Merge pull request #136 from krunalhinguu/v1.29.5-k8s-may-patches

[v1.29] Release v1.29.5

.go-version

@@ -1 +1 @@
-1.21.8
+1.21.9

build/build-image/cross/VERSION

@@ -1 +1 @@
-v1.29.0-go1.21.8-bullseye.0
+v1.29.0-go1.21.9-bullseye.0

build/common.sh

@@ -96,9 +96,9 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
 
 # These are the default versions (image tags) for their respective base images.
-readonly __default_distroless_iptables_version=v0.4.6
-readonly __default_go_runner_version=v2.3.1-go1.21.8-bookworm.0
-readonly __default_setcap_version=bookworm-v1.0.1
+readonly __default_distroless_iptables_version=v0.4.7
+readonly __default_go_runner_version=v2.3.1-go1.21.9-bookworm.0
+readonly __default_setcap_version=bookworm-v1.0.2
 
 # These are the base images for the Docker-wrapped binaries.
 readonly KUBE_GORUNNER_IMAGE="${KUBE_GORUNNER_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/go-runner:$__default_go_runner_version}"

build/dependencies.yaml

@@ -118,7 +118,7 @@ dependencies:
 
   # Golang
   - name: "golang: upstream version"
-    version: 1.21.8
+    version: 1.21.9
     refPaths:
     - path: .go-version
     - path: build/build-image/cross/VERSION
@@ -140,13 +140,13 @@ dependencies:
       match: minimum_go_version=go([0-9]+\.[0-9]+)
 
   - name: "registry.k8s.io/kube-cross: dependents"
-    version: v1.29.0-go1.21.8-bullseye.0
+    version: v1.29.0-go1.21.9-bullseye.0
     refPaths:
     - path: build/build-image/cross/VERSION
 
   # Base images
   - name: "registry.k8s.io/debian-base: dependents"
-    version: bookworm-v1.0.1
+    version: bookworm-v1.0.2
     refPaths:
     - path: cluster/images/etcd/Makefile
       match: BASEIMAGE\?\=registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
@@ -178,15 +178,15 @@ dependencies:
       match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
 
   - name: "registry.k8s.io/distroless-iptables: dependents"
-    version: v0.4.6
+    version: v0.4.7
     refPaths:
     - path: build/common.sh
       match: __default_distroless_iptables_version=
     - path: test/utils/image/manifest.go
       match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
 
   - name: "registry.k8s.io/go-runner: dependents"
-    version: v2.3.1-go1.21.8-bookworm.0
+    version: v2.3.1-go1.21.9-bookworm.0
     refPaths:
     - path: build/common.sh
       match: __default_go_runner_version=
@@ -254,7 +254,7 @@ dependencies:
       match: configs\[Pause\] = Config{list\.GcRegistry, "pause", "\d+\.\d+(.\d+)?"}
 
   - name: "registry.k8s.io/build-image/setcap: dependents"
-    version: bookworm-v1.0.1
+    version: bookworm-v1.0.2
     refPaths:
     - path: build/common.sh
       match: __default_setcap_version=

cluster/gce/config-default.sh

@@ -90,7 +90,7 @@ fi
 # By default, the latest image from the image family will be used unless an
 # explicit image will be set.
 GCI_VERSION=${KUBE_GCI_VERSION:-}
-IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-97-lts}
+IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-109-lts}
 export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-}
 export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}}
 export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud}

cluster/gce/config-test.sh

@@ -103,7 +103,7 @@ ALLOWED_NOTREADY_NODES=${ALLOWED_NOTREADY_NODES:-$(($(get-num-nodes) / 100))}
 # By default, the latest image from the image family will be used unless an
 # explicit image will be set.
 GCI_VERSION=${KUBE_GCI_VERSION:-}
-IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-97-lts}
+IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-109-lts}
 export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-}
 export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}}
 export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud}

cluster/gce/gci/configure-helper.sh

@@ -3161,7 +3161,7 @@ spec:
   - name: vol
   containers:
   - name: pv-recycler
-    image: registry.k8s.io/build-image/debian-base:bookworm-v1.0.1
+    image: registry.k8s.io/build-image/debian-base:bookworm-v1.0.2
     command:
     - /bin/sh
     args:

cluster/images/etcd/Makefile

@@ -92,19 +92,19 @@ DOCKERFILE.windows = Dockerfile.windows
 DOCKERFILE := ${DOCKERFILE.${OS}}
 
 ifeq ($(ARCH),amd64)
-    BASEIMAGE?=registry.k8s.io/build-image/debian-base:bookworm-v1.0.1
+    BASEIMAGE?=registry.k8s.io/build-image/debian-base:bookworm-v1.0.2
 endif
 ifeq ($(ARCH),arm)
-    BASEIMAGE?=registry.k8s.io/build-image/debian-base-arm:bookworm-v1.0.1
+    BASEIMAGE?=registry.k8s.io/build-image/debian-base-arm:bookworm-v1.0.2
 endif
 ifeq ($(ARCH),arm64)
-    BASEIMAGE?=registry.k8s.io/build-image/debian-base-arm64:bookworm-v1.0.1
+    BASEIMAGE?=registry.k8s.io/build-image/debian-base-arm64:bookworm-v1.0.2
 endif
 ifeq ($(ARCH),ppc64le)
-    BASEIMAGE?=registry.k8s.io/build-image/debian-base-ppc64le:bookworm-v1.0.1
+    BASEIMAGE?=registry.k8s.io/build-image/debian-base-ppc64le:bookworm-v1.0.2
 endif
 ifeq ($(ARCH),s390x)
-    BASEIMAGE?=registry.k8s.io/build-image/debian-base-s390x:bookworm-v1.0.1
+    BASEIMAGE?=registry.k8s.io/build-image/debian-base-s390x:bookworm-v1.0.2
 endif
 
 BASE.windows = mcr.microsoft.com/windows/nanoserver

cmd/kube-controller-manager/app/controllermanager.go

@@ -575,7 +575,9 @@ func CreateControllerContext(logger klog.Logger, s *config.CompletedConfig, root
 	// Informer transform to trim ManagedFields for memory efficiency.
 	trim := func(obj interface{}) (interface{}, error) {
 		if accessor, err := meta.Accessor(obj); err == nil {
-			accessor.SetManagedFields(nil)
+			if accessor.GetManagedFields() != nil {
+				accessor.SetManagedFields(nil)
+			}
 		}
 		return obj, nil
 	}

cmd/kubeadm/app/phases/certs/renewal/manager.go

@@ -322,7 +322,7 @@ func (rm *Manager) CertificateExists(name string) (bool, error) {
 		return false, errors.Errorf("%s is not a known certificate", name)
 	}
 
-	return handler.readwriter.Exists(), nil
+	return handler.readwriter.Exists()
 }
 
 // GetCertificateExpirationInfo returns certificate expiration info.
@@ -358,7 +358,7 @@ func (rm *Manager) CAExists(name string) (bool, error) {
 		return false, errors.Errorf("%s is not a known certificate", name)
 	}
 
-	return handler.readwriter.Exists(), nil
+	return handler.readwriter.Exists()
 }
 
 // GetCAExpirationInfo returns CA expiration info.

cmd/kubeadm/app/phases/certs/renewal/readwriter.go

@@ -36,7 +36,7 @@ import (
 // read or write a certificate stored/embedded in a file
 type certificateReadWriter interface {
 	//Exists return true if the certificate exists
-	Exists() bool
+	Exists() (bool, error)
 
 	// Read a certificate stored/embedded in a file
 	Read() (*x509.Certificate, error)
@@ -61,17 +61,20 @@ func newPKICertificateReadWriter(certificateDir string, baseName string) *pkiCer
 }
 
 // Exists checks if a certificate exist
-func (rw *pkiCertificateReadWriter) Exists() bool {
+func (rw *pkiCertificateReadWriter) Exists() (bool, error) {
 	certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName)
 	return fileExists(certificatePath)
 }
 
-func fileExists(filename string) bool {
+func fileExists(filename string) (bool, error) {
 	info, err := os.Stat(filename)
-	if os.IsNotExist(err) {
-		return false
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
 	}
-	return !info.IsDir()
+	return !info.IsDir(), nil
 }
 
 // Read a certificate from a file the K8s pki managed by kubeadm
@@ -120,7 +123,7 @@ func newKubeconfigReadWriter(kubernetesDir string, kubeConfigFileName string, ce
 }
 
 // Exists checks if a certificate embedded in kubeConfig file exists
-func (rw *kubeConfigReadWriter) Exists() bool {
+func (rw *kubeConfigReadWriter) Exists() (bool, error) {
 	return fileExists(rw.kubeConfigFilePath)
 }
 

cmd/kubeadm/app/phases/certs/renewal/readwriter_test.go

@@ -19,6 +19,7 @@ package renewal
 import (
 	"crypto"
 	"crypto/x509"
+	"fmt"
 	"net"
 	"os"
 	"path/filepath"
@@ -199,3 +200,147 @@ func writeTestKubeconfig(t *testing.T, dir, name string, caCert *x509.Certificat
 
 	return cert
 }
+
+func TestFileExists(t *testing.T) {
+	tmpdir, err := os.MkdirTemp("", "")
+	if err != nil {
+		t.Fatalf("Couldn't create tmpdir: %v", err)
+	}
+	defer func() {
+		err = os.RemoveAll(tmpdir)
+		if err != nil {
+			t.Fatalf("Fail to remove tmpdir: %v", err)
+		}
+	}()
+	tmpfile, err := os.CreateTemp(tmpdir, "")
+	if err != nil {
+		t.Fatalf("Couldn't create tmpfile: %v", err)
+	}
+	tests := []struct {
+		name     string
+		filename string
+		want     bool
+	}{
+		{
+			name:     "file exist",
+			filename: tmpfile.Name(),
+			want:     true,
+		},
+		{
+			name:     "file does not exist",
+			filename: "foo",
+			want:     false,
+		},
+		{
+			name:     "file path is a dir",
+			filename: tmpdir,
+			want:     false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got, _ := fileExists(tt.filename); got != tt.want {
+				t.Errorf("fileExists() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestPKICertificateReadWriterExists(t *testing.T) {
+	tmpdir, err := os.MkdirTemp("", "")
+	if err != nil {
+		t.Fatalf("Couldn't create tmpdir: %v", err)
+	}
+	defer func() {
+		err = os.RemoveAll(tmpdir)
+		if err != nil {
+			t.Fatalf("Fail to remove tmpdir: %v", err)
+		}
+	}()
+	filename := "testfile"
+	tmpfilepath := filepath.Join(tmpdir, fmt.Sprintf(filename+".crt"))
+	err = os.WriteFile(tmpfilepath, nil, 0644)
+	if err != nil {
+		t.Fatalf("Couldn't write file: %v", err)
+	}
+	type fields struct {
+		baseName       string
+		certificateDir string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   bool
+	}{
+		{
+			name: "cert file exists",
+			fields: fields{
+				baseName:       filename,
+				certificateDir: tmpdir,
+			},
+			want: true,
+		},
+		{
+			name: "cert file does not exist",
+			fields: fields{
+				baseName:       "foo",
+				certificateDir: tmpdir,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rw := &pkiCertificateReadWriter{
+				baseName:       tt.fields.baseName,
+				certificateDir: tt.fields.certificateDir,
+			}
+			if got, _ := rw.Exists(); got != tt.want {
+				t.Errorf("pkiCertificateReadWriter.Exists() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestKubeConfigReadWriterExists(t *testing.T) {
+	tmpdir, err := os.MkdirTemp("", "")
+	if err != nil {
+		t.Fatalf("Couldn't create tmpdir: %v", err)
+	}
+	defer func() {
+		err = os.RemoveAll(tmpdir)
+		if err != nil {
+			t.Fatalf("Fail to remove tmpdir: %v", err)
+		}
+	}()
+	tmpfile, err := os.CreateTemp(tmpdir, "")
+	if err != nil {
+		t.Fatalf("Couldn't create tmpfile: %v", err)
+	}
+	tests := []struct {
+		name               string
+		kubeConfigFilePath string
+		want               bool
+	}{
+		{
+			name:               "file exists",
+			kubeConfigFilePath: tmpfile.Name(),
+			want:               true,
+		},
+		{
+			name:               "file does not exist",
+			kubeConfigFilePath: "foo",
+			want:               false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rw := &kubeConfigReadWriter{
+				kubeConfigFilePath: tt.kubeConfigFilePath,
+			}
+			if got, _ := rw.Exists(); got != tt.want {
+				t.Errorf("kubeConfigReadWriter.Exists() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

cmd/kubeadm/app/phases/upgrade/postupgrade.go

@@ -46,6 +46,8 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/uploadconfig"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	dryrunutil "k8s.io/kubernetes/cmd/kubeadm/app/util/dryrun"
+	kubeconfigutil "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
 )
 
 // PerformPostUpgradeTasks runs nearly the same functions as 'kubeadm init' would do
@@ -335,6 +337,33 @@ func createSuperAdminKubeConfig(cfg *kubeadmapi.InitConfiguration, outDir string
 		superAdminBackupPath = superAdminPath + ".backup"
 	)
 
+	// Check if the CA is missing on disk. This would mean a cluster with external CA is upgraded.
+	// Show a warning, apply the new admin RBAC and return without generating a separate 'super-admin.conf'.
+	_, _, err = pkiutil.TryLoadCertAndKeyFromDisk(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
+	if os.IsNotExist(errors.Cause(err)) {
+		klog.Warningf("The CA files do not exist in %q, assuming this is an external CA cluster. "+
+			"Skipping the generating of a 'super-admin.conf' file. Please read the release notes for 1.29 "+
+			"and manually migrate to the separate 'admin.conf' and 'super-admin.conf' files. "+
+			"To generate them you can use 'kubeadm init phase kubeconfig ...' on a host that has the CA, or alternatively "+
+			"you can use 'kubeadm certs generate-csr' to get the new kubeconfig specs and CSRs.",
+			cfg.CertificatesDir)
+
+		// Still apply the RBAC for the regular admin. If 'admin.conf' becomes non-elevated in the future
+		// after a manual interaction by the user the RBAC will be needed.
+		adminClient, err := kubeconfigutil.ClientSetFromFile(filepath.Join(outDir, kubeadmconstants.AdminKubeConfigFileName))
+		if err != nil {
+			return err
+		}
+		// The 'superAdminClient' argument is intentionally nil, so that the function fails if creating the RBAC
+		// with 'adminClient' fails.
+		_, err = ensureRBACFunc(context.Background(), adminClient, nil,
+			kubeadmconstants.APICallRetryInterval, kubeadmconstants.APICallWithWriteTimeout)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
 	// Create new admin.conf and super-admin.conf.
 	// If something goes wrong, old existing files will be restored from backup as a best effort.