,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
- // Unmount unmounts the target.
+@@ -358,6 +493,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
+ // If the mounter has safe "not mounted" behavior, no error will be returned when the target is not a mount point.
func (mounter *Mounter) Unmount(target string) error {
klog.V(4).Infof("Unmounting %s", target)
+ if !mounter.withLinuxUtils {
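Review bot: The new context line above `Unmount` documents that with safe "not mounted" behavior no error is returned when the target is not a mount point, but the native branch inserted right after the log line (`if !mounter.withLinuxUtils {`, body outside this hunk) predates that contract and there is no visible sign it consults `withSafeNotMountedBehavior`. Callers in the rebased tree may now rely on that guarantee, so the native branch should be checked to return nil for a non-mountpoint target when `withSafeNotMountedBehavior` is set, or the doc comment should state that the native path is exempt. Suggested comment on the native branch: `// NOTE: native unmount must honor withSafeNotMountedBehavior like the umount(8) path below — confirm`. The rest of `Unmount` continues outside the hunk.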
@@ -225,6 +222,6 @@
command := exec.Command("umount", target)
output, err := command.CombinedOutput()
if err != nil {
---
-2.25.1
+--
+2.41.0
diff --git a/third_party/go/patches/k8s-removed-block-device-pseudo-locks.patch b/third_party/go/patches/k8s-removed-block-device-pseudo-locks.patch
index 40a9ac6..8ae3140 100644
--- a/third_party/go/patches/k8s-removed-block-device-pseudo-locks.patch
+++ b/third_party/go/patches/k8s-removed-block-device-pseudo-locks.patch
@@ -13,7 +13,7 @@
limitations under the License.
-From f0c9fc613c15e30453295beb25bf73763a4a82df Mon Sep 17 00:00:00 2001
+From 83fe2858cbdff277e416f0ea50366811c81e2382 Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@brun.one>
Date: Mon, 29 Mar 2021 13:56:06 +0200
Subject: [PATCH] Removed questionable block device pseudo-locks
@@ -33,10 +33,10 @@
1 file changed, 18 deletions(-)
diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
-index 367e05a0d1a..f53f1dcbb4e 100644
+index 601dc646013..5dfdd1ecb02 100644
--- a/pkg/volume/util/util.go
+++ b/pkg/volume/util/util.go
-@@ -527,17 +527,6 @@ func MapBlockVolume(
+@@ -511,17 +511,6 @@ func MapBlockVolume(
return fmt.Errorf("blkUtil.MapDevice failed. devicePath: %s, podVolumeMapPath:%s, volumeMapName: %s, bindMount: %v: %v",
devicePath, podVolumeMapPath, volumeMapName, false, mapErr)
}
@@ -53,8 +53,8 @@
-
return nil
}
-
-@@ -551,13 +540,6 @@ func UnmapBlockVolume(
+
+@@ -535,13 +524,6 @@ func UnmapBlockVolume(
volumeMapName string,
podUID utypes.UID,
) error {
@@ -68,6 +68,6 @@
// unmap devicePath from pod volume path
unmapDeviceErr := blkUtil.UnmapDevice(podDeviceUnmapPath, volumeMapName, false /* bindMount */)
if unmapDeviceErr != nil {
---
-2.25.1
+--
+2.41.0
diff --git a/third_party/go/patches/k8s-reserve-metropolis-ports.patch b/third_party/go/patches/k8s-reserve-metropolis-ports.patch
index 1756d7b..89cff48 100644
--- a/third_party/go/patches/k8s-reserve-metropolis-ports.patch
+++ b/third_party/go/patches/k8s-reserve-metropolis-ports.patch
@@ -1,8 +1,18 @@
+From b10b2922f0b4fb114b6b535df1ba9fca583c6cf2 Mon Sep 17 00:00:00 2001
+From: Tim Windelschmidt <tim@monogon.tech>
+Date: Sat, 9 Sep 2023 14:22:59 +0200
+Subject: [PATCH 6/6] reserve metropolis system ports
+
+---
+ .../service/portallocator/controller/repair.go | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
diff --git a/pkg/registry/core/service/portallocator/controller/repair.go b/pkg/registry/core/service/portallocator/controller/repair.go
---- a/pkg/registry/core/service/portallocator/controller/repair.go (revision f66044f4361b9f1f96f0053dd46cb7dce5e990a8)
-+++ b/pkg/registry/core/service/portallocator/controller/repair.go (revision bdd789d982712179c6a849ceed7f12e063b3fce3)
-@@ -21,6 +21,8 @@
- "fmt"
+index fa870760490..0f67fe7eb9b 100644
+--- a/pkg/registry/core/service/portallocator/controller/repair.go
++++ b/pkg/registry/core/service/portallocator/controller/repair.go
+@@ -22,6 +22,8 @@ import (
+ "sync"
"time"
+ "source.monogon.dev/metropolis/node"
@@ -10,7 +20,7 @@
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-@@ -123,6 +126,18 @@
+@@ -133,6 +136,18 @@ func (c *Repair) doRunOnce() error {
return fmt.Errorf("unable to refresh the port block: %v", err)
}
@@ -28,4 +38,7 @@
+
rebuilt, err := portallocator.NewInMemory(c.portRange)
if err != nil {
- return fmt.Errorf("unable to create port allocator: %v", err)
\ No newline at end of file
+ return fmt.Errorf("unable to create port allocator: %v", err)
+--
+2.41.0
+
diff --git a/third_party/go/patches/kubectl-fix-embed.patch b/third_party/go/patches/kubectl-fix-embed.patch
new file mode 100644
index 0000000..8fc2826
--- /dev/null
+++ b/third_party/go/patches/kubectl-fix-embed.patch
@@ -0,0 +1,27 @@
+--- a/pkg/explain/v2/BUILD.bazel
++++ b/pkg/explain/v2/BUILD.bazel
+@@ -8,6 +8,9 @@
+ "generator.go",
+ "template.go",
+ ],
++ embedsrcs = [
++ "//pkg/explain/v2/templates:files",
++ ],
+ importpath = "k8s.io/kubectl/pkg/explain/v2",
+ importpath_aliases = ["k8s.io/kubectl/pkg/explain"],
+ visibility = ["//visibility:public"],
+
+--- a/pkg/explain/v2/templates/BUILD.bazel
++++ b/pkg/explain/v2/templates/BUILD.bazel
+@@ -17,4 +17,10 @@
+ "@io_k8s_kube_openapi//pkg/spec3",
+ "@io_k8s_kube_openapi//pkg/validation/spec",
+ ],
++)
++
++filegroup(
++ name = "files",
++ srcs = glob(["*.tmpl"]),
++ visibility = ["//visibility:public"],
+ )
+\ No newline at end of file
\ No newline at end of file
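Review bot: The new kubectl-fix-embed.patch has no `From`/`Subject`/description header, unlike every sibling patch in third_party/go/patches, so the reason for adding `embedsrcs` and the `files` filegroup is not recorded anywhere; presumably it makes a `//go:embed` of the `*.tmpl` templates resolve under Bazel, but that is inferred. A short header such as `Subject: [PATCH] Declare embedsrcs for pkg/explain/v2 templates` plus one sentence on why the upstream BUILD files lack it would make the patch maintainable at the next Kubernetes bump. The file is also written without a trailing newline (the outer diff's "No newline at end of file" marker), which the other patches do not do.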
diff --git a/third_party/go/patches/nfproxy-adopt-to-k8s-1.24.patch b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
similarity index 72%
rename from third_party/go/patches/nfproxy-adopt-to-k8s-1.24.patch
rename to third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
index 9872e8b..388a970 100644
--- a/third_party/go/patches/nfproxy-adopt-to-k8s-1.24.patch
+++ b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
@@ -1,16 +1,41 @@
-From 243792d1686cba86669bda9bc2c905cb9cd73a0c Mon Sep 17 00:00:00 2001
+From bb611be1b10448316ba21defeede6bec3217febc Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@monogon.tech>
-Date: Wed, 4 May 2022 18:37:45 +0200
-Subject: [PATCH] Adopt to renamed function in K8s 1.24
+Date: Tue, 14 Nov 2023 13:49:46 +0100
+Subject: [PATCH 1/2] Adapt to K8s 1.28
---
- pkg/proxy/service.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ cmd/nfproxy.go | 6 +++---
+ pkg/controller/controller_endpointslice.go | 6 +++---
+ pkg/proxy/cache.go | 2 +-
+ pkg/proxy/proxy.go | 2 +-
+ pkg/proxy/proxy_endpointslice.go | 2 +-
+ pkg/proxy/service.go | 4 ++--
+ pkg/proxy/tools.go | 2 +-
+ 7 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/cmd/nfproxy.go b/cmd/nfproxy.go
index 66972ab..83d8b01 100644
--- a/cmd/nfproxy.go
+++ b/cmd/nfproxy.go
+@@ -44,8 +44,8 @@ import (
+ "k8s.io/client-go/kubernetes/scheme"
+ "k8s.io/client-go/tools/record"
+ "k8s.io/component-base/logs"
++ nodeutil "k8s.io/component-helpers/node/util"
+ "k8s.io/klog"
+- utilnode "k8s.io/kubernetes/pkg/util/node"
+ )
+
+ var (
+@@ -111,7 +111,7 @@ func main() {
+ }
+
+ // Create event recorder
+- hostname, err := utilnode.GetHostname("")
++ hostname, err := nodeutil.GetHostname("")
+ if err != nil {
+ klog.Errorf("nfproxy failed to get local host name with error: %+v", err)
+ os.Exit(1)
@@ -169,7 +169,7 @@ func main() {
// instantiate EndpointSlice controller, otherwise Endpoints controller will be used.
var ep epController
@@ -97,6 +122,15 @@
onlyNodeLocalEndpoints = true
}
var stickyMaxAgeSeconds int
+@@ -175,7 +175,7 @@ func newBaseServiceInfo(port *v1.ServicePort, service *v1.Service) *BaseServiceI
+ // topologyKeys: service.Spec.TopologyKeys,
+ svcnft: &nftables.SVCnft{},
+ }
+- if service.Spec.IPFamilies != nil {
++ if len(service.Spec.IPFamilies) > 0 {
+ info.ipFamilies = service.Spec.IPFamilies
+ } else {
+ info.ipFamilies = make([]v1.IPFamily, 1)
diff --git a/pkg/proxy/tools.go b/pkg/proxy/tools.go
index 06c4ae3..3f7f0b9 100644
--- a/pkg/proxy/tools.go
@@ -111,5 +145,5 @@
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
--
-2.25.1
+2.40.1