Revisions of kubernetes-salt
buildservice-autocommit
accepted
request 705961
from
Factory Maintainer (factory-maintainer)
(revision 377)
baserev update by copy to link target
Containers Team (containersteam)
committed
(revision 376)
new commit from concourse: Commit bb22844 by Alvaro Saurin alvaro.saurin@gmail.com Synchronize everything before starting an orchestration. Replace all the `mine.get` calls by the more compact `get_with_expr` function. bsc#1124784 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam)
committed
(revision 375)
new commit from concourse: Commit b0a79f7 by Nirmoy Das ndas@suse.de cilium: add repo for cilium Signed-off-by: Nirmoy Das <ndas@suse.de>
Containers Team (containersteam)
committed
(revision 374)
new commit from concourse: Commit 0fcce23 by Alvaro Saurin alvaro.saurin@gmail.com When using file.managed, create a temporary file that is in /tmp instead of using the same directory the target file is. This fixes some problems with programs/daemons that could be monitoring that directory. bsc#1123716 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam)
committed
(revision 373)
new commit from concourse: Commit e49af82 by Markos Chandras mchandras@suse.de Jenkinsfile: Update repository information for jenkins-library
Containers Team (containersteam)
committed
(revision 372)
new commit from concourse: Commit 1e20516 by Florian Bergmann fbergmann@suse.de Add a dummy state to not have an empty state in an orchestration This is a workaround for https://github.com/saltstack/salt/issues/14553 when upgrading crio 1.9 to 1.10.
Containers Team (containersteam)
committed
(revision 371)
new commit from concourse: Commit c67d8f9 by dmaiocchi dmaiocchi@suse.com Improve states stability
- caasp_etcd.healthy function can fail even if the etcd cluster is healthy: adding a retry is a better solution for avoiding false-failure during orchs.
- add caasp_service for kubeapi-server.service, with this we are checking 10 times that the service is running in a row. (having service.running only can cause false failures)
- fixed some indentation around states.
Containers Team (containersteam)
committed
(revision 370)
new commit from concourse: Commit 9c06818 by Florian Bergmann fbergmann@suse.de Use iteritems from six import for python2/3 compatibility. Fixes bsc#1123497 Commit 1b21219 by Florian Bergmann fbergmann@suse.de Fix python3 iteration over dictionary. In python3 python prevents modifying the dictionary that is iterated over. Instead of modifying the dictionary a new one is constructed instead. Fixes bsc#1123497
Containers Team (containersteam)
committed
(revision 369)
new commit from concourse: Commit 78435fc by Jordi Massaguer Pla jmassaguerpla@suse.de use caasp v4 images from SUSE Registry
Containers Team (containersteam)
committed
(revision 368)
new commit from concourse: Commit b3b4568 by Markos Chandras mchandras@suse.de Jenkinsfile: Switch to dynamic library fetching and drop branch Instead of having the library hardcoded to Jenkins master, we can fetch it dynamically. We also drop the usage of library branches since it does not make sense to maintain such a thing in the CI. The master branch should be able to handle both development and release branches.
Containers Team (containersteam)
committed
(revision 367)
new commit from concourse: Commit 4280cf4 by Maximilian Meister mmeister@suse.de update critical pod configuration https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ bsc#1122783 Signed-off-by: Maximilian Meister <mmeister@suse.de>
Containers Team (containersteam)
committed
(revision 366)
new commit from concourse: Commit 32d6dbe by Maximilian Meister mmeister@suse.de [bsc#1125095] deployment timeout not correctly configured instead of setting the timeout we were only setting the retries which causes the timeout to be prolonged too much Signed-off-by: Maximilian Meister <mmeister@suse.de>
Containers Team (containersteam)
committed
(revision 365)
new commit from concourse: Commit a5d00a8 by Florian Bergmann fbergmann@suse.de Force basename on the system certificate name to prevent path traversal
Containers Team (containersteam)
committed
(revision 364)
new commit from concourse: Commit 4f75ad3 by Rafael Fernández López ereslibre@ereslibre.es Make nodename appear first on the /etc/hosts file Salt will pick the first name on the current default interface to determine the hostname of the machine. Since we are sorting with all entries for each machine there's a high chance that a salt minion id will win the first position, affecting certain grains that we use to determine the hostname of the node. Fixes: bsc#1117339
Containers Team (containersteam)
committed
(revision 363)
new commit from concourse: Commit d0d4384 by Michal Jura mjura@suse.com Enable kube-apiserver authentication to the kubelet (bsc#1121146) Kube-apiserver should authenticate to the kubelet with a client certificate and key. This is configured with the --kubelet-client-certificate and --kubelet-client-key flags provided to the API server. Kubelet has to be started with the --client-ca-file flag or clientCAFile option in kubelet-config.yaml file, this is providing a CA bundle to verify client certificates with. (cherry picked from commit 6309fb22ae122db6e2db2705fe47c1f4ae939ffb) Commit 1b083a4 by Michal Jura mjura@suse.com Disable anonymous access to Kubelet API (bsc#1121146) (cherry picked from commit dd88fe82fa8a611db1593025b5c61818e7a61999)
Containers Team (containersteam)
committed
(revision 362)
new commit from concourse: Commit 42c129a by Panos Georgiadis drpaneas@gmail.com Disable insecure port in kube-apiserver (bsc#1121148) _service kubernetes-salt.changes kubernetes-salt.spec master.tar.gz Fixes bnc#1121148 - Critical Security issue for KubeAPI Insecure API port exposed to all Master Node guest containers In older versions of Kubernetes, you could run kube-apiserver with an API port that does not have any protections around it. This PR disables insecure port by passing the --insecure-port=0 In recent versions, this has been disabled by default with the intention of completely deprecating it (cherry picked from commit 01d91482e9a84b05b3b6eaec6a94b7b19ee74ee4)
Containers Team (containersteam)
committed
(revision 361)
new commit from concourse: Commit cb017ed by Alvaro Saurin alvaro.saurin@gmail.com Use a writable directory for volume plugins Use the same volumes plugins directory for the controller-manager and the kubelet. bsc#1117942 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam)
committed
(revision 360)
new commit from concourse: Commit 8baefd4 by Panos Georgiadis drpaneas@gmail.com Run flannel in unprivileged mode (bsc#1121153 bsc#1121154) Fixes bsc#1121153 - High Security issue for Kubernetes: Flannel container runs in privileged mode This fix makes sure that flannel runs in unprivileged mode. This is done by changing the flannel manifests and also adding a new PSP policy that disables both privilege mode and privilege escalation. The new PSP activates 'NET_ADMIN' capability, hostNetwork and allowedHostPaths. _service kubernetes-salt.changes kubernetes-salt.spec master.tar.gz Fixes bsc#1121154 - High Security issue for Kubernetes: Flannel container has read/write access to /run, including docker.sock Change the path from '/run' into '/run/flannel' Co-authored-by: chentex <vzepedamas@suse.com> (cherry picked from commit 8216c9ce691c8174eb2fcd66a1a2fecc446ee106)
Containers Team (containersteam)
committed
(revision 359)
new commit from concourse: Commit 9ceeeab by dmaiocchi dmaiocchi@suse.com Improve msg of healthy function. Cluster is too generic, use etcd cluster instead
Containers Team (containersteam)
committed
(revision 358)
new commit from concourse: Commit 8443e0d by Markos Chandras mchandras@suse.de Jenkinsfile: Use docker cmdline directly instead of k8s Jenkins plugin The tox and flake8 pipelines are the only ones which depend on the k8s Jenkins plugin. As such, we can use docker directly in order to be able to drop the plugin from the server. The nodelabel is hardcoded because it does not make much sense to make this configurable given everything happens on a container.
Displaying revisions 1 - 20 of 377