pull from upstream #3
Open
fvalle1 wants to merge 1729 commits into
Dump containerd config files
azure: list VMSS NICs in protokube gossip seed discovery
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
etcd-manager: upgrade to v3.0.20260512
Use N4A machine type in GCE
hetzner: upgrade CCM to v1.31.0
hetzner: upgrade CSI driver to v2.20.2
kops toolbox dump fixes
Disable kube-proxy when Calico runs in eBPF mode
VFS used to fall back to listing every EC2 region via DescribeRegions and fanning out one GetBucketLocation per region whenever the initial GetBucketLocation failed (cross-account buckets). That pulled the entire EC2 SDK into every kops binary purely for one call. HeadBucket can be called against any region in the partition: S3 returns the bucket region in BucketRegion on success and in the x-amz-bucket-region response header on cross-region 301 redirects. One call replaces the fanout and drops the EC2 SDK from the channels binary (~28 MB smaller).
vfs: Use HeadBucket to resolve S3 bucket region
Used only for two well-known tag constants (kubernetes.io/role/elb and kubernetes.io/role/internal-elb), shrinking the kops binary by ~4MB.
aws: Drop cloud-provider-aws dependency
Cloud.DeregisterInstance failures were logged but the node-groups loop continued, leaving every worker tainted with kops.k8s.io/scheduled-for-update. Mark these errors exitable so the roll bails out on the first failure.
Abort rolling update on load balancer deregister failure
Nodeup uses curl which does not support s3://, so accepting such URLs silently leads to nodes failing to boot. Validate the scheme upfront.
The kops create instancegroup command applies a kops.k8s.io/instancegroup node label so workloads can target a specific instance group via affinity or label selectors. Instance groups generated by kops create cluster did not receive this label, leaving the two code paths inconsistent.
chore: downgrade containerd to v2.2.4
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
test: avoid kubeconfig access in golden tests
scaletest: Build only linux/amd64 in kubernetes scalability presubmits
…ates scaletest: Allow feature gates to be set in scalability tests
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
gVisor (runsc) was previously installable on any instance group role. Restrict it to nodes with role Node: reject cluster/IG configs that enable gVisor on control plane, apiserver, or bastion roles, strip the gVisor config from non-worker nodeup configs, and only apply the gVisor node label and RuntimeClass addon when a worker has it enabled. Also harden nil handling for cluster.Spec.Containerd in nodeup config and bootstrapchannelbuilder. Update release notes and add tests across validation, nodeup config, gvisor builder, and instancegroup spec.
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
feat: add gVisor RuntimeClass support for containerd
…ctions/checkout-6.0.3 build(deps): bump actions/checkout from 6.0.2 to 6.0.3
Surface Calico's Felix NFTablesMode (Disabled, Enabled, Auto) as a field on CalicoNetworkingSpec and propagate it to the calico-node DaemonSet via FELIX_NFTABLESMODE. When left unset, the upstream Calico chart default applies, preserving existing behavior. On distributions where iptables is only present as a shim over nftables (e.g. RHEL10+, Rocky10+), routing Felix's data plane through iptables-nft / nft_compat has produced BGP session flapping and broken pod networking on GCE. This field lets clusters opt their Calico install into native nftables on those nodes.
Calico: add NFTablesMode setting
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
etcd-manager: switch to go-runner-based distroless image
kube-proxy: assert buildPod command in unit test
gVisor: add HasGVisor() helper function
…nect dump: add --node-dump-timeout flag for per-node dump timeout
scaletest: Default node dump timeout to 5m in scalability run-test.sh
No description provided.