mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-13 18:43:34 +00:00
rebase: update replaced k8s.io modules to v0.33.0
Signed-off-by: Niels de Vos <ndevos@ibm.com>
This commit is contained in:
Niels de Vos
committed by
mergify[bot]
mergify[bot]
parent
dd77e72800
commit
107407b44b
2
e2e/vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/doc.go
generated
vendored
2
e2e/vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/doc.go
generated
vendored
@ -16,4 +16,4 @@ limitations under the License.
|
||||
|
||||
// Package lifecycle contains handlers for pod lifecycle events and interfaces
|
||||
// to integrate with kubelet admission, synchronization, and eviction of pods.
|
||||
package lifecycle // import "k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
||||
package lifecycle
|
||||
|
||||
72
e2e/vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/predicate.go
generated
vendored
72
e2e/vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/predicate.go
generated
vendored
@ -22,15 +22,16 @@ import (
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/component-base/featuregate"
|
||||
"k8s.io/component-helpers/scheduling/corev1"
|
||||
"k8s.io/klog/v2"
|
||||
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
||||
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"k8s.io/kubernetes/pkg/kubelet/types"
|
||||
"k8s.io/kubernetes/pkg/scheduler"
|
||||
schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
|
||||
"k8s.io/kubernetes/pkg/scheduler/framework/plugins/tainttoleration"
|
||||
"k8s.io/utils/ptr"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -52,6 +53,11 @@ const (
|
||||
// than Always for some of its init containers.
|
||||
InitContainerRestartPolicyForbidden = "InitContainerRestartPolicyForbidden"
|
||||
|
||||
// SupplementalGroupsPolicyNotSupported is used to denote that the pod was
|
||||
// rejected admission to the node because the node does not support
|
||||
// the pod's SupplementalGroupsPolicy.
|
||||
SupplementalGroupsPolicyNotSupported = "SupplementalGroupsPolicyNotSupported"
|
||||
|
||||
// UnexpectedAdmissionError is used to denote that the pod was rejected
|
||||
// admission to the node because of an error during admission that could not
|
||||
// be categorized.
|
||||
@ -135,25 +141,20 @@ func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
|
||||
}
|
||||
}
|
||||
|
||||
if rejectPodAdmissionBasedOnSupplementalGroupsPolicy(admitPod, node) {
|
||||
message := fmt.Sprintf("SupplementalGroupsPolicy=%s is not supported in this node", v1.SupplementalGroupsPolicyStrict)
|
||||
klog.InfoS("Failed to admit pod", "pod", klog.KObj(admitPod), "message", message)
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: SupplementalGroupsPolicyNotSupported,
|
||||
Message: message,
|
||||
}
|
||||
}
|
||||
|
||||
pods := attrs.OtherPods
|
||||
nodeInfo := schedulerframework.NewNodeInfo(pods...)
|
||||
nodeInfo.SetNode(node)
|
||||
|
||||
// TODO: Remove this after the SidecarContainers feature gate graduates to GA.
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.SidecarContainers) {
|
||||
for _, c := range admitPod.Spec.InitContainers {
|
||||
if podutil.IsRestartableInitContainer(&c) {
|
||||
message := fmt.Sprintf("Init container %q may not have a non-default restartPolicy", c.Name)
|
||||
klog.InfoS("Failed to admit pod", "pod", klog.KObj(admitPod), "message", message)
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: InitContainerRestartPolicyForbidden,
|
||||
Message: message,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ensure the node has enough plugin resources for that required in pods
|
||||
if err = w.pluginResourceUpdateFunc(nodeInfo, attrs); err != nil {
|
||||
message := fmt.Sprintf("Update plugin resources failed due to %v, which is unexpected.", err)
|
||||
@ -272,6 +273,45 @@ func rejectPodAdmissionBasedOnOSField(pod *v1.Pod) bool {
|
||||
return string(pod.Spec.OS.Name) != runtime.GOOS
|
||||
}
|
||||
|
||||
// rejectPodAdmissionBasedOnSupplementalGroupsPolicy rejects pod only if
|
||||
// - the feature is beta or above, and SupplementalPolicy=Strict is set in the pod
|
||||
// - but, the node does not support the feature
|
||||
//
|
||||
// Note: During the feature is alpha or before(not yet released) in emulated version,
|
||||
// it should admit for backward compatibility
|
||||
func rejectPodAdmissionBasedOnSupplementalGroupsPolicy(pod *v1.Pod, node *v1.Node) bool {
|
||||
admit, reject := false, true // just for readability
|
||||
|
||||
inUse := (pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SupplementalGroupsPolicy != nil)
|
||||
if !inUse {
|
||||
return admit
|
||||
}
|
||||
|
||||
isBetaOrAbove := false
|
||||
if featureSpec, ok := utilfeature.DefaultMutableFeatureGate.GetAll()[features.SupplementalGroupsPolicy]; ok {
|
||||
isBetaOrAbove = (featureSpec.PreRelease == featuregate.Beta) || (featureSpec.PreRelease == featuregate.GA)
|
||||
}
|
||||
|
||||
if !isBetaOrAbove {
|
||||
return admit
|
||||
}
|
||||
|
||||
featureSupportedOnNode := ptr.Deref(
|
||||
ptr.Deref(node.Status.Features, v1.NodeFeatures{SupplementalGroupsPolicy: ptr.To(false)}).SupplementalGroupsPolicy,
|
||||
false,
|
||||
)
|
||||
effectivePolicy := ptr.Deref(
|
||||
pod.Spec.SecurityContext.SupplementalGroupsPolicy,
|
||||
v1.SupplementalGroupsPolicyMerge,
|
||||
)
|
||||
|
||||
if effectivePolicy == v1.SupplementalGroupsPolicyStrict && !featureSupportedOnNode {
|
||||
return reject
|
||||
}
|
||||
|
||||
return admit
|
||||
}
|
||||
|
||||
func removeMissingExtendedResources(pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) *v1.Pod {
|
||||
filterExtendedResources := func(containers []v1.Container) {
|
||||
for i, c := range containers {
|
||||
|
||||
Reference in New Issue
Block a user