OCPBUGS-78990: Bump 1.35.3 to master

build/common.sh

@@ -348,6 +348,9 @@ function kube::build::clean() {
     if [[ -d "${LOCAL_OUTPUT_ROOT}/local/go/cache" ]]; then
       chmod -R +w "${LOCAL_OUTPUT_ROOT}/local/go/cache"
     fi
+    if [[ -d "${LOCAL_OUTPUT_ROOT}/dockerized/go/cache" ]]; then
+      chmod -R +w "${LOCAL_OUTPUT_ROOT}/dockerized/go/cache"
+    fi
     rm -rf "${LOCAL_OUTPUT_ROOT}"
   fi
 }

build/dependencies.yaml

@@ -114,15 +114,6 @@ dependencies:
     - path: cluster/images/etcd/Makefile
       match: 'GOLANG_VERSION := \d+.\d+(alpha|beta|rc)?\.?(\d+)?'
 
-  # Golang
-  # TODO: this should really be eliminated and controlled by .go-version
-  - name: "golang: upstream version"
-    version: 1.25.7
-    refPaths:
-    - path: .go-version
-    - path: staging/publishing/rules.yaml
-      match: 'default-go-version\: \d+.\d+(alpha|beta|rc)?\.?(\d+)?'
-
   # This should ideally be updated to match the golang version
   # but we can dynamically fetch go if the base image is out of date.
   # This allows us to ship go updates more quickly.

cmd/kubeadm/app/cmd/phases/reset/unmount_linux.go

@@ -70,6 +70,12 @@ func unmountKubeletDirectory(kubeletRunDirectory string, flags []string) error {
 		}
 		klog.V(5).Infof("[reset] Unmounting %q", m[1])
 		if err := syscall.Unmount(m[1], flagsInt); err != nil {
+			// EINVAL is expected here if a duplicate mount entry
+			// was already unmounted via its shared peer.
+			if err == syscall.EINVAL {
+				klog.Warningf("[reset] Ignoring EINVAL error while unmounting %q", m[1])
+				continue
+			}
 			errList = append(errList, errors.WithMessagef(err, "failed to unmount %q", m[1]))
 		}
 	}

cmd/kubeadm/app/util/etcd/etcd.go

@@ -533,8 +533,10 @@ func (c *Client) addMember(name string, peerAddrs string, isLearner bool) ([]Mem
 		ret = append(ret, Member{Name: memberName, PeerURL: m.PeerURLs[0]})
 	}
 
-	// Add the new member client address to the list of endpoints
-	c.Endpoints = append(c.Endpoints, GetClientURLByIP(parsedPeerAddrs.Hostname()))
+	if !isLearner {
+		// Add the new member client address to the list of endpoints
+		c.Endpoints = append(c.Endpoints, GetClientURLByIP(parsedPeerAddrs.Hostname()))
+	}
 
 	return ret, nil
 }

openshift-hack/images/hyperkube/Dockerfile.rhel

@@ -15,4 +15,4 @@ COPY --from=builder /tmp/build/* /usr/bin/
 LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \
       io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
       io.openshift.tags="openshift,hyperkube" \
-      io.openshift.build.versions="kubernetes=1.35.2"
+      io.openshift.build.versions="kubernetes=1.35.3"

pkg/controller/devicetainteviction/device_taint_eviction.go

@@ -434,6 +434,7 @@ func (tc *Controller) maybeDeletePod(ctx context.Context, podRef tainteviction.N
 			// Doing this immediately is not useful because
 			// it would just race with the informers update
 			// (rule status reads from cache!).
+			tc.logger.V(5).Info("Adding delayed status update because of pod eviction", "deviceTaintRule", klog.KObj(reason.rule), "delay", ruleStatusPeriod)
 			tc.workqueue.AddAfter(workItemForRule(reason.rule), ruleStatusPeriod)
 		}
 	}
@@ -1016,7 +1017,14 @@ func (tc *Controller) Run(ctx context.Context, numWorkers int) error {
 func (tc *Controller) evictPod(podRef tainteviction.NamespacedObject, eviction evictionAndReason) {
 	tc.deletePodAt[podRef] = eviction
 	now := time.Now()
-	tc.workqueue.AddAfter(workItem{podRef: podRef}, eviction.when.Sub(now))
+	delay := eviction.when.Sub(now)
+	if delay <= 0 {
+		tc.logger.V(3).Info("Adding immediate pod eviction", "pod", podRef, "eviction", eviction)
+		tc.workqueue.Add(workItem{podRef: podRef})
+	} else {
+		tc.logger.V(3).Info("Adding delayed pod eviction", "pod", podRef, "eviction", eviction, "delay", delay)
+		tc.workqueue.AddAfter(workItem{podRef: podRef}, delay)
+	}
 
 	if tc.evictPodHook != nil {
 		tc.evictPodHook(podRef, eviction)
@@ -1275,7 +1283,8 @@ func (tc *Controller) handleRuleChange(oldRule, newRule *resourcealpha.DeviceTai
 	}
 
 	if oldRule == nil {
-		// Update the status at least once.
+		// Update the status at least once, immediately and before evicting any pods.
+		tc.logger.V(5).Info("Adding immediate status update because of new rule", "deviceTaintRule", klog.KObj(newRule))
 		tc.workqueue.Add(workItemForRule(newRule))
 	}
 
@@ -1289,9 +1298,13 @@ func (tc *Controller) handleRuleChange(oldRule, newRule *resourcealpha.DeviceTai
 
 	if oldRule != nil &&
 		newRule != nil &&
-		oldRule.UID == newRule.UID &&
-		apiequality.Semantic.DeepEqual(&oldRule.Spec, &newRule.Spec) {
-		return
+		oldRule.UID == newRule.UID {
+		if apiequality.Semantic.DeepEqual(&oldRule.Spec, &newRule.Spec) {
+			return
+		}
+		// Update the status at least once, immediately and before evicting any pods.
+		tc.logger.V(5).Info("Adding immediate status update because of modified rule spec", "deviceTaintRule", klog.KObj(newRule))
+		tc.workqueue.Add(workItemForRule(newRule))
 	}
 
 	// Rule spec changes should be rare. Simply do a brute-force re-evaluation of all allocated claims.
@@ -1475,13 +1488,14 @@ func (tc *Controller) handlePod(pod *v1.Pod) {
 		return
 	}
 
-	tc.logger.V(3).Info("Going to evict pod", "pod", podRef, "eviction", eviction)
 	tc.evictPod(podRef, *eviction)
 
 	// If any reason is because of a taint, then eviction is in progress and the status may need to be updated.
+	// But don't do it immediately because more pod changes may be coming in.
 	for _, reason := range eviction.reason {
 		if reason.rule != nil {
-			tc.workqueue.Add(workItemForRule(reason.rule))
+			tc.logger.V(5).Info("Adding delayed status update because of pod change", "deviceTaintRule", klog.KObj(reason.rule), "delay", ruleStatusPeriod)
+			tc.workqueue.AddAfter(workItemForRule(reason.rule), ruleStatusPeriod)
 		}
 	}
 }