treewide: k8s 1.28 and lots related updates

First, this contains a bunch of dependency updates. Important ones in no
particular order:
Kubernetes 1.24.2 -> 1.28.8
etcd 3.5.4 -> 3.5.13
Protobuf 1.32.0 -> 1.33.0
OpenTelemetry 0.20.0 -> 1.20.0
containerd 1.6.6 -> 1.7.15
CoreDNS 1.9.2 -> 1.11.1

With Kubernetes 1.25 PodSecurityPolicies are removed; this replaces them
with a static PodSecurity admission configuration which behaves the same
or is slightly more permissive in most ways. The only known exceptions are
that NET_RAW is no longer an allowed capability and non-standard SELinux
labels are no longer permitted (but these never did anything anyways).
The RBAC policies are intentionally not removed yet as we do not yet
have the capability to actually update these, so they will be removed
when that is available (#288); until then they will stay in place but
do nothing.

With the containerd upgrade the deprecated option for ignoring
preseeded/pinned images for garbage collection in Kubelet can be
removed.

This change also contains some drive-by fixes to the controller-manager,
like passing the Service IP net and disabling cloud-related control
loops which generate spurious warnings if enabled.

The containerd tracing patch is removed as we can now use OTel v1, thus
that patch is no longer necessary.

An actual upgrade test will be part of a future CL as this one is
already quite large and it works stand-alone.

Co-authored-by: Tim Windelschmidt <tim@monogon.tech>
Change-Id: I8e5f51e6e6240a1b67590458b2f1c24d58c8e91e
Reviewed-on: https://review.monogon.dev/c/monogon/+/2315
Tested-by: Jenkins CI
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
diff --git a/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
new file mode 100644
index 0000000..388a970
--- /dev/null
+++ b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
@@ -0,0 +1,149 @@
+From bb611be1b10448316ba21defeede6bec3217febc Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@monogon.tech>
+Date: Tue, 14 Nov 2023 13:49:46 +0100
+Subject: [PATCH 1/2] Adapt to K8s 1.28
+
+---
+ cmd/nfproxy.go                             | 6 +++---
+ pkg/controller/controller_endpointslice.go | 6 +++---
+ pkg/proxy/cache.go                         | 2 +-
+ pkg/proxy/proxy.go                         | 2 +-
+ pkg/proxy/proxy_endpointslice.go           | 2 +-
+ pkg/proxy/service.go                       | 4 ++--
+ pkg/proxy/tools.go                         | 2 +-
+ 7 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/cmd/nfproxy.go b/cmd/nfproxy.go
+index 66972ab..83d8b01 100644
+--- a/cmd/nfproxy.go
++++ b/cmd/nfproxy.go
+@@ -44,8 +44,8 @@ import (
+ 	"k8s.io/client-go/kubernetes/scheme"
+ 	"k8s.io/client-go/tools/record"
+ 	"k8s.io/component-base/logs"
++	nodeutil "k8s.io/component-helpers/node/util"
+ 	"k8s.io/klog"
+-	utilnode "k8s.io/kubernetes/pkg/util/node"
+ )
+ 
+ var (
+@@ -111,7 +111,7 @@ func main() {
+ 	}
+ 
+ 	// Create event recorder
+-	hostname, err := utilnode.GetHostname("")
++	hostname, err := nodeutil.GetHostname("")
+ 	if err != nil {
+ 		klog.Errorf("nfproxy failed to get local host name with error: %+v", err)
+ 		os.Exit(1)
+@@ -169,7 +169,7 @@ func main() {
+ 	// instantiate EndpointSlice controller, otherwise Endpoints controller will be used.
+ 	var ep epController
+ 	if endpointSlice {
+-		ep = controller.NewEndpointSliceController(nfproxy, client, kubeInformerFactory.Discovery().V1beta1().EndpointSlices())
++		ep = controller.NewEndpointSliceController(nfproxy, client, kubeInformerFactory.Discovery().V1().EndpointSlices())
+ 	} else {
+ 		ep = controller.NewEndpointsController(nfproxy, client, kubeInformerFactory.Core().V1().Endpoints())
+ 	}
+diff --git a/pkg/controller/controller_endpointslice.go b/pkg/controller/controller_endpointslice.go
+index ef97ef5..d060a4d 100644
+--- a/pkg/controller/controller_endpointslice.go
++++ b/pkg/controller/controller_endpointslice.go
+@@ -20,9 +20,9 @@ import (
+ 	"fmt"
+ 
+ 	v1 "k8s.io/api/core/v1"
+-	discovery "k8s.io/api/discovery/v1beta1"
++	discovery "k8s.io/api/discovery/v1"
+ 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+-	"k8s.io/client-go/informers/discovery/v1beta1"
++	discoveryv1 "k8s.io/client-go/informers/discovery/v1"
+ 	"k8s.io/client-go/kubernetes"
+ 	"k8s.io/client-go/kubernetes/scheme"
+ 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+@@ -119,7 +119,7 @@ func (c *endpointSliceController) Start(stopCh <-chan struct{}) error {
+ func NewEndpointSliceController(
+ 	proxy proxy.Proxy,
+ 	kubeClientset kubernetes.Interface,
+-	epSliceInformer v1beta1.EndpointSliceInformer) EndpointSliceController {
++	epSliceInformer discoveryv1.EndpointSliceInformer) EndpointSliceController {
+ 
+ 	klog.V(4).Info("Creating event broadcaster for EndpointSlice controller")
+ 	eventBroadcaster := record.NewBroadcaster()
+diff --git a/pkg/proxy/cache.go b/pkg/proxy/cache.go
+index 92d06ca..7ef0e6f 100644
+--- a/pkg/proxy/cache.go
++++ b/pkg/proxy/cache.go
+@@ -21,7 +21,7 @@ import (
+ 	"sync"
+ 
+ 	v1 "k8s.io/api/core/v1"
+-	discovery "k8s.io/api/discovery/v1beta1"
++	discovery "k8s.io/api/discovery/v1"
+ 	"k8s.io/apimachinery/pkg/types"
+ 	"k8s.io/klog"
+ )
+diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
+index 7839820..5876784 100644
+--- a/pkg/proxy/proxy.go
++++ b/pkg/proxy/proxy.go
+@@ -22,7 +22,7 @@ import (
+ 	utilnftables "github.com/google/nftables"
+ 	"github.com/sbezverk/nfproxy/pkg/nftables"
+ 	v1 "k8s.io/api/core/v1"
+-	discovery "k8s.io/api/discovery/v1beta1"
++	discovery "k8s.io/api/discovery/v1"
+ 	"k8s.io/apimachinery/pkg/types"
+ 	"k8s.io/client-go/tools/record"
+ 	"k8s.io/klog"
+diff --git a/pkg/proxy/proxy_endpointslice.go b/pkg/proxy/proxy_endpointslice.go
+index 5310ed3..5c97096 100644
+--- a/pkg/proxy/proxy_endpointslice.go
++++ b/pkg/proxy/proxy_endpointslice.go
+@@ -21,7 +21,7 @@ import (
+ 	"time"
+ 
+ 	v1 "k8s.io/api/core/v1"
+-	discovery "k8s.io/api/discovery/v1beta1"
++	discovery "k8s.io/api/discovery/v1"
+ 	"k8s.io/klog"
+ )
+ 
+diff --git a/pkg/proxy/service.go b/pkg/proxy/service.go
+index 9cc10b7..6e91fae 100644
+--- a/pkg/proxy/service.go
++++ b/pkg/proxy/service.go
+@@ -152,7 +152,7 @@ func newServiceInfo(port *v1.ServicePort, service *v1.Service, baseInfo *BaseSer
+ 
+ func newBaseServiceInfo(port *v1.ServicePort, service *v1.Service) *BaseServiceInfo {
+ 	onlyNodeLocalEndpoints := false
+-	if apiservice.RequestsOnlyLocalTraffic(service) {
++	if apiservice.ExternalPolicyLocal(service) {
+ 		onlyNodeLocalEndpoints = true
+ 	}
+ 	var stickyMaxAgeSeconds int
+@@ -175,7 +175,7 @@ func newBaseServiceInfo(port *v1.ServicePort, service *v1.Service) *BaseServiceI
+ 		//		topologyKeys:           service.Spec.TopologyKeys,
+ 		svcnft: &nftables.SVCnft{},
+ 	}
+-	if service.Spec.IPFamilies != nil {
++	if len(service.Spec.IPFamilies) > 0 {
+ 		info.ipFamilies = service.Spec.IPFamilies
+ 	} else {
+ 		info.ipFamilies = make([]v1.IPFamily, 1)
+diff --git a/pkg/proxy/tools.go b/pkg/proxy/tools.go
+index 06c4ae3..3f7f0b9 100644
+--- a/pkg/proxy/tools.go
++++ b/pkg/proxy/tools.go
+@@ -26,7 +26,7 @@ import (
+ 
+ 	utilnftables "github.com/google/nftables"
+ 	v1 "k8s.io/api/core/v1"
+-	discovery "k8s.io/api/discovery/v1beta1"
++	discovery "k8s.io/api/discovery/v1"
+ 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ 	"k8s.io/apimachinery/pkg/types"
+ 	"k8s.io/apimachinery/pkg/util/intstr"
+-- 
+2.40.1
+
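Review bot: In the nested pkg/proxy/service.go hunk, `onlyNodeLocalEndpoints` is now set from `apiservice.ExternalPolicyLocal(service)`, and nothing in the patch records whether that is a pure rename of `RequestsOnlyLocalTraffic`. As far as I recall, the newer helper also returns true for ClusterIP Services that carry externalIPs, so the set of Services pinned to node-local endpoints, and so keeping the client source IP, may change with this upgrade; please confirm against the vendored k8s 1.28 source. Source-IP preservation matters for anything that filters or logs on client address, so I would add a comment above the call such as `// ExternalPolicyLocal: externalTrafficPolicy=Local on an externally reachable Service; internalTrafficPolicy is not consulted here` and check that nfproxy's rules cover the externalIPs case. `newBaseServiceInfo` continues outside the nested hunks, so how the flag is used is not visible here.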