)]}' { "log": [ { "commit": "d13c1c64387ca9a83bb832a3faa5c4b07268d265", "tree": "0c0f534db4726e4400486aad25235e8c573d455e", "parents": [ "79a1a8f9dd49afe8e0a2364c4586b8f39525b204" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Mar 30 19:58:58 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Apr 05 10:35:29 2022 +0000" }, "message": "treewide: switch to gomod and bump everything\n\nThis switches version resolution from fietsje to gomod and updates\nall Go dependencies. It also bumps rules_go (required by gVisor) and\nswitches the Gazelle naming convention from go_default_xxx to the\nstandard Bazel convention of the default target having the package\nname.\n\nSince Kubernetes dropped upstream Bazel support and doesn\u0027t check in\nall generated files I manually pregenerated the OpenAPI spec. This\nshould be fixed, but because of the already-huge scope of this CL\nand the rebase complexity this is not in here.\n\nChange-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833\nReviewed-on: https://review.monogon.dev/c/monogon/+/639\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "144b786814f203ed2f2f9a4edfc30cefc5d8dd7c", "tree": "12f11f840239b33329c8bd854a550785e1eed0df", "parents": [ "b309e3fa020ab70f169c0f2b4a63a9f68da775b7" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Dec 17 17:30:14 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Dec 20 16:31:30 2021 +0000" }, "message": "third_party: goimports: apply import grouping patch\n\nThis allows developers to build //:goimports and point their IDE/editor\nto it to easily conform to the import style guide.\n\nWe also document how to run this tool in CODING_STANDARDS.md.\nIntegration with IntelliJ is TBD.\n\nChange-Id: I61e412162e51e513ec5888eda5221c9d145b6454\nReviewed-on: https://review.monogon.dev/c/monogon/+/493\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "dcfc6787c736ae3461138224a33c5d5c560df2ff", "tree": "5ce2f2719c320e0f77aa5c667ed8221e27a39ca2", "parents": [ "43e2107d9b76e8c1df0974c3125878ca64f2bb61" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 30 05:27:48 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 30 19:38:46 2021 +0000" }, "message": "build/proto_docs: add proto documentation generator\n\nThis adds an HTML documentation generator for our Protobuf files.\nIt consists of a new Bazel rule `proto_docs` which wraps protoc-gen-doc.\nprotoc-gen-doc itself and go-proto-validator which it includes need\nsome light patching because of dumbness in the Go Proto ecosystem that\ndoesn\u0027t exist in our Bazel build.\n\nThis just hooks up everything, it does not yet do anything custom like\nannotating our own authorization metadata or similar.\n\nChange-Id: If6fd7c777210fea700e49242b5339cfafe7c030d\nReviewed-on: https://review.monogon.dev/c/monogon/+/452\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "c2e3b1b7f29708fa136e9195645b31fce530c1f0", "tree": "94d45711f78c1c1cc859e251519838350ce91938", "parents": [ "44d2ad428573bb20ee6be4b957b1abbacad50fcb" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Nov 11 11:06:41 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 16 12:47:21 2021 +0000" }, "message": "WORKSPACE: bump rules_go go 0.29 and Go to 1.17.1\n\nThe changes to nogo are from rules_go being able to use go_library\ntargets as part toolchain definitions. gVisor needed to be bumped\nto be compatible with Go 1.17. It also needs a fix for us not having\nthe systemd cgroup controller.\n\nChange-Id: I058b5c68d97809a286fbe36df00e49e55874dfd5\nReviewed-on: https://review.monogon.dev/c/monogon/+/438\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "6ebdc418f3c4799c12368e34ea78dc9c9757fb54", "tree": "55dcecf2fda5b992c703dea87ef2cea495f6ffe0", "parents": [ "67483ded56f26ced15581d7a87314d776cf5ecb0" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri May 21 16:25:55 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@nexantic.com", "time": "Fri May 28 15:53:36 2021 +0000" }, "message": "RFC: build/analysis: add commentwrap\n\nThis adds a Go analyzer which limits the length of comment lines to 80\ncharacters.\n\nRationale:\n\nMonogon currently follows gofmt style. Gofmt in itself is already quite\nopinionated, but one thing it explicitly does not check for is maximum\nline length.\n\nThis implements a limit for the maximum length of a comment line in Go\nsource within Monogon. It explicitly does not limit code line length, as\nthese can be handled much more easily by soft reflows.\n\nThe tool used, github.com/corverroos/commentwrap, will now be\nautomatically ran by our nogo pass, and prevent any line of commnets\nwithin Go to be longer than 80 characters, with the exception of:\n\n - cgo/generate directives\n - TODOs\n - indented comments (eg. sample code or long URLs)\n\nDownsides:\n\n1. We have to reformat the entire codebase. CR/67 does this.\n\n2. We end up with a bulk Git commit that will pollute Git history. A\n followup CR attempts to resolve this by using Git\u0027s ignoreRevsFile\n functionality.\n\n3. There\u0027s currently no integration with IntelliJ and no way to\n automatically reformat code. If this RFC gets approved, a follow up\n CR will be created that adds integration/automation to make this\n easier to work against.\n\nOpen questions:\n\n1. Is 80 characters the right limit? I, personally, quite like it, but\n am willing to compromise on line length.\n\nChange-Id: I063d64596ca5ef038a8426c6b9f806b65c18451e\nReviewed-on: https://review.monogon.dev/c/monogon/+/66\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "37050126ef89ec30cc677c272471debe55ec0d69", "tree": "c64a64a622ec1c3e1e72fc12a6d4252c0e803cc1", "parents": [ "2999427c182463840a339cf0e82885d8a3b6e79f" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Mar 30 14:00:27 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Apr 13 11:04:01 2021 +0200" }, "message": "Implement Block PVCs in our storage backend\n\nThis implements full support for Block PVCs in our Kubernetes storage backend.\nThe block PVCs are backed by files made available to the pods using loop devices and\nhave read-only and online expansion support.\n\nThis also requires a Kubernetes patch because they call losetup if block PVCs are used\nwith CSI to establish a form of lock on the backing block device. This lock is not\nexclusive and does absolutely nothing for our use case and could get very expensive\non dense machines so I removed it.\n\nTest Plan: Comes with E2E tests\n\nX-Origin-Diff: phab/D746\nGitOrigin-RevId: 430d3f445286c0d3498b2153df333a19f3fcab89\n" }, { "commit": "2073ce34e57b0be3cedd39b8934869abb6f73582", "tree": "8c7f86cecb41848e0614da742935cc656be02239", "parents": [ "7b82227c87f477e9d986d648b8ad63f4268dde3b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Feb 03 18:52:59 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Feb 03 18:52:59 2021 +0100" }, "message": "Bump Bazel to 4.0.0\n\nThis bumps Bazel to 4.0.0 because we want to use ProtoModule. The update was relatively painless,\nno incompat-flags needed to be switched back off. `bazel_gazelle` is pinned on a master version\nsince they haven\u0027t released a Bazel 4-comaptible version yet and I have one patch against Kubernetes\u0027s\ninfra repo which is going upstream.\n\nTest Plan: Build system change, should be covered by existing tests\n\nX-Origin-Diff: phab/D701\nGitOrigin-RevId: 24f675e6ba33efb9f46191eccca95088d7d2d1f1\n" }, { "commit": "7b82227c87f477e9d986d648b8ad63f4268dde3b", "tree": "bd4f8afb09a40f4217709f956c2344c67f95e660", "parents": [ "378a4455aedda838f60c546e55199092f24952ed" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Feb 03 17:03:41 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Feb 03 17:03:41 2021 +0100" }, "message": "Drop legacy kubelet log path\n\nIt looks like the Kubernetes update broke E2E tests on the EROFS stack because of some change\nto how the legacy log dir is handled. Kubelet currently just crashes because it can\u0027t mkdir\n/var/log/containers. This directory is apparently only used by fluentd for log collection in upstream\nE2E tests and with dockershim, both of which we don\u0027t care about. So let\u0027s just nuke it.\n\nTest Plan: Fixes things on top of the EROFS stack\n\nX-Origin-Diff: phab/D700\nGitOrigin-RevId: 45b7f76a61b7234845ab55fcfbc37a66f69fe065\n" }, { "commit": "74e8e5c35fea1ec9ce13c8a2d16100bab45d42d9", "tree": "3ec734c4b86fed54a5039623c789dd4b805b3b6e", "parents": [ "19eb0006edc79edc53fb53ea0eed67e93f4c8eba" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 14:00:50 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 14:00:50 2021 +0100" }, "message": "Make containerd work with read-only root\n\nThis makes containerd work with a read-only root. There were a few config mistakes on our side which\ncaused it to write to the rootfs (mostly leftovers from the switch to /ephemeral) and a semi-hardcoded path\nin /var/lib/cni from containernetworking/cni. This is technically configurable, but it would require patching\nthree different repos (see diff message) and getting all of them to agree to take the change and wait for\nit to propagate to all repos (containerd is known to be slow to release stuff). So let\u0027s just hack in\nthis one-line diff for the time being.\n\nTest Plan: Should be covered by existing tests\n\nX-Origin-Diff: phab/D694\nGitOrigin-RevId: 0e8f5dbfb216539c16e64130af9fe1023722ae1b\n" }, { "commit": "19eb0006edc79edc53fb53ea0eed67e93f4c8eba", "tree": "704a52ab75bde43409d80246cf23bce6b6be3467", "parents": [ "842536b10bd1b11e62317940feef215442a8ecb4" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 21 14:25:25 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 21 14:25:25 2021 +0100" }, "message": "third_party: bump Kubernetes to 1.19.7\n\nThis... didn\u0027t exactly go well. Turns out a change between rc.1 and rc.2\nbroke our runc runtime by enabling seccomp by default for pod sandboxes.\n\nWe work around this by reverting this change, and filing T916 to solve\nthis soon.\n\nThis fixes T910 and T909.\n\nTest Plan: kube bump, CI should run e2e, didn\u0027t run CTS.\n\nBug: T910, T909\n\nX-Origin-Diff: phab/D691\nGitOrigin-RevId: 78afca77c294895859e0af9150128d82677d875b\n" }, { "commit": "842536b10bd1b11e62317940feef215442a8ecb4", "tree": "264906157b5cd51ef39e952326b85da48b5bbb5b", "parents": [ "f12bedfa4cd144c3abc4deac58405067d55f9c87" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 13:54:57 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 13:54:57 2021 +0100" }, "message": "Make Kubernetes work with read-only root\n\nThis makes Kubernetes work with a read-only root. There\u0027s two places where they hardcode\npaths: One is the DeviceManager socket path (/var/lib/kubelet/device-plugins/kubelet.sock), that one\nis easy to fix because KubeletRootDir is available one scope above. The other one is the pod logs dir\nwhich is too far removed from the main Kubelet config, so I just changed their hardcoded path to ours.\nThe first patch should be upstreamable, for the second one we\u0027d need to take a different approach to upstream.\n\nTest Plan: Should be covered by existing E2E tests.\n\nX-Origin-Diff: phab/D693\nGitOrigin-RevId: 4606ab228a24bd4a0274f8e3156123710a59f2aa\n" }, { "commit": "f12bedfa4cd144c3abc4deac58405067d55f9c87", "tree": "ddbc408e424a0ea8e446bcf0022ee16278202d63", "parents": [ "c3ad846e0eaf4cf008130a643ff247aa27531e17" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jan 15 16:58:50 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jan 15 16:58:50 2021 +0100" }, "message": "*: bump up Go dependencies\n\nThis started off as \u0027let\u0027s bump gVisor\u0027. However, pulling that thread\nresulted in quite a few things that also required bumping for the build\nto actually work. Here I come back from a day in the Bazel mines,\nbearing fruits of my labor.\n\nNotable changes:\n\n - bump up gVisor\n - bump up containerd\n - bump up Bazel\n - bump up rules_go, rules_docker, Gazelle\n - use google.golang.org/protobuf (the \u0027new\u0027 go proto package)\n - bump up gRPC (but not too much, as go-etcd is still straggling)\n\nNotable effects:\n\n - new gVisor supports TTY allocation (kubectl run -it\n --image\u003dubuntu:20.04 ubuntu bash now works!)\n\nNotable notes:\n\n - gVisor shim has new been rolled into the main gVisor package and is\n slightly easier to build (we can get rid of a bunch of patches).\n - Opencontainers\u0027 runtime-specs now follow containerd instead of gVisor\n - gVisor had to be taught to use the slightly newer runtime-specs via a\n new patch.\n - go_rule() in Starlark is now deprecated, and we had to change our\n Starlark rule definitions to use rule() instead. We also had to patch\n gVisor to do that (as there hasn\u0027t yet been a release that rolled\n this up).\n - Gazelle now supports different naming schemes for generated Go\n targets - either the old //foo/bar:go_default_library scheme, or a\n new and nicer //foo/bar:bar scheme. We currently force the usage of\n the old scheme, as switching over is probably not going to be easy\n (we use a lot of external Bazel files, and we have to wait for their\n compatibility with the new scheme first).\n - New Bazel/rules_go sets a TMPDIR long enough to generate paths (via\n ioutil.TempDir) to which sockets cannot be bound (108-byte limit).\n - The new protobuf API is incompatible with gogoproto. containerd/ttrpc\n uses gogoproto, but we are smart enough to pull in the old protobuf\n library as gogoproto\u0027s transitive dep. However, ttrpc also wants to\n use some proto-generated grpc bits, and that doesn\u0027t work. We have to\n pull in a ttrpc fork from a PR that hasn\u0027t yet been merged that fixes\n this issue.\n\nTest Plan: Refactor only, should be covered by tests.\n\nX-Origin-Diff: phab/D689\nGitOrigin-RevId: 1188c0605d25e7f40307fab5fd96e7019f3a9171\n" }, { "commit": "31370b07f0df2dc2765d812d4ce00a6b35185b16", "tree": "15563902eee9591083284441c8505b084b275d0a", "parents": [ "313816f41244d7520eb2b6f8c231328ee5b7a4ef" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 16:31:14 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 16:31:14 2021 +0100" }, "message": "*: git.monogon.dev -\u003e source.monogon.dev\n\nThis implements T882, setting our (virtual) GOPATH to source.monogon.dev\nfor this repository.\n\nTest Plan: Refactor, CI only.\n\nX-Origin-Diff: phab/D686\nGitOrigin-RevId: c5e2309089948ffc3a98e68e2e0e1cbb157d3a36\n" }, { "commit": "662b5b3119b0798980b887d1ef9fa1b5632aa7fb", "tree": "3e1fc4ab033530e6d579112ba500d2c6edb43368", "parents": [ "39f2f691726dc6e0a291aa8609085b835a313dad" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Dec 21 13:49:00 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Dec 21 13:49:00 2020 +0100" }, "message": "smalltown -\u003e metropolis\n\nThis pass removes all mentions of Smalltown, both from code and comments,\nand replaces them with appropriate new terminology.\n\nTest Plan: Refactor, covered by CI.\n\nX-Origin-Diff: phab/D674\nGitOrigin-RevId: 04a94d44ef07d46f7821530da5614daefe16d7ea\n" }, { "commit": "fa5c2fccc528b40f216687e02f0c1cd004e013d6", "tree": "f39c24f681176b7bbf36fe6af304c6902124f552", "parents": [ "4efaa019244db96128941965aa72c0e1371b0d2d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Sep 28 13:32:12 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Sep 28 13:32:12 2020 +0200" }, "message": "Use CoreDNS for everything and make directives dynamic\n\nThis moves CoreDNS from Kubernetes to the network tree and uses\nit for OS-side resolution too. For this to work together with Kubernetes it now\ncontains a dynamic directive system which allows various parts of the OS\nto register and unregister directives at runtime. This system is used to hook\nKubernetes and DHCP-supplied DNS servers into the configuration.\n\nThis also enables the hosts plugin to resolve the local hostname from within\nCoreDNS to avoid querying external DNS servers for that (T773).\n\nTest Plan:\nCTS covers K8s-related tests, external resolution manually tested from\na container.\n\nBug: T860, T773\n\nX-Origin-Diff: phab/D628\nGitOrigin-RevId: f1729237f3d17d8801506f4d299b90e7dce0893a\n" }, { "commit": "ed0503cbe3c2d85d138f2604b87d73417be6c940", "tree": "66fce41e479e22ba8a735fbcbb62d768c0307bd3", "parents": [ "b9431c95082a3de6c87f96b700e69b72e4d87fdc" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:21:25 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:21:25 2020 +0200" }, "message": "Add Kubernetes CTS\n\nThis adds patches and build specifications for the Kubernetes Conformance Test Suite. This involves\ngating various cloud-specific tests behind the providerless flag (otherwise we\u0027d gain a ton of additional dependencies)\nand an additional 60MiB in test binary size.\nSince the CTS for weird reasons requires kubectl to be available in the path we first build a kubectl go_image and then\nstack the CTS on top of it. The output bundle is then preseeded for use.\n\nTest Plan: `bazel run //core/tests/e2e/k8s_cts`\n\nBug: T836\n\nX-Origin-Diff: phab/D615\nGitOrigin-RevId: 7d2cd780a3ffb63b217591c5854b4aec4031d83d\n" }, { "commit": "b29e0b07048697a8e8b4b33adb98dd6d8e79eddf", "tree": "b0b9660a1a783aae391bafd1a9fbac56bcad5498", "parents": [ "efb028fdc542dd2f19bf74a3be98506e7a15c7b7" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:26:12 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:26:12 2020 +0200" }, "message": "Add CoreDNS build\n\nThis adds CoreDNS and all relevant dependencies. Unused plugins are patched out\nto prevent excessive dependencies and binary size.\n\nTest Plan: `bazel build @com_github_coredns_coredns//:coredns`\n\nX-Origin-Diff: phab/D614\nGitOrigin-RevId: a897bc0e9f908218fd2f414d7e3b902c14e0a374\n" }, { "commit": "b682ba55d4a51babad2beebb470b0fef0e6067ca", "tree": "d94c2bb98f3a47896558d9cd4d2cc0271a4558c7", "parents": [ "f85748717f32f0a74816de01b1e5f2e0104342c5" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 14:51:36 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 14:51:36 2020 +0200" }, "message": "Add service proxy\n\nThis adds a service proxy based on nfproxy and changes to the service IP allocation to make it work.\nAlso adds support for masquerading outbound traffic for outbound network connectivity.\n\nTest Plan:\nCurrently manually tested by creating an alpine pod and running \u0027apk add curl \u0026\u0026 curl -k https://192.168.188.1:443/\u0027.\nWill be covered later by CTS.\n\nBug: T810\n\nX-Origin-Diff: phab/D580\nGitOrigin-RevId: cace863fd8c2f045560f8abf84c40cc77bc275d4\n" }, { "commit": "b876fc31f12628562a51c70668b318b9fc50478b", "tree": "b7f4001c6ab56712dd26473b216e74222b1903f0", "parents": [ "78fd97294dbc8bbf5ef1a490b2d7b7ad96fddcae" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 14 13:54:01 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 14 13:54:01 2020 +0200" }, "message": "Update containerd to 1.4.0-beta.2 and K8s to 1.19.0-rc.0\n\nThis unbreaks bbolt (as part of containerd) on 1.14+ (see https://github.com/etcd-io/bbolt/pull/201 and\nhttps://github.com/etcd-io/bbolt/pull/220), pulls in my patch to ignore image-defined volumes\n(https://github.com/containerd/cri/pull/1504) and gets us some robustness fixes in containerd CNI/CRI integration\n(https://github.com/containerd/cri/pull/1405). This also updates K8s at the same time since they share a lot of\ndependencies and only updating one is very annoying. On the K8s side we mostly get the standard stream of fixes\nplus some patches that are no longer necessary.\n\nOne annoying on the K8s side (but with no impact to the functionality) are these messages in the logs of various\ncomponents:\n```\nW0714 11:51:26.323590 1 warnings.go:67] policy/v1beta1 PodSecurityPolicy is deprecated in v1.22+, unavailable in v1.25+\n```\nThey are caused by KEP-1635, but there\u0027s not explanation why this gets logged so aggressively considering the operators\ncannot do anything about it. There\u0027s no newer version of PodSecurityPolicy and you are pretty much required to use it if\nyou use RBAC.\n\nTest Plan: Covered by existing tests\n\nBug: T753\n\nX-Origin-Diff: phab/D597\nGitOrigin-RevId: f6c447da1de037c27646f9ec9f45ebd5d6660ab0\n" }, { "commit": "78fd97294dbc8bbf5ef1a490b2d7b7ad96fddcae", "tree": "7ae5efa88e132d538d9ec185e6abddd9f46a0570", "parents": [ "cca74b6b61a165e2d1679847731902eaed04bd94" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Jul 13 17:01:42 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Jul 13 17:01:42 2020 +0200" }, "message": "Kubernetes volume \u0026 stamping fixes\n\nThis reenables the projected and downwardapi volume types, both of which are necessary for the CTS to pass\nand are derivatives of the configmap volume which we already support. This also fixes an issue where the stamping\ndefinitions for Kubernetes were not present on our main Kubernetes binary, which broke the CTS.\n\nTest Plan:\nVolumes will be covered by CTS (writing our own tests would be duplicate work), version was manually\ntested to be correct in `bazel run //core/cmd/dbg -- kubectl get nodes` since stamping is hard to test for.\n\nX-Origin-Diff: phab/D584\nGitOrigin-RevId: 403b6c845bc399fdd44ec3ba4ca26e2512a5bc98\n" }, { "commit": "c3ae7588e04e283a9ee798823ff590f2eb26e13f", "tree": "dca98f6ae4627ba043527f1a2de01fb3b740be44", "parents": [ "3b544a960249e7000b4fd9ce36f118c261c467df" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 08 17:15:26 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 08 17:15:26 2020 +0200" }, "message": "core/initramfs: add cilium, force static binaries\n\nThis adds a Bazel transition to the initramfs rule to ensure all\nbinaries that are part of it are built statically.\n\nTest Plan: tested by building the binary and checking all binaries are static\n\nX-Origin-Diff: phab/D557\nGitOrigin-RevId: 897b902c6b139fdffd1179caae757f5151ad7804\n" }, { "commit": "878f5f9e5f9de93b09d354db7d116fd3d558dbfa", "tree": "994b67ea5264f7e38bb67e9043a369454eaab75d", "parents": [ "9a741a861a4cb5c52b0251a4abf3a2c606b06198" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "message": "Add Kubernetes Worker and infrastructure\n\nAdds Kubernetes Kubelet with patches for syscall-based mounting and\nsyscall-based (and much faster) metrics. fsquota patches have been\ndeferred to a further revision (for robust emptyDir capacity isolation).\n\nChanges encoding of the node ID to hex since Base64-URL is not supported\nas a character set for K8s names. Also adds `/etc/machine-id` and\n`/etc/os-release` since Kubernetes wants them. `os-release` is generated\nby stamping, `machine-id` is the hex-encoded node ID derived from the\npublic key.\n\nAlso includes a primitive reconciler which automatically ensures a set of\nbuilt-in Kubernetes objects are always present. Currently this includes\na PSP and some basic RBAC policies that are elementary to proper cluster\noperations.\n\nAdds an additional gRPC service (NodeDebugService) to cleanly\ncommunicate with external debug and test tooling. It supports reading\nfrom logbuffers for all externally-run components, checking conditions\n(for replacing log matching in testing and debugging) and getting\ndebug credentials for the Kubernetes cluster.\n\nA small utility (dbg) is provided that interfaces with NodeDebugService\nand provides access to its functions from the CLI. It also incorporates\na kubectl wrapper which directly grabs credentials from the Debug API\nand passes them to kubectl\n(e.g. `bazel run //core/cmd/dbg -- kubectl describe node`).\n\nTest Plan:\nManually tested.\nKubernetes:\n`bazel run //core/cmd/dbg -- kubectl create -f test.yml`\n\nChecked that pods run, logs are accessible and exec works.\n\nReading buffers:\n`bazel run //core/cmd/dbg -- logs containerd`\n\nOutputs containerd logs in the right order.\n\nAutomated testing is in the works, but has been deferred to a future\nrevision because this one is already too big again.\n\nX-Origin-Diff: phab/D525\nGitOrigin-RevId: 0fbfa0c433de405526c7f09ef10c466896331328\n" }, { "commit": "c88c82db8b1a7f8a07782c970e1d0dfb453f9f66", "tree": "22072c4f18e4aaa855577ff0b42a86ef77a9c4cb", "parents": [ "60febd9db40970a31a2f49bdb969897a37c11cc6" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Fri May 08 14:35:04 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Fri May 08 14:35:04 2020 +0200" }, "message": "Add containerd \u0026 gVisor support\n\nThis adds containerd, CNI, gVisor and all the necessary shims\nand supporting infrastructure. It also enables all relevant features in\nthe Linux kernel. containerd is designed as a simple supervisor.Runnable.\nIt is not being started yet, this will happen in D497.\n\nSplit out from feature/kubelet.\n\nTest Plan:\nHas been tested in conjunction with the rest of D497, will be\ncovered by a K8s E2E test there.\n\nX-Origin-Diff: phab/D509\nGitOrigin-RevId: 92523516b7e361a30da330eb187787e6045bfd17\n" }, { "commit": "bb7db92ee6e788b576e22ece70914e0321a785f7", "tree": "1f4fee21a390625bd9766d0394e3076cf7e34d48", "parents": [ "547b33f2b38dba41f2c171f8730ff5093b267eaf" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Apr 30 12:43:10 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Apr 30 12:43:10 2020 +0200" }, "message": "Add all dependencies for Kubernetes worker\n\nAdds Kubelet, CNI plugins, containerd, runc and gVisor using a\npre-baked list of dependencies generated using scripts/gazelle-deps/sh.\n\nThis moves all dependencies of gVisor, Kubernetes, runc, etc into the\nsame \u0027namespace\u0027 of Bazel external repositories, giving us ease of\naccessing code as libraries, and benefits when it comes to version\nauditing.\n\nThe gazelle-deps.sh script is a temporary solution that will be replaced\nASAP, see T725.\n\nThis unblocks T486.\n\nThis is an alternative to D389.\n\nTest Plan: `bazel build //core:image` runs and picks up the new binaries\n\nX-Origin-Diff: phab/D487\nGitOrigin-RevId: a28a25071fa2ae76b272d237ce9af777485065ff\n" } ] }