This is an opt-in feature to expose logs. While there are some security concerns, functionally it is very similar to the recently GA-ed NodeLogQuery, which is also opt-in.
This feature has been "deprecated" since 1.15 without removal and is still actively used by multiple installers / distros (e.g. GKE, https://github.com/zalando-incubator/kubernetes-on-aws).
It is not reasonable to plan removal after 20+ releases, and there do not seem to be any plans to do so.
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.
Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:
- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
If the reconcileElectionStep function returns `noRequeue, nil`, it causes log
spam from apiserver. This is because HandleErrorWithContext is called
regardless of error value. Skip logging if error is nil.
Also, tag the log message with the involved lease object name.
```
...
{"ts":1773796037662.8264,"logger":"UnhandledError","caller":"leaderelection/leaderelection_controller.go:169","msg":"Failed to reconcile election step"}
{"ts":1773796038472.465,"logger":"UnhandledError","caller":"leaderelection/leaderelection_controller.go:169","msg":"Failed to reconcile election step"}
...
```
Use contextual logging in sync() and syncStatus() by passing ctx
from the caller instead of context.Background(). Replace klog.Infof
calls with logger.Info/Error from klog.FromContext(ctx).
Update tests to use ktesting.NewTestContext.
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
* Drop WorkloadRef field and introduce SchedulingGroup field in Pod API
* Introduce v1alpha2 Workload and PodGroup APIs, drop v1alpha1 Workload API
Co-authored-by: yongruilin <yongrlin@outlook.com>
* Run hack/update-codegen.sh
* Adjust kube-scheduler code and integration tests to v1alpha2 API
* Drop v1alpha1 scheduling API group and run make update
---------
Co-authored-by: yongruilin <yongrlin@outlook.com>
This addresses a PR review comment to clean up storageversionhashdata which is only used in tests by moving its contents directly into the test file where they are used and making them private.
- Register v1 MutatingAdmissionPolicy and Binding in apiserver storage.
- Add defaults and validation for v1 types.
- Update storage version hash data.
- Add API testdata.
Replace all imports of k8s.io/apimachinery/pkg/util/dump with
k8s.io/utils/dump across the repo. The apimachinery dump package
now contains deprecated wrapper functions that delegate to
k8s.io/utils/dump for backwards compatibility.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>