treewide: update to Kubernetes 1.31
Overall not that bad, we got rid of some workarounds and added some new
ones. Biggest change is a significant refactor of the hyperkube package
as Kubernetes really doesn't like more than one of its top-level Cobra
commands being instantiated. One new patch for gVisor as new fields got
added to a Linux struct which caused codegen to rename an existing one.
That patch will go away once [1] is released as this has been changed
back again.
Otherwise mostly standard rebases of patches. We currently have a
warning in kubelet as our containerd CRI does not support the
RuntimeConfig RPC, but no released version of containerd has that and
the fallback works fine for now.
[1] https://go-review.googlesource.com/c/sys/+/607876
Change-Id: I275e5fb78bc1d09c4ca0e8b5705edbaa80f30d96
Reviewed-on: https://review.monogon.dev/c/monogon/+/3355
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI
diff --git a/third_party/go/patches/gvisor-unix-0.20.patch b/third_party/go/patches/gvisor-unix-0.20.patch
new file mode 100644
index 0000000..80908e6
--- /dev/null
+++ b/third_party/go/patches/gvisor-unix-0.20.patch
@@ -0,0 +1,17 @@
+Fix for https://github.com/google/gvisor/issues/10483
+
+--- a/pkg/xdp/xdp.go
++++ b/pkg/xdp/xdp.go
+@@ -151,9 +151,9 @@
+ }
+
+ reg := unix.XDPUmemReg{
+- Addr: uint64(sliceBackingPointer(umemMemory)),
+- Len: uint64(len(umemMemory)),
+- Size: opts.FrameSize,
++ Addr: uint64(sliceBackingPointer(umemMemory)),
++ Len: uint64(len(umemMemory)),
++ Chunk_size: opts.FrameSize,
+ // Not useful in the RX path.
+ Headroom: 0,
+ // TODO(b/240191988): Investigate use of SHARED flag.
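Review bot: The patch header at L24 records the upstream issue but not the condition under which the patch is to be dropped, which only the commit message gives (the field rename being reverted in golang.org/x/sys at https://go-review.googlesource.com/c/sys/+/607876). Suggest a second header line such as `Temporary: remove once the x/sys change at https://go-review.googlesource.com/c/sys/+/607876 is released and the gVisor/x/sys versions in this tree are past it.` so the removal condition travels with the patch rather than being rediscovered at the next bump. The patched struct literal continues outside the hunk.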
diff --git a/third_party/go/patches/k8s-drop-legacy-log-path.patch b/third_party/go/patches/k8s-drop-legacy-log-path.patch
index 1d7a28b..5c164ca 100644
--- a/third_party/go/patches/k8s-drop-legacy-log-path.patch
+++ b/third_party/go/patches/k8s-drop-legacy-log-path.patch
@@ -1,4 +1,4 @@
-From 93c9d8f8f44f2d3b67bdd51471b92dd108df3ca4 Mon Sep 17 00:00:00 2001
+From 4d98a0637eee66923b854ef75653f74aeb37240b Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@monogon.tech>
Date: Wed, 16 Mar 2022 18:10:09 +0100
Subject: [PATCH] Drop legacy log path
@@ -12,13 +12,13 @@
5 files changed, 115 deletions(-)
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
-index e8918472ee8..f80bfc41240 100644
+index 5d848de88fb..0495eaed7d1 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
-@@ -1459,13 +1459,6 @@ func (kl *Kubelet) initializeModules() error {
+@@ -1506,13 +1506,6 @@ func (kl *Kubelet) initializeModules() error {
return err
}
-
+
- // If the container logs directory does not exist, create it.
- if _, err := os.Stat(ContainerLogsDir); err != nil {
- if err := kl.os.MkdirAll(ContainerLogsDir, 0755); err != nil {
@@ -26,17 +26,17 @@
- }
- }
-
- // Start the image manager.
- kl.imageManager.Start()
-
+ if sysruntime.GOOS == "windows" {
+ // On Windows we should not allow other users to read the logs directory
+ // to avoid allowing non-root containers from reading the logs of other containers.
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go
-index 97abc229335..458333dafcb 100644
+index b049540d0d3..7b1baa29c14 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go
-@@ -257,25 +257,6 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
+@@ -285,25 +285,6 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
}
m.recordContainerEvent(pod, container, containerID, v1.EventTypeNormal, events.StartedContainer, fmt.Sprintf("Started container %s", container.Name))
-
+
- // Symlink container logs to the legacy container log location for cluster logging
- // support.
- // TODO(random-liu): Remove this after cluster logging supports CRI container log path.
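Review bot: The rebased context at L74–L76 shows that the code following the deleted ContainerLogsDir creation is now a `sysruntime.GOOS == "windows"` branch that, judging by its comment, presumably changes permissions on that same directory, so the patch now leaves behind a reference to a directory it no longer creates. On Linux the branch is unreachable, so this is harmless for this tree, but it is worth recording in the patch description with a line such as `The Windows-only permission fixup on ContainerLogsDir is intentionally left in place; it is unreachable on Linux.` so the next rebase does not have to re-evaluate it. The body of initializeModules continues outside the hunk.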
@@ -59,10 +59,10 @@
// Step 4: execute the post start hook.
if container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
kubeContainerID := kubecontainer.ContainerID{
-@@ -1217,23 +1198,6 @@ func (m *kubeGenericRuntimeManager) removeContainerLog(ctx context.Context, cont
+@@ -1317,23 +1298,6 @@ func (m *kubeGenericRuntimeManager) removeContainerLog(ctx context.Context, cont
return err
}
-
+
- resp, err := m.runtimeService.ContainerStatus(ctx, containerID, false)
- if err != nil {
- return fmt.Errorf("failed to get container status %q: %v", containerID, err)
@@ -82,9 +82,9 @@
- }
return nil
}
-
+
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_gc.go b/pkg/kubelet/kuberuntime/kuberuntime_gc.go
-index 35a19704b95..6ac4883eab1 100644
+index 6189b1f07ca..3cd3daa5a6c 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_gc.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_gc.go
@@ -19,7 +19,6 @@ package kuberuntime
@@ -95,7 +95,7 @@
"path/filepath"
"sort"
"time"
-@@ -346,51 +345,6 @@ func (cgc *containerGC) evictPodLogsDirectories(ctx context.Context, allSourcesR
+@@ -347,51 +346,6 @@ func (cgc *containerGC) evictPodLogsDirectories(ctx context.Context, allSourcesR
}
}
}
@@ -146,9 +146,9 @@
- }
return nil
}
-
+
diff --git a/pkg/kubelet/runonce.go b/pkg/kubelet/runonce.go
-index b11442ae902..10c783eb868 100644
+index 448df444869..d5ecd47337f 100644
--- a/pkg/kubelet/runonce.go
+++ b/pkg/kubelet/runonce.go
@@ -19,7 +19,6 @@ package kubelet
@@ -157,12 +157,12 @@
"fmt"
- "os"
"time"
-
+
v1 "k8s.io/api/core/v1"
@@ -50,13 +49,6 @@ func (kl *Kubelet) RunOnce(updates <-chan kubetypes.PodUpdate) ([]RunPodResult,
return nil, err
}
-
+
- // If the container logs directory does not exist, create it.
- if _, err := os.Stat(ContainerLogsDir); err != nil {
- if err := kl.os.MkdirAll(ContainerLogsDir, 0755); err != nil {
@@ -174,7 +174,7 @@
case u := <-updates:
klog.InfoS("Processing manifest with pods", "numPods", len(u.Pods))
diff --git a/test/e2e_node/log_path_test.go b/test/e2e_node/log_path_test.go
-index 68f2cf544aa..f5493d7f88e 100644
+index a1589e6d91e..179206eb1dd 100644
--- a/test/e2e_node/log_path_test.go
+++ b/test/e2e_node/log_path_test.go
@@ -22,8 +22,6 @@ import (
@@ -186,7 +186,7 @@
"k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
admissionapi "k8s.io/pod-security-admission/api"
-@@ -122,22 +120,6 @@ var _ = SIGDescribe("ContainerLogPath [NodeConformance]", func() {
+@@ -122,22 +120,6 @@ var _ = SIGDescribe("ContainerLogPath", framework.WithNodeConformance(), func()
err := createAndWaitPod(ctx, makeLogPod(logPodName, logString))
framework.ExpectNoError(err, "Failed waiting for pod: %s to enter success state", logPodName)
})
@@ -206,9 +206,9 @@
- err = createAndWaitPod(ctx, makeLogCheckPod(logCheckPodName, logString, expectedlogFile))
- framework.ExpectNoError(err, "Failed waiting for pod: %s to enter success state", logCheckPodName)
- })
-
+
ginkgo.It("should print log to correct cri log path", func(ctx context.Context) {
-
---
-2.41.0
+
+--
+2.44.1
diff --git a/third_party/go/patches/k8s-native-mounter.patch b/third_party/go/patches/k8s-native-mounter.patch
index 21e228e..29a5e34 100644
--- a/third_party/go/patches/k8s-native-mounter.patch
+++ b/third_party/go/patches/k8s-native-mounter.patch
@@ -1,26 +1,26 @@
-From d56a2d05e536534730660813c182055bb705b22a Mon Sep 17 00:00:00 2001
+From 2c25c4cdf0a3526625bf38c0d16519d8b5c80132 Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@brun.one>
Date: Tue, 17 Mar 2020 21:41:08 +0100
Subject: [PATCH] Provide native mounter implementation for Linux
---
- mount_linux.go | 141 +++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 141 insertions(+)
+ mount_linux.go | 140 ++++++++++++++++++
+ 1 file changed, 140 insertions(+)
diff --git a/mount_linux.go b/mount_linux.go
-index 07ce76d..e925185 100644
+index 541af2c391e..23523bf5d30 100644
--- a/mount_linux.go
+++ b/mount_linux.go
-@@ -69,6 +70,8 @@ type Mounter struct {
+@@ -70,6 +70,8 @@ type Mounter struct {
withSystemd *bool
trySystemd bool
withSafeNotMountedBehavior bool
+ withLinuxUtils bool
+ nativeSupportedFstypes map[string]struct{}
}
-
+
var _ MounterForceUnmounter = &Mounter{}
-@@ -81,6 +84,8 @@ func New(mounterPath string) Interface {
+@@ -82,6 +84,8 @@ func New(mounterPath string) Interface {
mounterPath: mounterPath,
trySystemd: true,
withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
@@ -28,8 +28,8 @@
+ nativeSupportedFstypes: detectNativeSupportedFstypes(),
}
}
-
-@@ -93,6 +98,8 @@ func NewWithoutSystemd(mounterPath string) Interface {
+
+@@ -94,6 +98,8 @@ func NewWithoutSystemd(mounterPath string) Interface {
mounterPath: mounterPath,
trySystemd: false,
withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
@@ -37,11 +37,11 @@
+ nativeSupportedFstypes: detectNativeSupportedFstypes(),
}
}
-
-@@ -111,6 +118,29 @@ func (mounter *Mounter) hasSystemd() bool {
- return *mounter.withSystemd
+
+@@ -165,6 +171,29 @@ func (mounter *Mounter) bindMountSensitive(mounterPath string, mountCmd string,
+ }
}
-
+
+func (mounter *Mounter) mountNative(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
+ flags, pflags, fsoptions := parseMountOptions(options)
+ if len(pflags) > 0 {
@@ -68,7 +68,7 @@
// Mount mounts source to target as fstype with given options. 'source' and 'fstype' must
// be an empty string in case it's not required, e.g. for remount, or for auto filesystem
// type, where kernel handles fstype for you. The mount 'options' is a list of options,
-@@ -126,6 +156,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
+@@ -180,6 +209,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
// method should be used by callers that pass sensitive material (like
// passwords) as mount options.
func (mounter *Mounter) MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
@@ -79,8 +79,8 @@
// Path to mounter binary if containerized mounter is needed. Otherwise, it is set to empty.
// All Linux distros are expected to be shipped with a mount utility that a support bind mounts.
mounterPath := ""
-@@ -157,6 +191,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
-
+@@ -207,6 +240,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+
// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ if !mounter.withLinuxUtils {
@@ -89,10 +89,10 @@
mounterPath := ""
bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
if bind {
-@@ -179,6 +216,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
+@@ -225,6 +261,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
}
-
+
+// nativeSupportsFstype checks if the native mounter can mount the given fstype
+func (mounter *Mounter) nativeSupportsFstype(fstype string) bool {
+ _, ok := mounter.nativeSupportedFstypes[fstype]
@@ -170,10 +170,10 @@
// doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
// sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
// systemdMountRequired is an extension of option to decide whether uses systemd mount.
-@@ -294,6 +405,30 @@ func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool {
+@@ -340,6 +450,30 @@ func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool {
return false
}
-
+
+// detectLinuxUtils detects if the host operating system has the mount and unmount commands present
+func detectLinuxUtils() bool {
+ _, err := exec.LookPath("mount")
@@ -201,7 +201,7 @@
// MakeMountArgs makes the arguments to the mount(8) command.
// options MUST not contain sensitive material (like passwords).
func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
-@@ -364,6 +499,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
+@@ -410,6 +544,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
// If the mounter has safe "not mounted" behavior, no error will be returned when the target is not a mount point.
func (mounter *Mounter) Unmount(target string) error {
klog.V(4).Infof("Unmounting %s", target)
@@ -214,6 +214,6 @@
command := exec.Command("umount", target)
output, err := command.CombinedOutput()
if err != nil {
---
-2.41.0
+--
+2.44.1
diff --git a/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
index 388a970..4754b2c 100644
--- a/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
+++ b/third_party/go/patches/nfproxy-adapt-to-k8s-1.28.patch
@@ -1,17 +1,18 @@
-From bb611be1b10448316ba21defeede6bec3217febc Mon Sep 17 00:00:00 2001
+From 046483de1453fb8cc1823066844d4617f4f04f85 Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@monogon.tech>
Date: Tue, 14 Nov 2023 13:49:46 +0100
-Subject: [PATCH 1/2] Adapt to K8s 1.28
+Subject: [PATCH] Adapt to K8s 1.28
---
- cmd/nfproxy.go | 6 +++---
- pkg/controller/controller_endpointslice.go | 6 +++---
- pkg/proxy/cache.go | 2 +-
- pkg/proxy/proxy.go | 2 +-
- pkg/proxy/proxy_endpointslice.go | 2 +-
- pkg/proxy/service.go | 4 ++--
- pkg/proxy/tools.go | 2 +-
- 7 files changed, 12 insertions(+), 12 deletions(-)
+ cmd/nfproxy.go | 6 +++---
+ pkg/controller/controller_endpointslice.go | 6 +++---
+ pkg/proxy/cache.go | 2 +-
+ pkg/proxy/endpoints.go | 10 +++++++++-
+ pkg/proxy/proxy.go | 2 +-
+ pkg/proxy/proxy_endpointslice.go | 2 +-
+ pkg/proxy/service.go | 6 +++---
+ pkg/proxy/tools.go | 2 +-
+ 8 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/cmd/nfproxy.go b/cmd/nfproxy.go
index 66972ab..83d8b01 100644
@@ -83,6 +84,27 @@
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog"
)
+diff --git a/pkg/proxy/endpoints.go b/pkg/proxy/endpoints.go
+index e040285..e288a05 100644
+--- a/pkg/proxy/endpoints.go
++++ b/pkg/proxy/endpoints.go
+@@ -75,7 +75,15 @@ func (info *BaseEndpointInfo) IP() string {
+
+ // Port returns just the Port part of the endpoint.
+ func (info *BaseEndpointInfo) Port() (int, error) {
+- return utilproxy.PortPart(info.Endpoint)
++ _, port, err := net.SplitHostPort(info.Endpoint)
++ if err != nil {
++ return -1, err
++ }
++ portNumber, err := strconv.Atoi(port)
++ if err != nil {
++ return -1, err
++ }
++ return portNumber, nil
+ }
+
+ // Equal is part of proxy.Endpoint interface.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index 7839820..5876784 100644
--- a/pkg/proxy/proxy.go
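Review bot: The reimplemented Port() at L351–L362 calls `net.SplitHostPort` and `strconv.Atoi`, but the added inner diff contains no import change (its diffstat at L332 records 9 insertions and 1 deletion, all inside this hunk), so it only compiles if endpoints.go already imports both packages; likewise, if `utilproxy.PortPart` was the last use of `utilproxy` in that file the import becomes unused. Both are worth confirming against the patched file, since the outer diff cannot show it. The two error paths return the underlying error bare; if fmt is in scope, `return -1, fmt.Errorf("parsing port of endpoint %q: %w", info.Endpoint, err)` would keep the offending endpoint in the message, which the replaced helper previously logged. Port() is shown in full; the surrounding inner diff is complete within the hunk.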
@@ -145,5 +167,5 @@
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
--
-2.40.1
+2.44.1