🔥 Apply carried patches.

.ko.yaml

@@ -1,4 +1,5 @@
 # Use :nonroot base image for all containers
-defaultBaseImage: gcr.io/distroless/static:nonroot
+defaultBaseImage: registry.access.redhat.com/ubi8/ubi-minimal:latest
 baseImageOverrides:
+  knative.dev/serving/test/test_images/runtime: gcr.io/distroless/static:nonroot
   knative.dev/serving/vendor/github.com/tsenart/vegeta/v12: ubuntu:latest

config/core/200-roles/config-map-view-downstream.yaml

@@ -0,0 +1,25 @@
+# Extra role for downstream, so that users can get the autoscaling CM to fetch defaults.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: knative-serving
+  name: openshift-serverless-view-serving-configmaps
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-autoscaler"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openshift-serverless-view-serving-configmaps
+  namespace: knative-serving
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-serverless-view-serving-configmaps

config/core/deployments/activator-hpa.yaml

@@ -50,7 +50,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: activator

config/core/deployments/webhook-hpa.yaml

@@ -48,7 +48,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: webhook

openshift/release/artifacts/serving-core.yaml

@@ -1,26 +1,4 @@
 ---
-# Copyright 2018 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: knative-serving
-  labels:
-    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "release-v1.12"
----
 # Copyright 2023 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -235,6 +213,32 @@ rules:
     resources: ["images"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 ---
+# Extra role for downstream, so that users can get the autoscaling CM to fetch defaults.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: knative-serving
+  name: openshift-serverless-view-serving-configmaps
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-autoscaler"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openshift-serverless-view-serving-configmaps
+  namespace: knative-serving
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-serverless-view-serving-configmaps
+---
 # Copyright 2019 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -6147,7 +6151,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: "release-v1.12"
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: activator
@@ -6640,7 +6644,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: "release-v1.12"
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: webhook

pkg/apis/serving/v1/revision_defaults.go

@@ -189,21 +189,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 	if updatedSC.AllowPrivilegeEscalation == nil {
 		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
 	}
-	if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
-		if updatedSC.SeccompProfile == nil {
-			updatedSC.SeccompProfile = &corev1.SeccompProfile{}
-		}
-		if updatedSC.SeccompProfile.Type == "" {
-			updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
-		}
-	}
+
 	if updatedSC.Capabilities == nil {
 		updatedSC.Capabilities = &corev1.Capabilities{}
 		updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
 		// Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
 		needsLowPort := false
 		for _, p := range container.Ports {
-			if p.ContainerPort < 1024 {
+			if p.ContainerPort > 0 && p.ContainerPort < 1024 {
 				needsLowPort = true
 				break
 			}
@@ -212,11 +205,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 			updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
 		}
 	}
-
-	if psc.RunAsNonRoot == nil {
+	if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {
 		updatedSC.RunAsNonRoot = ptr.Bool(true)
 	}
-
 	if *updatedSC != (corev1.SecurityContext{}) {
 		container.SecurityContext = updatedSC
 	}

pkg/apis/serving/v1/revision_defaults_test.go

@@ -900,11 +900,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 								Add:  []corev1.Capability{"NET_BIND_SERVICE"},
@@ -914,11 +911,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},
@@ -927,11 +921,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "special-sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Add:  []corev1.Capability{"NET_ADMIN"},
 								Drop: []corev1.Capability{},
@@ -941,12 +932,12 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "special-init",
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type:             corev1.SeccompProfileTypeLocalhost,
 								LocalhostProfile: ptr.String("special"),
 							},
+							RunAsNonRoot: ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Add: []corev1.Capability{"NET_ADMIN"},
 							},
@@ -1004,8 +995,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},
@@ -1014,8 +1005,8 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "init",
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},

pkg/reconciler/revision/resources/queue.go

@@ -86,9 +86,6 @@ var (
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		},
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
 	}
 )
 

test/e2e/grpc_test.go

@@ -34,7 +34,6 @@ import (
 
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
 	corev1 "k8s.io/api/core/v1"
@@ -68,9 +67,6 @@ func hasPort(u string) bool {
 
 func dial(ctx *TestContext, host, domain string) (*grpc.ClientConn, error) {
 	defaultPort := "80"
-	if test.ServingFlags.HTTPS {
-		defaultPort = "443"
-	}
 	if !hasPort(host) {
 		host = net.JoinHostPort(host, defaultPort)
 	}
@@ -83,12 +79,6 @@ func dial(ctx *TestContext, host, domain string) (*grpc.ClientConn, error) {
 	}
 
 	creds := insecure.NewCredentials()
-	if test.ServingFlags.HTTPS {
-		tlsConfig := test.TLSClientConfig(context.Background(), ctx.t.Logf, ctx.clients)
-		// Set ServerName for pseudo hostname with TLS.
-		tlsConfig.ServerName = domain
-		creds = credentials.NewTLS(tlsConfig)
-	}
 
 	return grpc.Dial(
 		host,
@@ -321,11 +311,6 @@ func streamTest(tc *TestContext, host, domain string) {
 
 func testGRPC(t *testing.T, f grpcTest, fopts ...rtesting.ServiceOption) {
 	t.Helper()
-	// TODO: https option with parallel leads to flakes.
-	// https://github.com/knative/serving/issues/11387
-	if !test.ServingFlags.HTTPS {
-		t.Parallel()
-	}
 
 	// Setup
 	clients := Setup(t)
@@ -366,16 +351,13 @@ func testGRPC(t *testing.T, f grpcTest, fopts ...rtesting.ServiceOption) {
 	}
 
 	host := url.Host
-	if !test.ServingFlags.ResolvableDomain {
+	if true {
 		addr, mapper, err := ingress.GetIngressEndpoint(context.Background(), clients.KubeClient, pkgTest.Flags.IngressEndpoint)
 		if err != nil {
 			t.Fatal("Could not get service endpoint:", err)
 		}
-		if test.ServingFlags.HTTPS {
-			host = net.JoinHostPort(addr, mapper("443"))
-		} else {
-			host = net.JoinHostPort(addr, mapper("80"))
-		}
+
+		host = net.JoinHostPort(addr, mapper("80"))
 	}
 
 	f(&TestContext{

test/e2e/securedefaults/secure_pod_defaults_test.go

@@ -60,9 +60,6 @@ func TestSecureDefaults(t *testing.T) {
 	if revisionSC.AllowPrivilegeEscalation == nil || *revisionSC.AllowPrivilegeEscalation {
 		t.Errorf("Expected allowPrivilegeEscalation: false, got %v", revisionSC.AllowPrivilegeEscalation)
 	}
-	if revisionSC.SeccompProfile == nil || revisionSC.SeccompProfile.Type != v1.SeccompProfileTypeRuntimeDefault {
-		t.Errorf("Expected seccompProfile to be RuntimeDefault, got: %v", revisionSC.SeccompProfile)
-	}
 }
 
 func TestUnsafePermitted(t *testing.T) {

vendor/knative.dev/pkg/controller/stats_reporter.go

@@ -199,7 +199,7 @@ func (r *reporter) ReportReconcile(duration time.Duration, success string, key t
 		return err
 	}
 
-	metrics.RecordBatch(ctx, reconcileCountStat.M(1),
-		reconcileLatencyStat.M(duration.Milliseconds()))
+	// TODO skonto: fix latency histograms
+	metrics.Record(ctx, reconcileCountStat.M(1))
 	return nil
 }

vendor/knative.dev/pkg/test/helpers/name.go

@@ -26,7 +26,7 @@ import (
 const (
 	letterBytes     = "abcdefghijklmnopqrstuvwxyz"
 	randSuffixLen   = 8
-	nameLengthLimit = 50
+	nameLengthLimit = 40
 	sep             = '-'
 	sepS            = "-"
 	testNamePrefix  = "Test"