Update release-1.5 to 1.5.1

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '30 14 * * *'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Change Log
 
+## v1.5.1
+> Chang log since v1.5.0
+
+In version 1.5.1, the focus was on enhancing UnitedDeployment and addressing various bug fixes:
+
+- Add the ability to plan the lower and upper bound of capacity to the subsets in UnitedDeployment ([#1428](https://github.com/openkruise/kruise/pull/1428), [@veophi](https://github.com/veophi))
+
+- Fix unexpected job recreation by adding controller-revision-hash label for ImageListPullJob. ([#1441](https://github.com/openkruise/kruise/pull/1428), [@veophi](https://github.com/veophi))
+
+- Add prometheus metrics for pub and deletion protection to enhance observability for pub & deletion protection ([#1398](https://github.com/openkruise/kruise/pull/1398), [@zmberg](https://github.com/zmberg))
+
+- Add enable pprof flag for kruise daemon, now you can disable the pprof of kruise daemon ([#1416](https://github.com/openkruise/kruise/pull/1416), [@chengjoey](https://github.com/chengjoey))
+
+- Fix SidecarSet upgrade exception for UpdateExpectations to solve the problem of updating the image of the sidecar container ([#1435](https://github.com/openkruise/kruise/pull/1435), [@zmberg](https://github.com/zmberg)])
+
+- add audit log for pub and deletion protection to enhance observability for pub & deletion protection  ([#1438](https://github.com/openkruise/kruise/pull/1438), [@zmberg](https://github.com/zmberg)])
+
 ## v1.5.0
 > Change log since v1.4.0
 

apis/apps/defaults/v1alpha1.go

@@ -225,6 +225,25 @@ func SetDefaultsUnitedDeployment(obj *v1alpha1.UnitedDeployment, injectTemplateD
 			}
 		}
 	}
+
+	hasReplicasSettings := false
+	hasCapacitySettings := false
+	for _, subset := range obj.Spec.Topology.Subsets {
+		if subset.Replicas != nil {
+			hasReplicasSettings = true
+		}
+		if subset.MinReplicas != nil || subset.MaxReplicas != nil {
+			hasCapacitySettings = true
+		}
+	}
+	if hasCapacitySettings && !hasReplicasSettings {
+		for i := range obj.Spec.Topology.Subsets {
+			subset := &obj.Spec.Topology.Subsets[i]
+			if subset.MinReplicas == nil {
+				subset.MinReplicas = &intstr.IntOrString{Type: intstr.Int, IntVal: 0}
+			}
+		}
+	}
 }
 
 // SetDefaults_CloneSet set default values for CloneSet.

apis/apps/v1alpha1/containerrecreaterequest_types.go

@@ -44,7 +44,9 @@ type ContainerRecreateRequestSpec struct {
 	// PodName is name of the Pod that owns the recreated containers.
 	PodName string `json:"podName"`
 	// Containers contains the containers that need to recreate in the Pod.
-	Containers []ContainerRecreateRequestContainer `json:"containers"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Containers []ContainerRecreateRequestContainer `json:"containers" patchStrategy:"merge" patchMergeKey:"name"`
 	// Strategy defines strategies for containers recreation.
 	Strategy *ContainerRecreateRequestStrategy `json:"strategy,omitempty"`
 	// ActiveDeadlineSeconds is the deadline duration of this ContainerRecreateRequest.

apis/apps/v1alpha1/ephemeraljob_types.go

@@ -75,7 +75,9 @@ type EphemeralContainerTemplateSpec struct {
 	// EphemeralContainers defines ephemeral container list in match pods.
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// +kubebuilder:validation:Schemaless
-	EphemeralContainers []v1.EphemeralContainer `json:"ephemeralContainers"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	EphemeralContainers []v1.EphemeralContainer `json:"ephemeralContainers" patchStrategy:"merge" patchMergeKey:"name"`
 }
 
 // EphemeralJobStatus defines the observed state of EphemeralJob

apis/apps/v1alpha1/pod_probe_marker_types.go

@@ -31,7 +31,9 @@ type PodProbeMarkerSpec struct {
 	// Probe Result will record in Pod.Status.Conditions, and condition.type=probe.name.
 	// condition.status=True indicates probe success
 	// condition.status=False indicates probe fails
-	Probes []PodContainerProbe `json:"probes"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Probes []PodContainerProbe `json:"probes" patchStrategy:"merge" patchMergeKey:"name"`
 }
 
 type PodContainerProbe struct {
@@ -44,7 +46,9 @@ type PodContainerProbe struct {
 	// According to the execution result of ContainerProbe, perform specific actions,
 	// such as: patch Pod labels, annotations, ReadinessGate Condition
 	// It cannot be null at the same time as PodConditionType.
-	MarkerPolicy []ProbeMarkerPolicy `json:"markerPolicy,omitempty"`
+	// +patchMergeKey=state
+	// +patchStrategy=merge
+	MarkerPolicy []ProbeMarkerPolicy `json:"markerPolicy,omitempty"  patchStrategy:"merge" patchMergeKey:"state"`
 	// If it is not empty, the Probe execution result will be recorded on the Pod condition.
 	// It cannot be null at the same time as MarkerPolicy.
 	// For example PodConditionType=game.kruise.io/healthy, pod.status.condition.type = game.kruise.io/healthy.

apis/apps/v1alpha1/resourcedistribution_types.go

@@ -69,8 +69,10 @@ type ResourceDistributionTargetNamespaces struct {
 		Pattern string `json:"pattern,omitempty"`
 	*/
 
+	// +patchMergeKey=name
+	// +patchStrategy=merge
 	// +optional
-	List []ResourceDistributionNamespace `json:"list,omitempty"`
+	List []ResourceDistributionNamespace `json:"list,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 }
 
 // ResourceDistributionNamespace contains a namespace name

apis/apps/v1alpha1/sidecarset_types.go

@@ -49,15 +49,21 @@ type SidecarSetSpec struct {
 	// InitContainers is the list of init containers to be injected into the selected pod
 	// We will inject those containers by their name in ascending order
 	// We only inject init containers when a new pod is created, it does not apply to any existing pod
-	InitContainers []SidecarContainer `json:"initContainers,omitempty"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	InitContainers []SidecarContainer `json:"initContainers,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// Containers is the list of sidecar containers to be injected into the selected pod
-	Containers []SidecarContainer `json:"containers,omitempty"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Containers []SidecarContainer `json:"containers,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// List of volumes that can be mounted by sidecar containers
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// +kubebuilder:validation:Schemaless
-	Volumes []corev1.Volume `json:"volumes,omitempty"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Volumes []corev1.Volume `json:"volumes,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// The sidecarset updateStrategy to use to replace existing pods with new ones.
 	UpdateStrategy SidecarSetUpdateStrategy `json:"updateStrategy,omitempty"`
@@ -66,7 +72,9 @@ type SidecarSetSpec struct {
 	InjectionStrategy SidecarSetInjectionStrategy `json:"injectionStrategy,omitempty"`
 
 	// List of the names of secrets required by pulling sidecar container images
-	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// RevisionHistoryLimit indicates the maximum quantity of stored revisions about the SidecarSet.
 	// default value is 10

apis/apps/v1alpha1/uniteddeployment_types.go

@@ -161,8 +161,10 @@ type ManualUpdate struct {
 type Topology struct {
 	// Contains the details of each subset. Each element in this array represents one subset
 	// which will be provisioned and managed by UnitedDeployment.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
 	// +optional
-	Subsets []Subset `json:"subsets,omitempty"`
+	Subsets []Subset `json:"subsets,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 }
 
 // Subset defines the detail of a subset.
@@ -187,8 +189,26 @@ type Subset struct {
 	// percentage like '10%', which means 10% of UnitedDeployment replicas of pods will be distributed
 	// under this subset. If nil, the number of replicas in this subset is determined by controller.
 	// Controller will try to keep all the subsets with nil replicas have average pods.
+	// Replicas and MinReplicas/MaxReplicas are mutually exclusive in a UnitedDeployment.
 	// +optional
 	Replicas *intstr.IntOrString `json:"replicas,omitempty"`
+
+	// Indicates the lower bounded replicas of the subset.
+	// MinReplicas must be more than or equal to 0 if it is set.
+	// Controller will prioritize satisfy minReplicas for each subset
+	// according to the order of Topology.Subsets.
+	// Defaults to 0.
+	// +optional
+	MinReplicas *intstr.IntOrString `json:"minReplicas,omitempty"`
+
+	// Indicates the upper bounded replicas of the subset.
+	// MaxReplicas must be more than or equal to MinReplicas.
+	// MaxReplicas == nil means no limitation.
+	// Please ensure that at least one subset has empty MaxReplicas(no limitation) to avoid stuck scaling.
+	// Defaults to nil.
+	// +optional
+	MaxReplicas *intstr.IntOrString `json:"maxReplicas,omitempty"`
+
 	// Patch indicates patching to the templateSpec.
 	// Patch takes precedence over other fields
 	// If the Patch also modifies the Replicas, NodeSelectorTerm or Tolerations, use value in the Patch

apis/apps/v1alpha1/workloadspread_types.go

@@ -29,7 +29,9 @@ type WorkloadSpreadSpec struct {
 	TargetReference *TargetReference `json:"targetRef"`
 
 	// Subsets describes the pods distribution details between each of subsets.
-	Subsets []WorkloadSpreadSubset `json:"subsets"`
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Subsets []WorkloadSpreadSubset `json:"subsets" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// ScheduleStrategy indicates the strategy the WorkloadSpread used to preform the schedule between each of subsets.
 	// +optional

cmd/daemon/main.go

@@ -37,8 +37,9 @@ import (
 )
 
 var (
-	bindAddr  = flag.String("addr", ":10221", "The address the metric endpoint and healthz binds to.")
-	pprofAddr = flag.String("pprof-addr", ":10222", "The address the pprof binds to.")
+	bindAddr    = flag.String("addr", ":10221", "The address the metric endpoint and healthz binds to.")
+	pprofAddr   = flag.String("pprof-addr", ":10222", "The address the pprof binds to.")
+	enablePprof = flag.Bool("enable-pprof", true, "Enable pprof for daemon.")
 )
 
 func main() {
@@ -55,11 +56,13 @@ func main() {
 	if err := client.NewRegistry(cfg); err != nil {
 		klog.Fatalf("Failed to init clientset registry: %v", err)
 	}
-	go func() {
-		if err := http.ListenAndServe(*pprofAddr, nil); err != nil {
-			klog.Fatal(err, "unable to start pprof")
-		}
-	}()
+	if enablePprof != nil && *enablePprof {
+		go func() {
+			if err := http.ListenAndServe(*pprofAddr, nil); err != nil {
+				klog.Fatal(err, "unable to start pprof")
+			}
+		}()
+	}
 	ctx := signals.SetupSignalHandler()
 	d, err := daemon.NewDaemon(cfg, *bindAddr)
 	if err != nil {

config/crd/bases/apps.kruise.io_uniteddeployments.yaml

@@ -975,6 +975,26 @@ spec:
                     items:
                       description: Subset defines the detail of a subset.
                       properties:
+                        maxReplicas:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Indicates the upper bounded replicas of the
+                            subset. MaxReplicas must be more than or equal to MinReplicas.
+                            MaxReplicas == nil means no limitation. Please ensure
+                            that at least one subset has empty MaxReplicas(no limitation)
+                            to avoid stuck scaling. Defaults to nil.
+                          x-kubernetes-int-or-string: true
+                        minReplicas:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: Indicates the lower bounded replicas of the
+                            subset. MinReplicas must be more than or equal to 0 if
+                            it is set. Controller will prioritize satisfy minReplicas
+                            for each subset according to the order of Topology.Subsets.
+                            Defaults to 0.
+                          x-kubernetes-int-or-string: true
                         name:
                           description: Indicates subset name as a DNS_LABEL, which
                             will be used to generate subset workload name prefix in
@@ -1072,7 +1092,8 @@ spec:
                             pods will be distributed under this subset. If nil, the
                             number of replicas in this subset is determined by controller.
                             Controller will try to keep all the subsets with nil replicas
-                            have average pods.
+                            have average pods. Replicas and MinReplicas/MaxReplicas
+                            are mutually exclusive in a UnitedDeployment.
                           x-kubernetes-int-or-string: true
                         tolerations:
                           description: Indicates the tolerations the pods under this