Merge branch 'master' of https://github.com/kubernetes/minikube into json-output

2020-07-10 19:12:50 -04:00 · 2020-07-10 19:12:50 -04:00 · 3a290606db
parent bfa4575a5f 442bc138ce
commit 3a290606db
60 changed files with 779 additions and 327 deletions
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@ -80,6 +80,8 @@ jobs:
        continue-on-error: false
  # Run the following integration tests after the build_minikube
  # They will run in parallel and use the binaries in previous step
+  # Run the following integration tests after the build_minikube
+  # They will run in parallel and use the binaries in previous step
  functional_docker_ubuntu:
    needs: [build_minikube]
    env:
@ -194,6 +196,16 @@ jobs:
        run: |
          brew install docker-machine docker
          sudo docker --version
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Download Binaries
        uses: actions/download-artifact@v1
        with:
@ -666,6 +678,16 @@ jobs:
        run: |
          brew install docker-machine docker
          sudo docker --version
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k      
      - name: Download Binaries
        uses: actions/download-artifact@v1
        with:
@ -830,6 +852,16 @@ jobs:
        uses: actions/download-artifact@v1
        with:
          name: minikube_binaries
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Run Integration Test
        continue-on-error: true
        # bash {0} to allow test to continue to next step. in case of
@ -988,6 +1020,16 @@ jobs:
        uses: actions/download-artifact@v1
        with:
          name: minikube_binaries
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Run Integration Test
        continue-on-error: false
        # bash {0} to allow test to continue to next step. in case of
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -192,6 +192,16 @@ jobs:
        run: |
          brew install docker-machine docker
          sudo docker --version
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Download Binaries
        uses: actions/download-artifact@v1
        with:
@ -664,6 +674,16 @@ jobs:
        run: |
          brew install docker-machine docker
          sudo docker --version
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k      
      - name: Download Binaries
        uses: actions/download-artifact@v1
        with:
@ -828,6 +848,16 @@ jobs:
        uses: actions/download-artifact@v1
        with:
          name: minikube_binaries
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Run Integration Test
        continue-on-error: true
        # bash {0} to allow test to continue to next step. in case of
@ -986,6 +1016,16 @@ jobs:
        uses: actions/download-artifact@v1
        with:
          name: minikube_binaries
+      - name: Info
+        shell: bash
+        run: |
+          hostname
+          VBoxManage --version
+          sysctl hw.physicalcpu hw.logicalcpu 
+      - name: Disable firewall
+        run: |
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k
      - name: Run Integration Test
        continue-on-error: false
        # bash {0} to allow test to continue to next step. in case of
--- a/.travis.yml
+++ b/.travis.yml
@ -3,7 +3,7 @@
 os: linux
 language: go
 go:
-  - 1.13.9
+  - 1.14.4
 env:
  global:
    - GOPROXY=https://proxy.golang.org
@ -11,7 +11,7 @@ matrix:
  include:
    - language: go
      name: Code Lint
-      go: 1.13.9
+      go: 1.14.4
      env:
        - TESTSUITE=lintall
      before_install:
@ -20,7 +20,7 @@ matrix:

    - language: go
      name: Unit Test
-      go: 1.13.9
+      go: 1.14.4
      env:
        - TESTSUITE=unittest
      before_install:
@ -29,7 +29,7 @@ matrix:

    - language: go
      name: Build
-      go: 1.13.9
+      go: 1.14.4
      script: make
 after_success:
  - bash <(curl -s https://codecov.io/bash)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,35 @@
 # Release Notes

+## Version 1.12.0 - 2020-07-09
+
+Features:
+
+* new addon : pod-security-policy [#8454](https://github.com/kubernetes/minikube/pull/8454)
+* new --extra-config option to config "scheduler" [#8147](https://github.com/kubernetes/minikube/pull/8147)
+
+ISO Changes:
+
+* Upgrade Docker, from 19.03.11 to 19.03.12 [#8643](https://github.com/kubernetes/minikube/pull/8643)
+* Upgrade crio to 1.18.2 [#8645](https://github.com/kubernetes/minikube/pull/8645)
+
+Bug fixes:
+
+* none: Fix 'minikube delete' issues when the apiserver is down  [#8664](https://github.com/kubernetes/minikube/pull/8664)
+
+Huge thank you for this release towards our contributors:
+
+- Anders F Björklund
+- Ilya Danilkin
+- Jani Poikela
+- Li Zhijian
+- Matt Broberg
+- Medya Ghazizadeh
+- Priya Wadhwa
+- Sharif Elgamal
+- Thomas Strömberg
+- colvin
+- vinu2003
+
 ## Version 1.12.0-beta.1 - 2020-07-01

 Features:
@ -9,7 +39,7 @@ Features:
 * Reduce coredns replicas from 2 to 1 [#8552](https://github.com/kubernetes/minikube/pull/8552)
 * Allow passing in extra args to etcd via command line [#8551](https://github.com/kubernetes/minikube/pull/8551)

-Minor Impovements:
+Minor Improvements:

 * Kernel with CONFIG_IKHEADERS for BPF tools on Kubernetes [#8582](https://github.com/kubernetes/minikube/pull/8582)
 * CNI: Update CRIO netconfig with matching subnet [#8570](https://github.com/kubernetes/minikube/pull/8570)
@ -20,7 +50,6 @@ Minor Impovements:
 * Gracefully exit if container runtime is misspelled [#8593](https://github.com/kubernetes/minikube/pull/8593)
 * add verification for enabling ingress, registry and gvisor addons [#8563](https://github.com/kubernetes/minikube/pull/8563)
 * Disable containerd from starting up at boot [#8621](https://github.com/kubernetes/minikube/pull/8621)
-* Upgrade podman to 2.0.0 [#8539](https://github.com/kubernetes/minikube/pull/8539)
 * Bump Dashboard to v2.0.1 [#8294](https://github.com/kubernetes/minikube/pull/8294)
 * Check for iptables file before determining container is running [#8565](https://github.com/kubernetes/minikube/pull/8565)

--- a/10
+++ b/10
@ -15,7 +15,7 @@
 # Bump these on release - and please check ISO_VERSION for correctness.
 VERSION_MAJOR ?= 1
 VERSION_MINOR ?= 12
-VERSION_BUILD ?= 0-beta.1
+VERSION_BUILD ?= 0
 RAW_VERSION=$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 VERSION ?= v$(RAW_VERSION)

@ -23,13 +23,13 @@ KUBERNETES_VERSION ?= $(shell egrep "DefaultKubernetesVersion =" pkg/minikube/co
 KIC_VERSION ?= $(shell egrep "Version =" pkg/drivers/kic/types.go | cut -d \" -f2)

 # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions
-ISO_VERSION ?= v1.11.0
+ISO_VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).0
 # Dashes are valid in semver, but not Linux packaging. Use ~ to delimit alpha/beta
 DEB_VERSION ?= $(subst -,~,$(RAW_VERSION))
 RPM_VERSION ?= $(DEB_VERSION)

 # used by hack/jenkins/release_build_and_upload.sh and KVM_BUILD_IMAGE, see also BUILD_IMAGE below
-GO_VERSION ?= 1.13.9
+GO_VERSION ?= 1.14.4

 INSTALL_SIZE ?= $(shell du out/minikube-windows-amd64.exe | cut -f1)
 BUILDROOT_BRANCH ?= 2019.02.11
@ -41,8 +41,8 @@ COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO

 HYPERKIT_BUILD_IMAGE 	?= karalabe/xgo-1.12.x
 # NOTE: "latest" as of 2020-05-13. kube-cross images aren't updated as often as Kubernetes
-# https://github.com/kubernetes/kubernetes/blob/release-1.18/build/build-image/cross/VERSION
-BUILD_IMAGE 	?= us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v$(GO_VERSION)-5
+# https://github.com/kubernetes/kubernetes/blob/master/build/build-image/cross/VERSION
+BUILD_IMAGE 	?= us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v$(GO_VERSION)-2
 ISO_BUILD_IMAGE ?= $(REGISTRY)/buildroot-image
 KVM_BUILD_IMAGE ?= $(REGISTRY)/kvm-build-image:$(GO_VERSION)

--- a/cmd/minikube/cmd/config/profile.go
+++ b/cmd/minikube/cmd/config/profile.go
@ -47,7 +47,7 @@ var ProfileCmd = &cobra.Command{
 		// Check whether the profile name is container friendly
 		if !config.ProfileNameValid(profile) {
 			out.WarningT("Profile name '{{.profilename}}' is not valid", out.V{"profilename": profile})
-			exit.UsageT("Only alphanumeric, dots, underscores and dashes '-' are permitted. Minimum 2 characters, starting by alphanumeric.")
+			exit.UsageT("Only alphanumeric and dashes '-' are permitted. Minimum 1 character, starting with alphanumeric.")
 		}
 		/**
 		we need to add code over here to check whether the profile
--- a/cmd/minikube/cmd/mount.go
+++ b/cmd/minikube/cmd/mount.go
@ -151,14 +151,14 @@ var mountCmd = &cobra.Command{
 			bindIP = "127.0.0.1"
 		}
 		out.T(out.Mounting, "Mounting host path {{.sourcePath}} into VM as {{.destinationPath}} ...", out.V{"sourcePath": hostPath, "destinationPath": vmPath})
-		out.T(out.Option, "Mount type:   {{.name}}", out.V{"type": cfg.Type})
-		out.T(out.Option, "User ID:      {{.userID}}", out.V{"userID": cfg.UID})
-		out.T(out.Option, "Group ID:     {{.groupID}}", out.V{"groupID": cfg.GID})
-		out.T(out.Option, "Version:      {{.version}}", out.V{"version": cfg.Version})
-		out.T(out.Option, "Message Size: {{.size}}", out.V{"size": cfg.MSize})
-		out.T(out.Option, "Permissions:  {{.octalMode}} ({{.writtenMode}})", out.V{"octalMode": fmt.Sprintf("%o", cfg.Mode), "writtenMode": cfg.Mode})
-		out.T(out.Option, "Options:      {{.options}}", out.V{"options": cfg.Options})
-		out.T(out.Option, "Bind Address: {{.Address}}", out.V{"Address": net.JoinHostPort(bindIP, fmt.Sprint(port))})
+		out.Infof("Mount type:   {{.name}}", out.V{"type": cfg.Type})
+		out.Infof("User ID:      {{.userID}}", out.V{"userID": cfg.UID})
+		out.Infof("Group ID:     {{.groupID}}", out.V{"groupID": cfg.GID})
+		out.Infof("Version:      {{.version}}", out.V{"version": cfg.Version})
+		out.Infof("Message Size: {{.size}}", out.V{"size": cfg.MSize})
+		out.Infof("Permissions:  {{.octalMode}} ({{.writtenMode}})", out.V{"octalMode": fmt.Sprintf("%o", cfg.Mode), "writtenMode": cfg.Mode})
+		out.Infof("Options:      {{.options}}", out.V{"options": cfg.Options})
+		out.Infof("Bind Address: {{.Address}}", out.V{"Address": net.JoinHostPort(bindIP, fmt.Sprint(port))})

 		var wg sync.WaitGroup
 		if cfg.Type == nineP {
--- a/cmd/minikube/cmd/root_test.go
+++ b/cmd/minikube/cmd/root_test.go
@ -115,7 +115,7 @@ func hideEnv(t *testing.T) func(t *testing.T) {
 func TestPreRunDirectories(t *testing.T) {
 	// Make sure we create the required directories.
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)

 	runCommand(RootCmd.PersistentPreRun)

--- a/cmd/minikube/cmd/start.go
+++ b/cmd/minikube/cmd/start.go
@ -148,7 +148,7 @@ func runStart(cmd *cobra.Command, args []string) {

 	if !config.ProfileNameValid(ClusterFlagValue()) {
 		out.WarningT("Profile name '{{.name}}' is not valid", out.V{"name": ClusterFlagValue()})
-		exit.UsageT("Only alphanumeric, dots, underscores and dashes '-' are permitted. Minimum 2 characters, starting by alphanumeric.")
+		exit.UsageT("Only alphanumeric and dashes '-' are permitted. Minimum 1 character, starting with alphanumeric.")
 	}
 	existing, err := config.Load(ClusterFlagValue())
 	if err != nil && !config.IsNotExist(err) {
@ -156,6 +156,7 @@ func runStart(cmd *cobra.Command, args []string) {
 	}

 	validateSpecifiedDriver(existing)
+	validateKubernetesVersion(existing)
 	ds, alts, specified := selectDriver(existing)
 	starter, err := provisionWithDriver(cmd, ds, existing)
 	if err != nil {
@ -361,7 +362,7 @@ func displayEnviron(env []string) {
 		k := bits[0]
 		v := bits[1]
 		if strings.HasPrefix(k, "MINIKUBE_") || k == constants.KubeconfigEnvVar {
-			out.T(out.Option, "{{.key}}={{.value}}", out.V{"key": k, "value": v})
+			out.Infof("{{.key}}={{.value}}", out.V{"key": k, "value": v})
 		}
 	}
 }
@ -524,7 +525,7 @@ func selectDriver(existing *config.ClusterConfig) (registry.DriverState, []regis
 	if pick.Name == "" {
 		out.T(out.ThumbsDown, "Unable to pick a default driver. Here is what was considered, in preference order:")
 		for _, r := range rejects {
-			out.T(out.Option, "{{ .name }}: {{ .rejection }}", out.V{"name": r.Name, "rejection": r.Rejection})
+			out.Infof("{{ .name }}: {{ .rejection }}", out.V{"name": r.Name, "rejection": r.Rejection})
 		}
 		out.T(out.Workaround, "Try specifying a --driver, or see https://minikube.sigs.k8s.io/docs/start/")
 		os.Exit(exit.Unavailable)
@ -903,6 +904,20 @@ func validateFlags(cmd *cobra.Command, drvName string) {
 		}
 	}

+	// validate kubeadm extra args
+	if invalidOpts := bsutil.FindInvalidExtraConfigFlags(config.ExtraOptions); len(invalidOpts) > 0 {
+		out.ErrT(
+			out.Warning,
+			"These --extra-config parameters are invalid: {{.invalid_extra_opts}}",
+			out.V{"invalid_extra_opts": invalidOpts},
+		)
+		exit.WithCodeT(
+			exit.Config,
+			"Valid components are: {{.valid_extra_opts}}",
+			out.V{"valid_extra_opts": bsutil.KubeadmExtraConfigOpts},
+		)
+	}
+
 	// check that kubeadm extra args contain only allowed parameters
 	for param := range config.ExtraOptions.AsMap().Get(bsutil.Kubeadm) {
 		if !config.ContainsParam(bsutil.KubeadmExtraArgsAllowed[bsutil.KubeadmCmdParam], param) &&
@ -974,6 +989,10 @@ func autoSetDriverOptions(cmd *cobra.Command, drvName string) (err error) {
 	hints := driver.FlagDefaults(drvName)
 	if len(hints.ExtraOptions) > 0 {
 		for _, eo := range hints.ExtraOptions {
+			if config.ExtraOptions.Exists(eo) {
+				glog.Infof("skipping extra-config %q.", eo)
+				continue
+			}
 			glog.Infof("auto setting extra-config to %q.", eo)
 			err = config.ExtraOptions.Set(eo)
 			if err != nil {
@ -1000,26 +1019,9 @@ func autoSetDriverOptions(cmd *cobra.Command, drvName string) (err error) {
 	return err
 }

-// getKubernetesVersion ensures that the requested version is reasonable
-func getKubernetesVersion(old *config.ClusterConfig) string {
-	paramVersion := viper.GetString(kubernetesVersion)
-
-	// try to load the old version first if the user didn't specify anything
-	if paramVersion == "" && old != nil {
-		paramVersion = old.KubernetesConfig.KubernetesVersion
-	}
-
-	if paramVersion == "" || strings.EqualFold(paramVersion, "stable") {
-		paramVersion = constants.DefaultKubernetesVersion
-	} else if strings.EqualFold(paramVersion, "latest") {
-		paramVersion = constants.NewestKubernetesVersion
-	}
-
-	nvs, err := semver.Make(strings.TrimPrefix(paramVersion, version.VersionPrefix))
-	if err != nil {
-		exit.WithCodeT(exit.Data, `Unable to parse "{{.kubernetes_version}}": {{.error}}`, out.V{"kubernetes_version": paramVersion, "error": err})
-	}
-	nv := version.VersionPrefix + nvs.String()
+// validateKubernetesVersion ensures that the requested version is reasonable
+func validateKubernetesVersion(old *config.ClusterConfig) {
+	nvs, _ := semver.Make(strings.TrimPrefix(getKubernetesVersion(old), version.VersionPrefix))

 	oldestVersion, err := semver.Make(strings.TrimPrefix(constants.OldestKubernetesVersion, version.VersionPrefix))
 	if err != nil {
@ -1040,7 +1042,7 @@ func getKubernetesVersion(old *config.ClusterConfig) string {
 	}

 	if old == nil || old.KubernetesConfig.KubernetesVersion == "" {
-		return nv
+		return
 	}

 	ovs, err := semver.Make(strings.TrimPrefix(old.KubernetesConfig.KubernetesVersion, version.VersionPrefix))
@ -1049,7 +1051,6 @@ func getKubernetesVersion(old *config.ClusterConfig) string {
 	}

 	if nvs.LT(ovs) {
-		nv = version.VersionPrefix + ovs.String()
 		profileArg := ""
 		if old.Name != constants.DefaultClusterName {
 			profileArg = fmt.Sprintf(" -p %s", old.Name)
@ -1077,5 +1078,26 @@ func getKubernetesVersion(old *config.ClusterConfig) string {
 	if defaultVersion.GT(nvs) {
 		out.T(out.New, "Kubernetes {{.new}} is now available. If you would like to upgrade, specify: --kubernetes-version={{.prefix}}{{.new}}", out.V{"prefix": version.VersionPrefix, "new": defaultVersion})
 	}
-	return nv
+}
+
+func getKubernetesVersion(old *config.ClusterConfig) string {
+	paramVersion := viper.GetString(kubernetesVersion)
+
+	// try to load the old version first if the user didn't specify anything
+	if paramVersion == "" && old != nil {
+		paramVersion = old.KubernetesConfig.KubernetesVersion
+	}
+
+	if paramVersion == "" || strings.EqualFold(paramVersion, "stable") {
+		paramVersion = constants.DefaultKubernetesVersion
+	} else if strings.EqualFold(paramVersion, "latest") {
+		paramVersion = constants.NewestKubernetesVersion
+	}
+
+	nvs, err := semver.Make(strings.TrimPrefix(paramVersion, version.VersionPrefix))
+	if err != nil {
+		exit.WithCodeT(exit.Data, `Unable to parse "{{.kubernetes_version}}": {{.error}}`, out.V{"kubernetes_version": paramVersion, "error": err})
+	}
+
+	return version.VersionPrefix + nvs.String()
 }
--- a/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
+++ b/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - "*"
+  volumes:
+  - "*"
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:privileged
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: default:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:restricted
+subjects:
+- kind: Group
+  name: system:authenticated
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default:privileged
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+subjects:
+- kind: Group
+  name: system:masters
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:serviceaccounts:kube-system
+  apiGroup: rbac.authorization.k8s.io
--- a/deploy/iso/minikube-iso/package/cni-plugins/Config.in
+++ b/deploy/iso/minikube-iso/package/cni-plugins/Config.in
@ -2,4 +2,4 @@ config BR2_PACKAGE_CNI_PLUGINS
 	bool "cni-plugins"
 	default y
 	depends on BR2_x86_64
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
--- a/deploy/iso/minikube-iso/package/cni/Config.in
+++ b/deploy/iso/minikube-iso/package/cni/Config.in
@ -2,4 +2,4 @@ config BR2_PACKAGE_CNI
 	bool "cni"
 	default y
 	depends on BR2_x86_64
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
--- a/deploy/iso/minikube-iso/package/conmon/Config.in
+++ b/deploy/iso/minikube-iso/package/conmon/Config.in
@ -1,7 +1,7 @@
 config BR2_PACKAGE_CONMON
 	bool "conmon"
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
-	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_PACKAGE_LIBGLIB2
 	select BR2_PACKAGE_SYSTEMD
--- a/deploy/iso/minikube-iso/package/containerd-bin/Config.in
+++ b/deploy/iso/minikube-iso/package/containerd-bin/Config.in
@ -2,8 +2,8 @@ config BR2_PACKAGE_CONTAINERD_BIN
 	bool "containerd-bin"
 	default y
 	depends on BR2_x86_64
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
-	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_USE_MMU # lvm2
 	depends on !BR2_STATIC_LIBS # lvm2
--- a/deploy/iso/minikube-iso/package/crio-bin/Config.in
+++ b/deploy/iso/minikube-iso/package/crio-bin/Config.in
@ -2,8 +2,8 @@ config BR2_PACKAGE_CRIO_BIN
 	bool "crio-bin"
 	default y
 	depends on BR2_x86_64
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
-	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_USE_MMU # lvm2
 	depends on !BR2_STATIC_LIBS # lvm2
--- a/deploy/iso/minikube-iso/package/crio-bin/conmon-config.h
+++ b/deploy/iso/minikube-iso/package/crio-bin/conmon-config.h
@ -0,0 +1,9 @@
+
+#if !defined(CONFIG_H)
+#define CONFIG_H
+
+#define BUF_SIZE 8192
+#define STDIO_BUF_SIZE 8192
+#define DEFAULT_SOCKET_PATH "/var/run/crio"
+
+#endif // CONFIG_H
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
@ -12,6 +12,3 @@ sha256 05f9614c4d5970b4662499b84c270b0ab953596ee863dcd09c9dc7a2d2f09789 v1.16.0.
 sha256 57e1ee990ef2d5af8b32c33a21b4998682608e3556dcf1d3349666f55e7d95b9 v1.16.1.tar.gz
 sha256 23a797762e4544ee7c171ef138cfc1141a3f0acc2838d9965c2a58e53b16c3ae v1.17.0.tar.gz
 sha256 7967e9218fdfb59d6005a9e19c1668469bc5566c2a35927cffe7de8656bb22c7 v1.17.1.tar.gz
-sha256 865ded95aceb3a33a391b252522682de6b37b39498704c490b3a321dbefaafcb v1.18.0.tar.gz
-sha256 794ddc36c2a20fde91fc6cc2c6f02ebdaea85c69b51b67f3994090dbbdbc2a50 v1.18.1.tar.gz
-sha256 25dc558fbabc987bd58c7eab5230121b258a7b0eb34a49dc6595f1c6f3969116 v1.18.2.tar.gz
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
@ -4,8 +4,8 @@
 #
 ################################################################################

-CRIO_BIN_VERSION = v1.18.2
-CRIO_BIN_COMMIT = 7f261aeebffed079b4475dde8b9d602b01973d33
+CRIO_BIN_VERSION = v1.17.1
+CRIO_BIN_COMMIT = ee2de87bd8e2a7a84799476cb4fc4ce8a78fdf6d
 CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
@ -32,7 +32,7 @@ endef

 define CRIO_BIN_BUILD_CMDS
 	mkdir -p $(@D)/bin
-	$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) COMMIT_NO=$(CRIO_BIN_COMMIT) PREFIX=/usr binaries
+	$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) GIT_COMMIT=$(CRIO_BIN_COMMIT) PREFIX=/usr binaries
 endef

 define CRIO_BIN_INSTALL_TARGET_CMDS
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
@ -35,15 +35,8 @@ storage_driver = "overlay"
 # the kubelet. The log directory specified must be an absolute directory.
 log_dir = "/var/log/crio/pods"

-# Location for CRI-O to lay down the temporary version file.
-# It is used to check if crio wipe should wipe containers, which should
-# always happen on a node reboot
-version_file = "/var/run/crio/version"
-
-# Location for CRI-O to lay down the persistent version file.
-# It is used to check if crio wipe should wipe images, which should
-# only happen when CRI-O has been upgraded
-version_file_persist = "/var/lib/crio/version"
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"

 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
@ -51,11 +44,13 @@ version_file_persist = "/var/lib/crio/version"
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"

+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"

-# The port on which the stream server will listen. If the port is set to "0", then
-# CRI-O will allocate a random free port number.
+# The port on which the stream server will listen.
 stream_port = "0"

 # Enable encrypted TLS transport of the stream server.
@ -99,10 +94,6 @@ default_runtime = "runc"
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false

-# decryption_keys_path is the path where the keys required for
-# image decryption are stored. This option supports live configuration reload.
-decryption_keys_path = "/etc/crio/keys/"
-
 # Path to the conmon binary, used for monitoring the OCI runtime.
 # Will be searched for using $PATH if empty.
 conmon = "/usr/libexec/crio/conmon"
@ -116,26 +107,17 @@ conmon_env = [
 	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 ]

-# Additional environment variables to set for all the
-# containers. These are overridden if set in the
-# container image spec or in the container runtime configuration.
-default_env = [
-]
-
 # If true, SELinux will be used for pod separation on the host.
 selinux = false

 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime. If not specified, then the internal default seccomp profile
-# will be used. This option supports live configuration reload.
+# will be used.
 seccomp_profile = ""

 # Used to change the name of the default AppArmor profile of CRI-O. The default
-# profile name is "crio-default". This profile only takes effect if the user
-# does not specify a profile via the Kubernetes Pod's metadata annotation. If
-# the profile is set to "unconfined", then this equals to disabling AppArmor.
-# This option supports live configuration reload.
-apparmor_profile = "crio-default"
+# profile name is "crio-default-" followed by the version string of CRI-O.
+apparmor_profile = "crio-default-1.16.1"

 # Cgroup management implementation used for the runtime.
 cgroup_manager = "systemd"
@ -144,15 +126,17 @@ cgroup_manager = "systemd"
 # only the capabilities defined in the containers json file by the user/kube
 # will be added.
 default_capabilities = [
-	"CHOWN",
-	"DAC_OVERRIDE",
-	"FSETID",
-	"FOWNER",
-	"SETGID",
-	"SETUID",
-	"SETPCAP",
-	"NET_BIND_SERVICE",
-	"KILL",
+	"CHOWN", 
+	"DAC_OVERRIDE", 
+	"FSETID", 
+	"FOWNER", 
+	"NET_RAW", 
+	"SETGID", 
+	"SETUID", 
+	"SETPCAP", 
+	"NET_BIND_SERVICE", 
+	"SYS_CHROOT", 
+	"KILL", 
 ]

 # List of default sysctls. If it is empty or commented out, only the sysctls
@ -167,10 +151,8 @@ default_sysctls = [
 additional_devices = [
 ]

-# Path to OCI hooks directories for automatically executed hooks. If one of the
-# directories does not exist, then CRI-O will automatically skip them.
+# Path to OCI hooks directories for automatically executed hooks.
 hooks_dir = [
-	"/usr/share/containers/oci/hooks.d",
 ]

 # List of default mounts for each container. **Deprecated:** this option will
@ -218,13 +200,9 @@ bind_mount_prefix = ""
 read_only = false

 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, debug and trace. This option supports
-# live configuration reload.
-log_level = "info"
-
-# Filter the log messages by the provided regular expression.
-# This option supports live configuration reload.
-log_filter = ""
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
+log_level = "error"

 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
@ -237,23 +215,12 @@ uid_mappings = ""
 gid_mappings = ""

 # The minimal amount of time in seconds to wait before issuing a timeout
-# regarding the proper termination of the container. The lowest possible
-# value is 30s, whereas lower values are not considered by CRI-O.
-ctr_stop_timeout = 30
+# regarding the proper termination of the container.
+ctr_stop_timeout = 0

-# **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.
-# manage_network_ns_lifecycle = false
-
-# manage_ns_lifecycle determines whether we pin and remove namespaces
-# and manage their lifecycle
-manage_ns_lifecycle = false
-
-# The directory where the state of the managed namespaces gets tracked.
-# Only used when manage_ns_lifecycle is true.
-namespaces_dir = "/var/run"
-
-# pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle
-pinns_path = "/usr/bin/pinns"
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false

 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
@ -314,7 +281,7 @@ global_auth_file = ""

 # The image used to instantiate infra containers.
 # This option supports live configuration reload.
-pause_image = "k8s.gcr.io/pause:3.2"
+pause_image = "k8s.gcr.io/pause:3.1"

 # The path to a file containing credentials specific for pulling the pause_image from
 # above. The file is similar to that of /var/lib/kubelet/config.json
@ -357,10 +324,6 @@ registries = [
 # CNI plugins.
 [crio.network]

-# The default CNI network name to be selected. If not set or "", then
-# CRI-O will pick-up the first one found in network_dir.
-# cni_default_network = ""
-
 # Path to the directory where CNI configuration files are located.
 network_dir = "/etc/cni/net.d/"

--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
@ -35,15 +35,8 @@
 # the kubelet. The log directory specified must be an absolute directory.
 log_dir = "/var/log/crio/pods"

-# Location for CRI-O to lay down the temporary version file.
-# It is used to check if crio wipe should wipe containers, which should
-# always happen on a node reboot
-version_file = "/var/run/crio/version"
-
-# Location for CRI-O to lay down the persistent version file.
-# It is used to check if crio wipe should wipe images, which should
-# only happen when CRI-O has been upgraded
-version_file_persist = "/var/lib/crio/version"
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"

 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
@ -51,11 +44,13 @@ version_file_persist = "/var/lib/crio/version"
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"

+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"

-# The port on which the stream server will listen. If the port is set to "0", then
-# CRI-O will allocate a random free port number.
+# The port on which the stream server will listen.
 stream_port = "0"

 # Enable encrypted TLS transport of the stream server.
@ -99,10 +94,6 @@ default_runtime = "runc"
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false

-# decryption_keys_path is the path where the keys required for
-# image decryption are stored. This option supports live configuration reload.
-decryption_keys_path = "/etc/crio/keys/"
-
 # Path to the conmon binary, used for monitoring the OCI runtime.
 # Will be searched for using $PATH if empty.
 conmon = ""
@ -116,43 +107,36 @@ conmon_env = [
 	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 ]

-# Additional environment variables to set for all the
-# containers. These are overridden if set in the
-# container image spec or in the container runtime configuration.
-default_env = [
-]
-
 # If true, SELinux will be used for pod separation on the host.
 selinux = false

 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime. If not specified, then the internal default seccomp profile
-# will be used. This option supports live configuration reload.
+# will be used.
 seccomp_profile = ""

 # Used to change the name of the default AppArmor profile of CRI-O. The default
-# profile name is "crio-default". This profile only takes effect if the user
-# does not specify a profile via the Kubernetes Pod's metadata annotation. If
-# the profile is set to "unconfined", then this equals to disabling AppArmor.
-# This option supports live configuration reload.
-apparmor_profile = "crio-default"
+# profile name is "crio-default-" followed by the version string of CRI-O.
+apparmor_profile = "crio-default-1.16.1"

 # Cgroup management implementation used for the runtime.
-cgroup_manager = "systemd"
+cgroup_manager = "cgroupfs"

 # List of default capabilities for containers. If it is empty or commented out,
 # only the capabilities defined in the containers json file by the user/kube
 # will be added.
 default_capabilities = [
-	"CHOWN",
-	"DAC_OVERRIDE",
-	"FSETID",
-	"FOWNER",
-	"SETGID",
-	"SETUID",
-	"SETPCAP",
-	"NET_BIND_SERVICE",
-	"KILL",
+	"CHOWN", 
+	"DAC_OVERRIDE", 
+	"FSETID", 
+	"FOWNER", 
+	"NET_RAW", 
+	"SETGID", 
+	"SETUID", 
+	"SETPCAP", 
+	"NET_BIND_SERVICE", 
+	"SYS_CHROOT", 
+	"KILL", 
 ]

 # List of default sysctls. If it is empty or commented out, only the sysctls
@ -167,10 +151,8 @@ default_sysctls = [
 additional_devices = [
 ]

-# Path to OCI hooks directories for automatically executed hooks. If one of the
-# directories does not exist, then CRI-O will automatically skip them.
+# Path to OCI hooks directories for automatically executed hooks.
 hooks_dir = [
-	"/usr/share/containers/oci/hooks.d",
 ]

 # List of default mounts for each container. **Deprecated:** this option will
@ -218,13 +200,9 @@ bind_mount_prefix = ""
 read_only = false

 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, debug and trace. This option supports
-# live configuration reload.
-log_level = "info"
-
-# Filter the log messages by the provided regular expression.
-# This option supports live configuration reload.
-log_filter = ""
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
+log_level = "error"

 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
@ -237,23 +215,12 @@ uid_mappings = ""
 gid_mappings = ""

 # The minimal amount of time in seconds to wait before issuing a timeout
-# regarding the proper termination of the container. The lowest possible
-# value is 30s, whereas lower values are not considered by CRI-O.
-ctr_stop_timeout = 30
+# regarding the proper termination of the container.
+ctr_stop_timeout = 0

-# **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.
-# manage_network_ns_lifecycle = false
-
-# manage_ns_lifecycle determines whether we pin and remove namespaces
-# and manage their lifecycle
-manage_ns_lifecycle = false
-
-# The directory where the state of the managed namespaces gets tracked.
-# Only used when manage_ns_lifecycle is true.
-namespaces_dir = "/var/run"
-
-# pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle
-pinns_path = ""
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false

 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
@ -314,7 +281,7 @@ global_auth_file = ""

 # The image used to instantiate infra containers.
 # This option supports live configuration reload.
-pause_image = "k8s.gcr.io/pause:3.2"
+pause_image = "k8s.gcr.io/pause:3.1"

 # The path to a file containing credentials specific for pulling the pause_image from
 # above. The file is similar to that of /var/lib/kubelet/config.json
@ -356,10 +323,6 @@ image_volumes = "mkdir"
 # CNI plugins.
 [crio.network]

-# The default CNI network name to be selected. If not set or "", then
-# CRI-O will pick-up the first one found in network_dir.
-# cni_default_network = ""
-
 # Path to the directory where CNI configuration files are located.
 network_dir = "/etc/cni/net.d/"

--- a/deploy/iso/minikube-iso/package/podman/Config.in
+++ b/deploy/iso/minikube-iso/package/podman/Config.in
@ -2,8 +2,8 @@ config BR2_PACKAGE_PODMAN
 	bool "podman"
 	default y
 	depends on BR2_x86_64
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
-	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_PACKAGE_RUNC_MASTER
 	select BR2_PACKAGE_CONMON
--- a/deploy/iso/minikube-iso/package/runc-master/Config.in
+++ b/deploy/iso/minikube-iso/package/runc-master/Config.in
@ -1,7 +1,7 @@
 config BR2_PACKAGE_RUNC_MASTER
 	bool "runc-master"
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
-	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	help
 	  runC is a CLI tool for spawning and running containers
@ -12,6 +12,6 @@ config BR2_PACKAGE_RUNC_MASTER
 	  https://github.com/opencontainers/runc

 comment "runc needs a toolchain w/ threads"
-	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS && \
-		BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS && \
+		BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on !BR2_TOOLCHAIN_HAS_THREADS
--- a/deploy/minikube/releases.json
+++ b/deploy/minikube/releases.json
@ -1,4 +1,12 @@
 [
+  {
+      "name": "v1.12.0",
+      "checksums": {
+          "darwin": "7f6c6eeca19d6b16c9043cfc96a42408bbdec8ba90c01bd025249ca855a1362c",
+          "linux": "3501b6c2be48183affa9497e7db6d751d92e1536267268b73ad1a936a2977122",
+          "windows": "a5f8666d762146cc7d85916bcb2d6b7246162e4706f10e5c12a795b9d07ea6c4"
+      }
+  },
  {
      "name": "v1.11.0",
      "checksums": {
--- a/hack/jenkins/common.sh
+++ b/hack/jenkins/common.sh
@ -31,7 +31,7 @@ export KUBECONFIG="${TEST_HOME}/kubeconfig"
 export PATH=$PATH:"/usr/local/bin/:/usr/local/go/bin/:$GOPATH/bin"

 # installing golang so we could do go get for gopogh
-sudo ./installers/check_install_golang.sh "1.13.9" "/usr/local" || true
+sudo ./installers/check_install_golang.sh "1.14.4" "/usr/local" || true

 docker rm -f -v $(docker ps -aq) >/dev/null 2>&1 || true
 docker volume prune -f || true
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@ -156,4 +156,9 @@ var Addons = []*Addon{
 		set:       SetBool,
 		callbacks: []setFn{enableOrDisableAddon},
 	},
+	{
+		name:      "pod-security-policy",
+		set:       SetBool,
+		callbacks: []setFn{enableOrDisableAddon},
+	},
 }
--- a/pkg/drivers/common_test.go
+++ b/pkg/drivers/common_test.go
@ -27,7 +27,7 @@ import (

 func Test_createDiskImage(t *testing.T) {
 	tmpdir := tests.MakeTempDir()
-	defer os.RemoveAll(tmpdir)
+	defer tests.RemoveTempDir(tmpdir)

 	sshPath := filepath.Join(tmpdir, "ssh")
 	if err := ioutil.WriteFile(sshPath, []byte("mysshkey"), 0644); err != nil {
--- a/pkg/drivers/hyperkit/network_test.go
+++ b/pkg/drivers/hyperkit/network_test.go
@ -20,7 +20,6 @@ package hyperkit

 import (
 	"io/ioutil"
-	"os"
 	"path/filepath"
 	"testing"

@ -51,7 +50,7 @@ var validLeases = []byte(`{

 func Test_getIpAddressFromFile(t *testing.T) {
 	tmpdir := tests.MakeTempDir()
-	defer os.RemoveAll(tmpdir)
+	defer tests.RemoveTempDir(tmpdir)

 	dhcpFile := filepath.Join(tmpdir, "dhcp")
 	if err := ioutil.WriteFile(dhcpFile, validLeases, 0644); err != nil {
--- a/pkg/drivers/kic/oci/oci.go
+++ b/pkg/drivers/kic/oci/oci.go
@ -126,8 +126,6 @@ func CreateContainerNode(p CreateParams) error {
 		// for now this is what we want. in the future we may revisit this.
 		"--privileged",
 		"--security-opt", "seccomp=unconfined", //  ignore seccomp
-		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
-		"--security-opt", "apparmor=unconfined",
 		"--tmpfs", "/tmp", // various things depend on working /tmp
 		"--tmpfs", "/run", // systemd wants a writable /run
 		// logs,pods be stroed on  filesystem vs inside container,
@ -150,6 +148,8 @@ func CreateContainerNode(p CreateParams) error {
 	}
 	if p.OCIBinary == Docker {
 		runArgs = append(runArgs, "--volume", fmt.Sprintf("%s:/var", p.Name))
+		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
+		runArgs = append(runArgs, "--security-opt", "apparmor=unconfined")
 	}

 	runArgs = append(runArgs, fmt.Sprintf("--cpus=%s", p.CPUs))
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 			"0640",
 			false),
 	}, true, "default-storageclass"),
+	"pod-security-policy": NewAddon([]*BinAsset{
+		MustBinAsset(
+			"deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl",
+			vmpath.GuestAddonsDir,
+			"pod-security-policy.yaml",
+			"0640",
+			false),
+	}, false, "pod-security-policy"),
 	"storage-provisioner": NewAddon([]*BinAsset{
 		MustBinAsset(
 			"deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",
--- a/pkg/minikube/bootstrapper/bsutil/extraconfig.go
+++ b/pkg/minikube/bootstrapper/bsutil/extraconfig.go
@ -95,6 +95,21 @@ func CreateFlagsFromExtraArgs(extraOptions config.ExtraOptionSlice) string {
 	return convertToFlags(kubeadmExtraOpts)
 }

+// FindInvalidExtraConfigFlags returns all invalid 'extra-config' options
+func FindInvalidExtraConfigFlags(opts config.ExtraOptionSlice) []string {
+	invalidOptsMap := make(map[string]struct{})
+	var invalidOpts []string
+	for _, extraOpt := range opts {
+		if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
+			if _, ok := invalidOptsMap[extraOpt.Component]; !ok {
+				invalidOpts = append(invalidOpts, extraOpt.Component)
+				invalidOptsMap[extraOpt.Component] = struct{}{}
+			}
+		}
+	}
+	return invalidOpts
+}
+
 // extraConfigForComponent generates a map of flagname-value pairs for a k8s
 // component.
 func extraConfigForComponent(component string, opts config.ExtraOptionSlice, version semver.Version) (map[string]string, error) {
@ -133,20 +148,12 @@ func defaultOptionsForComponentAndVersion(component string, version semver.Versi

 // newComponentOptions creates a new componentOptions
 func newComponentOptions(opts config.ExtraOptionSlice, version semver.Version, featureGates string, cp config.Node) ([]componentOptions, error) {
+	if invalidOpts := FindInvalidExtraConfigFlags(opts); len(invalidOpts) > 0 {
+		return nil, fmt.Errorf("unknown components %v. valid components are: %v", invalidOpts, KubeadmExtraConfigOpts)
+	}
+
 	var kubeadmExtraArgs []componentOptions
-	for _, extraOpt := range opts {
-		if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
-			return nil, fmt.Errorf("unknown component %q. valid components are: %v", componentToKubeadmConfigKey, componentToKubeadmConfigKey)
-		}
-	}
-
-	keys := []string{}
-	for k := range componentToKubeadmConfigKey {
-		keys = append(keys, k)
-	}
-	sort.Strings(keys)
-
-	for _, component := range keys {
+	for _, component := range KubeadmExtraConfigOpts {
 		kubeadmComponentKey := componentToKubeadmConfigKey[component]
 		if kubeadmComponentKey == "" {
 			continue
--- a/pkg/minikube/bootstrapper/bsutil/extraconfig_test.go
+++ b/pkg/minikube/bootstrapper/bsutil/extraconfig_test.go
@ -0,0 +1,59 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package bsutil will eventually be renamed to kubeadm package after getting rid of older one
+package bsutil
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/minikube/pkg/minikube/config"
+)
+
+func TestFindInvalidExtraConfigFlags(t *testing.T) {
+	defaultOpts := getExtraOpts()
+	badOption1 := config.ExtraOption{Component: "bad_option_1"}
+	badOption2 := config.ExtraOption{Component: "bad_option_2"}
+	tests := []struct {
+		name string
+		opts config.ExtraOptionSlice
+		want []string
+	}{
+		{
+			name: "with valid options only",
+			opts: defaultOpts,
+			want: nil,
+		},
+		{
+			name: "with invalid options",
+			opts: append(defaultOpts, badOption1, badOption2),
+			want: []string{"bad_option_1", "bad_option_2"},
+		},
+		{
+			name: "with invalid options and duplicates",
+			opts: append(defaultOpts, badOption2, badOption1, badOption1),
+			want: []string{"bad_option_2", "bad_option_1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := FindInvalidExtraConfigFlags(tt.opts); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("FindInvalidExtraConfigFlags() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/pkg/minikube/bootstrapper/bsutil/kubeadm.go
+++ b/pkg/minikube/bootstrapper/bsutil/kubeadm.go
@ -147,15 +147,26 @@ func GenerateKubeadmYAML(cc config.ClusterConfig, n config.Node, r cruntime.Mana
 // These are the components that can be configured
 // through the "extra-config"
 const (
-	Kubelet           = "kubelet"
-	Kubeadm           = "kubeadm"
 	Apiserver         = "apiserver"
-	Scheduler         = "scheduler"
 	ControllerManager = "controller-manager"
-	Kubeproxy         = "kube-proxy"
+	Scheduler         = "scheduler"
 	Etcd              = "etcd"
+	Kubeadm           = "kubeadm"
+	Kubeproxy         = "kube-proxy"
+	Kubelet           = "kubelet"
 )

+// KubeadmExtraConfigOpts is a list of allowed "extra-config" components
+var KubeadmExtraConfigOpts = []string{
+	Apiserver,
+	ControllerManager,
+	Scheduler,
+	Etcd,
+	Kubeadm,
+	Kubelet,
+	Kubeproxy,
+}
+
 // InvokeKubeadm returns the invocation command for Kubeadm
 func InvokeKubeadm(version string) string {
 	return fmt.Sprintf("sudo env PATH=%s:$PATH kubeadm", binRoot(version))
--- a/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go
+++ b/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go
@ -205,7 +205,13 @@ func apiServerHealthz(hostname string, port int) (state.State, error) {
 		return nil
 	}

-	err = retry.Local(check, 8*time.Second)
+	err = retry.Local(check, 5*time.Second)
+
+	// Don't propagate 'Stopped' upwards as an error message, as clients may interpret the err
+	// as an inability to get status. We need it for retry.Local, however.
+	if st == state.Stopped {
+		return st, nil
+	}
 	return st, err
 }

--- a/pkg/minikube/bootstrapper/certs_test.go
+++ b/pkg/minikube/bootstrapper/certs_test.go
@ -30,7 +30,7 @@ import (

 func TestSetupCerts(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)

 	k8s := config.KubernetesConfig{
 		APIServerName: constants.APIServerName,
--- a/pkg/minikube/bootstrapper/kubeadm/errors.go
+++ b/pkg/minikube/bootstrapper/kubeadm/errors.go
@ -16,7 +16,17 @@ limitations under the License.

 package kubeadm

-import "errors"
+import (
+	"errors"
+	"fmt"
+)
+
+// max minutes wait for kubeadm init. usually finishes in less than 1 minute.
+// giving it a generous timeout for possible super slow machines.
+const initTimeoutMinutes = 10
+
+// max seconds to wait for running kubectl apply manifests to the cluster to exit
+const applyTimeoutSeconds = 10

 // FailFastError type is an error that could not be solved by trying again
 type FailFastError struct {
@ -30,3 +40,6 @@ func (f *FailFastError) Error() string {
 // ErrNoExecLinux is thrown on linux when the kubeadm binaries are mounted in a noexec volume on Linux as seen in https://github.com/kubernetes/minikube/issues/8327#issuecomment-651288459
 // this error could be seen on docker/podman or none driver.
 var ErrNoExecLinux = &FailFastError{errors.New("mounted kubeadm binary is not executable")}
+
+// ErrInitTimedout is thrown if kubeadm init takes longer than max time allowed
+var ErrInitTimedout = fmt.Errorf("kubeadm init timed out in %d minutes", initTimeoutMinutes)
--- a/pkg/minikube/bootstrapper/kubeadm/kubeadm.go
+++ b/pkg/minikube/bootstrapper/kubeadm/kubeadm.go
@ -225,9 +225,15 @@ func (k *Bootstrapper) init(cfg config.ClusterConfig) error {
 	}

 	conf := bsutil.KubeadmYamlPath
-	c := exec.Command("/bin/bash", "-c", fmt.Sprintf("%s init --config %s %s --ignore-preflight-errors=%s",
+	ctx, cancel := context.WithTimeout(context.Background(), initTimeoutMinutes*time.Minute)
+	defer cancel()
+	c := exec.CommandContext(ctx, "/bin/bash", "-c", fmt.Sprintf("%s init --config %s %s --ignore-preflight-errors=%s",
 		bsutil.InvokeKubeadm(cfg.KubernetesConfig.KubernetesVersion), conf, extraFlags, strings.Join(ignore, ",")))
 	if _, err := k.c.RunCmd(c); err != nil {
+		if ctx.Err() == context.DeadlineExceeded {
+			return ErrInitTimedout
+		}
+
 		if strings.Contains(err.Error(), "'kubeadm': Permission denied") {
 			return ErrNoExecLinux
 		}
@ -829,8 +835,7 @@ func (k *Bootstrapper) applyNodeLabels(cfg config.ClusterConfig) error {
 	commitLbl := "minikube.k8s.io/commit=" + version.GetGitCommitID()
 	nameLbl := "minikube.k8s.io/name=" + cfg.Name

-	// Allow no more than 5 seconds for applying labels
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), applyTimeoutSeconds*time.Second)
 	defer cancel()
 	// example:
 	// sudo /var/lib/minikube/binaries/<version>/kubectl label nodes minikube.k8s.io/version=<version> minikube.k8s.io/commit=aa91f39ffbcf27dcbb93c4ff3f457c54e585cf4a-dirty minikube.k8s.io/name=p1 minikube.k8s.io/updated_at=2020_02_20T12_05_35_0700 --all --overwrite --kubeconfig=/var/lib/minikube/kubeconfig
@ -839,6 +844,9 @@ func (k *Bootstrapper) applyNodeLabels(cfg config.ClusterConfig) error {
 		fmt.Sprintf("--kubeconfig=%s", path.Join(vmpath.GuestPersistentDir, "kubeconfig")))

 	if _, err := k.c.RunCmd(cmd); err != nil {
+		if ctx.Err() == context.DeadlineExceeded {
+			return errors.Wrapf(err, "timeout apply labels")
+		}
 		return errors.Wrapf(err, "applying node labels")
 	}
 	return nil
--- a/pkg/minikube/cni/flannel.go
+++ b/pkg/minikube/cni/flannel.go
@ -17,6 +17,9 @@ limitations under the License.
 package cni

 import (
+	"os/exec"
+
+	"github.com/pkg/errors"
 	"k8s.io/minikube/pkg/minikube/config"
 )

@ -637,6 +640,12 @@ func (c Flannel) String() string {

 // Apply enables the CNI
 func (c Flannel) Apply(r Runner) error {
+	// Mostly applicable to the 'none' driver
+	_, err := r.RunCmd(exec.Command("stat", "/opt/cni/bin/portmap"))
+	if err != nil {
+		return errors.Wrap(err, "required 'portmap' CNI plug-in not found")
+	}
+
 	return applyManifest(c.cc, r, manifestAsset([]byte(flannelTmpl)))
 }

--- a/pkg/minikube/cni/kindnet.go
+++ b/pkg/minikube/cni/kindnet.go
@ -18,6 +18,7 @@ package cni

 import (
 	"bytes"
+	"os/exec"
 	"text/template"

 	"github.com/pkg/errors"
@ -168,6 +169,12 @@ func (c KindNet) manifest() (assets.CopyableFile, error) {

 // Apply enables the CNI
 func (c KindNet) Apply(r Runner) error {
+	// This is mostly applicable to the 'none' driver
+	_, err := r.RunCmd(exec.Command("stat", "/opt/cni/bin/portmap"))
+	if err != nil {
+		return errors.Wrap(err, "required 'portmap' CNI plug-in not found")
+	}
+
 	m, err := c.manifest()
 	if err != nil {
 		return errors.Wrap(err, "manifest")
--- a/pkg/minikube/config/extra_options.go
+++ b/pkg/minikube/config/extra_options.go
@ -19,6 +19,8 @@ package config
 import (
 	"fmt"
 	"strings"
+
+	"github.com/golang/glog"
 )

 // ExtraOption is an extra option
@ -38,6 +40,29 @@ type ExtraOptionSlice []ExtraOption
 // ComponentExtraOptionMap maps components to their extra opts, which is a map of keys to values
 type ComponentExtraOptionMap map[string]map[string]string

+// Exists returns true if component.key (parsed from value) is already in ExtraOptionSlice
+func (es *ExtraOptionSlice) Exists(value string) bool {
+	// The component is the value before the first dot.
+	componentSplit := strings.SplitN(value, ".", 2)
+	if len(componentSplit) != 2 {
+		glog.Errorf("invalid value: must contain at least one period: %q", value)
+		return false
+	}
+
+	keySplit := strings.SplitN(componentSplit[1], "=", 2)
+	if len(keySplit) != 2 {
+		glog.Errorf("invalid value: must contain one equal sign: %q", value)
+		return false
+	}
+
+	for _, opt := range *es {
+		if opt.Component == componentSplit[0] && opt.Key == keySplit[0] {
+			return true
+		}
+	}
+	return false
+}
+
 // Set parses the string value into a slice
 func (es *ExtraOptionSlice) Set(value string) error {
 	// The component is the value before the first dot.
--- a/pkg/minikube/config/extra_options_test.go
+++ b/pkg/minikube/config/extra_options_test.go
@ -79,6 +79,29 @@ func TestValidFlags(t *testing.T) {
 	}
 }

+func TestExists(t *testing.T) {
+	extraOptions := ExtraOptionSlice{
+		ExtraOption{Component: "c1", Key: "bar", Value: "c1-bar"},
+		ExtraOption{Component: "c1", Key: "baz", Value: "c1-baz"},
+		ExtraOption{Component: "c2", Key: "bar", Value: "c2-bar"},
+	}
+
+	for _, tc := range []struct {
+		searchString string
+		expRes       bool
+	}{
+		{"c1.bar=bar", true},
+		{"c1.foo=foo", false},
+		{"c2.bar=bar", true},
+		{"c2.baz=baz", false},
+		{"c3.baz=baz", false},
+	} {
+		if res := extraOptions.Exists(tc.searchString); res != tc.expRes {
+			t.Errorf("Unexpected value. Expected %t, got %t", tc.expRes, res)
+		}
+	}
+}
+
 func TestGet(t *testing.T) {
 	extraOptions := ExtraOptionSlice{
 		ExtraOption{Component: "c1", Key: "bar", Value: "c1-bar"},
--- a/pkg/minikube/config/profile.go
+++ b/pkg/minikube/config/profile.go
@ -84,13 +84,13 @@ func PrimaryControlPlane(cc *ClusterConfig) (Node, error) {
 	return cp, nil
 }

-// ProfileNameValid checks if the profile name is container name friendly
+// ProfileNameValid checks if the profile name is container name and DNS hostname/label friendly.
 func ProfileNameValid(name string) bool {
+	// RestrictedNamePattern describes the characters allowed to represent a profile's name
+	const RestrictedNamePattern = `(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])`

-	// RestrictedNameChars collects the characters allowed to represent a name
-	const RestrictedNameChars = `[a-zA-Z0-9][a-zA-Z0-9_.-]`
+	var validName = regexp.MustCompile(`^` + RestrictedNamePattern + `$`)

-	var validName = regexp.MustCompile(`^` + RestrictedNameChars + `+$`)
 	return validName.MatchString(name)
 }

@ -181,6 +181,7 @@ func SaveProfile(name string, cfg *ClusterConfig, miniHome ...string) error {
 	if err = os.Rename(tf.Name(), path); err != nil {
 		return err
 	}
+
 	return nil
 }

--- a/pkg/minikube/config/profile_test.go
+++ b/pkg/minikube/config/profile_test.go
@ -73,24 +73,38 @@ func TestListProfiles(t *testing.T) {
 }

 func TestProfileNameValid(t *testing.T) {
-	var testCases = []struct {
-		name     string
-		expected bool
-	}{
-		{"meaningful_name", true},
-		{"meaningful_name@", false},
-		{"n_a_m_e_2", true},
-		{"n", false},
-		{"_name", false},
-		{"N__a.M--E12567", true},
-	}
-	for _, tt := range testCases {
-		got := ProfileNameValid(tt.name)
-		if got != tt.expected {
-			t.Errorf("expected ProfileNameValid(%s)=%t but got %t ", tt.name, tt.expected, got)
-		}
+	var testCases = map[string]bool{
+		"profile":             true,
+		"pro-file":            true,
+		"profile1":            true,
+		"pro-file1":           true,
+		"1st-profile":         true,
+		"1st-2nd-3rd-profile": true,
+		"n":                   true,
+		"1":                   true,
+		"12567":               true,
+
+		"pro file":         false,
+		"pro-file-":        false,
+		"-profile":         false,
+		"meaningful_name":  false,
+		"meaningful_name@": false,
+		"n_a_m_e_2":        false,
+		"_name":            false,
+		"N__a.M--E12567":   false,
 	}

+	for name, exp := range testCases {
+		name, exp := name, exp // capture range variables
+
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			got := ProfileNameValid(name)
+			if got != exp {
+				t.Errorf("expected ProfileNameValid(%s)=%t but got %t ", name, exp, got)
+			}
+		})
+	}
 }

 func TestProfileNameInReservedKeywords(t *testing.T) {
--- a/pkg/minikube/kubeconfig/context_test.go
+++ b/pkg/minikube/kubeconfig/context_test.go
@ -26,6 +26,7 @@ import (
 func TestDeleteContext(t *testing.T) {
 	// See kubeconfig_test
 	fn := tempFile(t, kubeConfigWithoutHTTPS)
+	defer os.Remove(fn)
 	if err := DeleteContext("la-croix", fn); err != nil {
 		t.Fatal(err)
 	}
--- a/pkg/minikube/kubeconfig/kubeconfig_test.go
+++ b/pkg/minikube/kubeconfig/kubeconfig_test.go
@ -263,6 +263,7 @@ func TestVerifyEndpoint(t *testing.T) {
 		t.Run(test.description, func(t *testing.T) {
 			t.Parallel()
 			configFilename := tempFile(t, test.existing)
+			defer os.Remove(configFilename)
 			err := VerifyEndpoint("minikube", test.hostname, test.port, configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)
@ -330,6 +331,7 @@ func TestUpdateIP(t *testing.T) {
 		t.Run(test.description, func(t *testing.T) {
 			t.Parallel()
 			configFilename := tempFile(t, test.existing)
+			defer os.Remove(configFilename)
 			statusActual, err := UpdateEndpoint("minikube", test.hostname, test.port, configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)
@ -419,6 +421,7 @@ func Test_Endpoint(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			configFilename := tempFile(t, test.cfg)
+			defer os.Remove(configFilename)
 			hostname, port, err := Endpoint("minikube", configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)
--- a/pkg/minikube/machine/client_test.go
+++ b/pkg/minikube/machine/client_test.go
@ -19,18 +19,15 @@ package machine
 import (
 	"bufio"
 	"fmt"
-	"io/ioutil"
-	"log"
 	"net"
 	"os"
-	"path/filepath"
 	"testing"

 	"github.com/docker/machine/libmachine/drivers/plugin/localbinary"

 	"k8s.io/minikube/pkg/minikube/driver"
-	"k8s.io/minikube/pkg/minikube/localpath"
 	_ "k8s.io/minikube/pkg/minikube/registry/drvs/virtualbox"
+	testutil "k8s.io/minikube/pkg/minikube/tests"
 )

 const vboxConfig = `
@ -113,24 +110,9 @@ func TestLocalClientNewHost(t *testing.T) {
 	}
 }

-func makeTempDir() string {
-	tempDir, err := ioutil.TempDir("", "minipath")
-	if err != nil {
-		log.Fatal(err)
-	}
-	tempDir = filepath.Join(tempDir, ".minikube")
-	os.Setenv(localpath.MinikubeHome, tempDir)
-	return localpath.MiniPath()
-}
-
 func TestRunNotDriver(t *testing.T) {
-	tempDir := makeTempDir()
-	defer func() { //clean up tempdir
-		err := os.RemoveAll(tempDir)
-		if err != nil {
-			t.Errorf("failed to clean up temp folder  %q", tempDir)
-		}
-	}()
+	tempDir := testutil.MakeTempDir()
+	defer testutil.RemoveTempDir(tempDir)
 	StartDriver()
 	if !localbinary.CurrentBinaryIsDockerMachine {
 		t.Fatal("CurrentBinaryIsDockerMachine not set. This will break driver initialization.")
@ -140,8 +122,8 @@ func TestRunNotDriver(t *testing.T) {
 func TestRunDriver(t *testing.T) {
 	// This test is a bit complicated. It verifies that when the root command is
 	// called with the proper environment variables, we setup the libmachine driver.
-	tempDir := makeTempDir()
-	defer os.RemoveAll(tempDir)
+	tempDir := testutil.MakeTempDir()
+	defer testutil.RemoveTempDir(tempDir)

 	os.Setenv(localbinary.PluginEnvKey, localbinary.PluginEnvVal)
 	os.Setenv(localbinary.PluginEnvDriverName, driver.VirtualBox)
--- a/pkg/minikube/machine/filesync_test.go
+++ b/pkg/minikube/machine/filesync_test.go
@ -17,26 +17,16 @@ limitations under the License.
 package machine

 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
 	"k8s.io/minikube/pkg/minikube/localpath"
+	testutil "k8s.io/minikube/pkg/minikube/tests"
 	"k8s.io/minikube/pkg/minikube/vmpath"
 )

-func setupTestDir() (string, error) {
-	path, err := ioutil.TempDir("", "minipath")
-	if err != nil {
-		return "", err
-	}
-
-	os.Setenv(localpath.MinikubeHome, path)
-	return path, err
-}
-
 func TestAssetsFromDir(t *testing.T) {
 	tests := []struct {
 		description string
@ -107,17 +97,8 @@ func TestAssetsFromDir(t *testing.T) {

 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
-			testDir, err := setupTestDir()
-			defer func() { //clean up tempdir
-				err := os.RemoveAll(testDir)
-				if err != nil {
-					t.Errorf("failed to clean up temp folder  %q", testDir)
-				}
-			}()
-			if err != nil {
-				t.Errorf("got unexpected error creating test dir: %v", err)
-				return
-			}
+			testDir := testutil.MakeTempDir()
+			defer testutil.RemoveTempDir(testDir)

 			testDirs = append(testDirs, testDir)
 			testFileBaseDir := filepath.Join(testDir, test.baseDir)
--- a/pkg/minikube/node/config.go
+++ b/pkg/minikube/node/config.go
@ -41,10 +41,10 @@ func showVersionInfo(k8sVersion string, cr cruntime.Manager) {
 	register.Reg.SetStep(register.PreparingKubernetes)
 	out.T(cr.Style(), "Preparing Kubernetes {{.k8sVersion}} on {{.runtime}} {{.runtimeVersion}} ...", out.V{"k8sVersion": k8sVersion, "runtime": cr.Name(), "runtimeVersion": version})
 	for _, v := range config.DockerOpt {
-		out.T(out.Option, "opt {{.docker_option}}", out.V{"docker_option": v})
+		out.Infof("opt {{.docker_option}}", out.V{"docker_option": v})
 	}
 	for _, v := range config.DockerEnv {
-		out.T(out.Option, "env {{.docker_env}}", out.V{"docker_env": v})
+		out.Infof("env {{.docker_env}}", out.V{"docker_env": v})
 	}
 }

--- a/pkg/minikube/node/start.go
+++ b/pkg/minikube/node/start.go
@ -289,7 +289,7 @@ func setupKubeAdm(mAPI libmachine.API, cfg config.ClusterConfig, n config.Node,
 		exit.WithError("Failed to get bootstrapper", err)
 	}
 	for _, eo := range config.ExtraOptions {
-		out.T(out.Option, "{{.extra_option_component_name}}.{{.key}}={{.value}}", out.V{"extra_option_component_name": eo.Component, "key": eo.Key, "value": eo.Value})
+		out.Infof("{{.extra_option_component_name}}.{{.key}}={{.value}}", out.V{"extra_option_component_name": eo.Component, "key": eo.Key, "value": eo.Value})
 	}
 	// Loads cached images, generates config files, download binaries
 	// update cluster and set up certs
@ -424,7 +424,7 @@ func validateNetwork(h *host.Host, r command.Runner, imageRepository string) (st
 				out.T(out.Internet, "Found network options:")
 				optSeen = true
 			}
-			out.T(out.Option, "{{.key}}={{.value}}", out.V{"key": k, "value": v})
+			out.Infof("{{.key}}={{.value}}", out.V{"key": k, "value": v})
 			ipExcluded := proxy.IsIPExcluded(ip) // Skip warning if minikube ip is already in NO_PROXY
 			k = strings.ToUpper(k)               // for http_proxy & https_proxy
 			if (k == "HTTP_PROXY" || k == "HTTPS_PROXY") && !ipExcluded && !warnedOnce {
--- a/pkg/minikube/notify/notify_test.go
+++ b/pkg/minikube/notify/notify_test.go
@ -43,7 +43,7 @@ func TestMaybePrintUpdateTextFromGithub(t *testing.T) {

 func TestShouldCheckURL(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)

 	lastUpdateCheckFilePath := filepath.Join(tempDir, "last_update_check")

@ -152,7 +152,7 @@ func TestGetLatestVersionFromURLMalformed(t *testing.T) {

 func TestMaybePrintUpdateText(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)
 	outputBuffer := tests.NewFakeFile()
 	out.SetErrFile(outputBuffer)

--- a/pkg/minikube/out/out.go
+++ b/pkg/minikube/out/out.go
@ -69,6 +69,10 @@ type V map[string]interface{}

 // T writes a stylized and templated message to stdout
 func T(style StyleEnum, format string, a ...V) {
+	if style == Option {
+		Infof(format, a...)
+		return
+	}
 	outStyled := ApplyTemplateFormatting(style, useColor, format, a...)
 	if JSON {
 		register.PrintStep(outStyled)
@ -77,6 +81,12 @@ func T(style StyleEnum, format string, a ...V) {
 	String(outStyled)
 }

+// Infof is used for informational logs (options, env variables, etc)
+func Infof(format string, a ...V) {
+	outStyled := ApplyTemplateFormatting(Option, useColor, format, a...)
+	String(outStyled)
+}
+
 // String writes a basic formatted string to stdout
 func String(format string, a ...interface{}) {
 	// Flush log buffer so that output order makes sense
--- a/pkg/minikube/tests/dir_utils.go
+++ b/pkg/minikube/tests/dir_utils.go
@ -45,6 +45,13 @@ func MakeTempDir() string {
 	return localpath.MiniPath()
 }

+func RemoveTempDir(tempdir string) {
+	if filepath.Base(tempdir) == ".minikube" {
+		tempdir = filepath.Dir(tempdir)
+	}
+	os.RemoveAll(tempdir)
+}
+
 // FakeFile satisfies fdWriter
 type FakeFile struct {
 	b bytes.Buffer
--- a/pkg/util/retry/retry.go
+++ b/pkg/util/retry/retry.go
@ -36,6 +36,7 @@ func Local(callback func() error, maxTime time.Duration) error {
 	b.InitialInterval = 250 * time.Millisecond
 	b.RandomizationFactor = 0.25
 	b.Multiplier = 1.25
+	b.MaxElapsedTime = maxTime
 	return backoff.RetryNotify(callback, b, notify)
 }

--- a/site/content/en/docs/commands/start.md
+++ b/site/content/en/docs/commands/start.md
@ -66,7 +66,7 @@ minikube start [flags]
      --insecure-registry strings         Insecure Docker registries to pass to the Docker daemon.  The default service CIDR range will automatically be added.
      --install-addons                    If set, install addons. Defaults to true. (default true)
      --interactive                       Allow user prompts for more information (default true)
-      --iso-url strings                   Locations to fetch the minikube ISO from. (default [https://storage.googleapis.com/minikube/iso/minikube-v1.11.0.iso,https://github.com/kubernetes/minikube/releases/download/v1.11.0/minikube-v1.11.0.iso,https://kubernetes.oss-cn-hangzhou.aliyuncs.com/minikube/iso/minikube-v1.11.0.iso])
+      --iso-url strings                   Locations to fetch the minikube ISO from. (default [https://storage.googleapis.com/minikube/iso/minikube-v1.12.0.iso,https://github.com/kubernetes/minikube/releases/download/v1.12.0/minikube-v1.12.0.iso,https://kubernetes.oss-cn-hangzhou.aliyuncs.com/minikube/iso/minikube-v1.12.0.iso])
      --keep-context                      This will keep the existing kubectl context and will create a minikube context.
      --kubernetes-version string         The Kubernetes version that the minikube VM will use (ex: v1.2.3, 'stable' for v1.18.3, 'latest' for v1.18.4-rc.0). Defaults to 'stable'.
      --kvm-gpu                           Enable experimental NVIDIA GPU support in minikube
--- a/site/content/en/docs/drivers/includes/podman_usage.inc
+++ b/site/content/en/docs/drivers/includes/podman_usage.inc
@ -1,20 +1,22 @@
-## experimental
+## Experimental

-This is an experimental driver. please use it only for experimental reasons.
-for a better kubernetes in container experience, use docker [driver]({{< ref "/docs/drivers/docker/" >}})
-
-## Install Podman
-
- [Podman](https://podman.io/getting-started/installation.html)
+This is an experimental driver. Please use it only for experimental reasons until it has reached maturity. For a more reliable minikube experience, use a non-experimental driver, like [Docker]({{< ref "/docs/drivers/docker.md" >}}).

 ## Usage

-Start a cluster using the podman driver:
+It's recommended to run minikube with the podman driver and [CRI-O container runtime](https://https://cri-o.io/): 

 ```shell
-minikube start --driver=podman
+minikube start --driver=podman --container-runtime=cri-o
 ```
-To make docker the default driver:
+
+Alternatively, start minikube with the podman driver only: 
+
+```shell
+minikube start --driver=podman 
+```
+
+To make podman the default driver: 

 ```shell
 minikube config set driver podman
--- a/site/content/en/docs/drivers/kvm2.md
+++ b/site/content/en/docs/drivers/kvm2.md
@ -37,6 +37,10 @@ The `minikube start` command supports 3 additional kvm specific flags:

 Also see [co/kvm2 open issues](https://github.com/kubernetes/minikube/labels/co%2Fkvm2)

+### Nested Virtulization
+
+If you are running KVM in a nested virtualization environment ensure your config the kernel modules correctly follow either [this](https://stafwag.github.io/blog/blog/2018/06/04/nested-virtualization-in-kvm/)  or [this](VM follow to config the kernel modules. also https://computingforgeeks.com/how-to-install-kvm-virtualization-on-debian/) tutorial.
+
 ## Troubleshooting
 * Run `virt-host-validate` and check for the suggestions.
 * Run `minikube start --alsologtostderr -v=7` to debug crashes
--- a/site/content/en/docs/drivers/podman.md
+++ b/site/content/en/docs/drivers/podman.md
@ -11,21 +11,36 @@ aliases:
 This driver is experimental and in active development. Help wanted!
 {{% /pageinfo %}}

-The podman driver is another kubernetes in container driver for minikube. similar to [docker](https://minikube.sigs.k8s.io/docs/drivers/docker/) driver. The podman driver is  experimental, and only supported on Linux and macOS (with a remote podman server).
+The podman driver is an alternative container runtime to the [Docker]({{< ref "/docs/drivers/docker.md" >}}) driver.

 ## Requirements

- Install [Podman](https://podman.io/getting-started/installation) 
- amd64 system 
+- Linux or macOS operating systems on amd64 architecture 
+- Install [podman](https://podman.io/getting-started/installation.html)

-## Try it with CRI-O container runtime.
-
-```shell
-minikube start --driver=podman --container-runtime=cri-o
-```

 {{% readfile file="/docs/drivers/includes/podman_usage.inc" %}}

 ## Known Issues

 - Podman driver is not supported on non-amd64 architectures such as arm yet. For non-amd64 archs please use [other drivers]({{< ref "/docs/drivers/_index.md" >}}) 
+- Podman requirements passwordless running of sudo. If you run into an error about sudo, do the following: 
+
+```shell
+$ sudo visudo
+```
+Then append the following to the section *at the very bottom* of the file where `username` is your user account.
+
+```shell
+username ALL=(ALL) NOPASSWD: /usr/bin/podman
+```
+
+Be sure this text is *after* `#includedir /etc/sudoers.d`. To confirm it worked, try: 
+
+```shell
+sudo -k -n podman version
+```
+
+## Troubleshooting
+
+- Run `minikube start --alsologtostderr -v=7` to debug errors and crashes
--- a/site/content/en/docs/handbook/registry.md
+++ b/site/content/en/docs/handbook/registry.md
@ -107,4 +107,4 @@ docker push localhost:5000/myimage

 After the image is pushed, refer to it by `localhost:5000/{name}` in kubectl specs.

-## 
+## 
--- a/site/content/en/docs/tutorials/using_psp.md
+++ b/site/content/en/docs/tutorials/using_psp.md
@ -13,18 +13,33 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en

 ## Prerequisites

- Minikube 1.5.2 with Kubernetes 1.16.x or higher
+- Minikube 1.11.1 with Kubernetes 1.16.x or higher

 ## Tutorial

-Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.  
+Start minikube with the `PodSecurityPolicy` admission controller and the
+`pod-security-policy` addon enabled.

-Create the directory:  
+`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy`
+
+The `pod-security-policy` addon must be enabled along with the admission
+controller to prevent issues during bootstrap.
+
+## Older versions of minikube
+
+Older versions of minikube do not ship with the `pod-security-policy` addon, so
+the policies that addon enables must be separately applied to the cluster.
+
+## Minikube 1.5.2 through 1.6.2
+
+Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
+
+Create the directory:
 `mkdir -p ~/.minikube/files/etc/kubernetes/addons`

 Copy the YAML below into this file: `~/.minikube/files/etc/kubernetes/addons/psp.yaml`

-Now start minikube:  
+Now start minikube:
 `minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy`

 ```yaml
@ -161,3 +176,24 @@ subjects:
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io
 ```
+
+### Minikube between 1.6.2 and 1.11.1
+
+With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files
+shown above will not be automatically applied to the cluster. You may have
+errors during bootstrap of the cluster if the admission controller is enabled.
+
+To use Pod Security Policies with these versions of minikube, first start a
+cluster without the `PodSecurityPolicy` admission controller enabled.
+
+Next, apply the YAML shown above to the cluster.
+
+Finally, stop the cluster and then restart it with the admission controller
+enabled.
+
+```
+minikube start
+kubectl apply -f /path/to/psp.yaml
+minikube stop
+minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+```
--- a/test.sh
+++ b/test.sh
@ -67,6 +67,7 @@ then
        ${pkgs} \
        && echo ok || ((exitcode += 32))
    tail -n +2 "${cov_tmp}" >>"${COVERAGE_PATH}"
+    rm ${cov_tmp}
 fi

 exit "${exitcode}"
--- a/test/integration/net_test.go
+++ b/test/integration/net_test.go
@ -90,7 +90,16 @@ func TestNetworkPlugins(t *testing.T) {
 				}
 				if !t.Failed() {
 					t.Run("KubeletFlags", func(t *testing.T) {
-						rr, err := Run(t, exec.CommandContext(ctx, Target(), "ssh", "-p", profile, "pgrep -a kubelet"))
+						var rr *RunResult
+						var err error
+
+						// none does not support 'minikube ssh'
+						if NoneDriver() {
+							rr, err = Run(t, exec.CommandContext(ctx, "pgrep", "-a", "kubelet"))
+						} else {
+							rr, err = Run(t, exec.CommandContext(ctx, Target(), "ssh", "-p", profile, "pgrep -a kubelet"))
+						}
+
 						if err != nil {
 							t.Fatalf("ssh failed: %v", err)
 						}