From 587d772834948d823be6f2a844b13cedab1f7fe6 Mon Sep 17 00:00:00 2001
From: Nick Baker
Date: Mon, 29 Jan 2024 20:46:17 +0000
Subject: [PATCH] handle pod-infra-container-image on older versions
---
nodeadm/internal/kubelet/config.go | 33 +++++++++++++++++++
.../e2e/cases/pod-infra-container/config.yaml | 9 +++++
.../test/e2e/cases/pod-infra-container/run.sh | 18 ++++++++++
3 files changed, 60 insertions(+)
create mode 100644 nodeadm/test/e2e/cases/pod-infra-container/config.yaml
create mode 100755 nodeadm/test/e2e/cases/pod-infra-container/run.sh
diff --git a/nodeadm/internal/kubelet/config.go b/nodeadm/internal/kubelet/config.go
index fa8a79ff7..e6a5d04d1 100644
--- a/nodeadm/internal/kubelet/config.go
+++ b/nodeadm/internal/kubelet/config.go
@@ -240,6 +240,35 @@ func (ksc *kubeletConfig) withDefaultReservedResources() {
 ksc.KubeReservedCgroup = ptr.String("/runtime")
 }
 
+// The '--pod-infra-container-image' flags is added so that the sandbox image is
+// not garbage collected. There are several way in which we could remove this:
+// - wait until a minimum supported version of kubernetes which implements the
+// image pinning CRI support: https://github.com/kubernetes/kubernetes/pull/118544
+// - update to containerd 2.0, which reworks the abstraction and no longer
+// requires sandbox image
+func (ksc *kubeletConfig) withPodInfraContainerImage(cfg *api.NodeConfig, kubeletVersion string, flags map[string]string) error {
+ if semver.Compare(kubeletVersion, "v1.27.0") < 0 {
+ awsDomain, err := util.GetAwsDomain(context.TODO(), imds.New(imds.Options{}))
+ if err != nil {
+ return err
+ }
+ ecrUri, err := util.GetEcrUri(util.GetEcrUriRequest{
+ Region: cfg.Status.Instance.Region,
+ Domain: awsDomain,
+ AllowFips: true,
+ })
+ if err != nil {
+ return err
+ }
+ pauseContainerImage, err := util.GetPauseContainer(ecrUri)
+ if err != nil {
+ return err
+ }
+ flags["pod-infra-container-image"] = pauseContainerImage
+ }
+ return nil
+}
+
 func (k *kubelet) GenerateKubeletConfig(cfg *api.NodeConfig) (*kubeletConfig, error) {
 // Get the kubelet/kubernetes version to help conditionally enable features
 kubeletVersion, err := GetKubeletVersion()
@@ -249,6 +278,7 @@ func (k *kubelet) GenerateKubeletConfig(cfg *api.NodeConfig) (*kubeletConfig, er
 zap.L().Info("Detected kubelet version", zap.String("version", kubeletVersion))
 kubeletConfig := defaultKubeletSubConfig()
+
 if err := kubeletConfig.withFallbackClusterDns(&cfg.Spec.Cluster); err != nil {
 return nil, err
 }
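Review bot: The IMDS lookup in withPodInfraContainerImage runs under `context.TODO()`, so `util.GetAwsDomain` has no deadline and a slow or unreachable metadata endpoint can stall node bootstrap indefinitely on the pre-1.27 path; bound it with `ctx, cancel := context.WithTimeout(context.Background(), <imds timeout>)` and `defer cancel()` before the call, and pass `ctx` instead, or thread a ctx down from GenerateKubeletConfig if one is available there. Assuming `semver` here is golang.org/x/mod/semver, `semver.Compare` treats a string that is not valid semver (for example one without the leading `v`) as less than any valid version, so if GetKubeletVersion can ever return such a string the flag would be added on every kubelet version rather than only below 1.27 — worth confirming against its output. `flags["pod-infra-container-image"] = pauseContainerImage` overwrites any value already in the map; whether user-supplied kubelet flags can reach this map before this point is not visible in the hunk. Minor wording in the doc comment: `// The '--pod-infra-container-image' flag is added so that the sandbox image is` and `// not garbage collected. There are several ways in which we could remove this:`, and starting the comment with the method name would follow Go doc convention.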
@@ -258,6 +288,9 @@ func (k *kubelet) GenerateKubeletConfig(cfg *api.NodeConfig) (*kubeletConfig, er
 if err := kubeletConfig.withNodeIp(cfg, k.flags); err != nil {
 return nil, err
 }
+ if err := kubeletConfig.withPodInfraContainerImage(cfg, kubeletVersion, k.flags); err != nil {
+ return nil, err
+ }
 kubeletConfig.withVersionToggles(kubeletVersion, k.flags)
 kubeletConfig.withCloudProvider(cfg, k.flags)
diff --git a/nodeadm/test/e2e/cases/pod-infra-container/config.yaml b/nodeadm/test/e2e/cases/pod-infra-container/config.yaml
new file mode 100644
index 000000000..e859ba74b
--- /dev/null
+++ b/nodeadm/test/e2e/cases/pod-infra-container/config.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: node.eks.aws/v1alpha1
+kind: NodeConfig
+spec:
+ cluster:
+ name: my-cluster
+ apiServerEndpoint: https://example.com
+ certificateAuthority: Y2VydGlmaWNhdGVBdXRob3JpdHk=
+ cidr: 10.100.0.0/16
diff --git a/nodeadm/test/e2e/cases/pod-infra-container/run.sh b/nodeadm/test/e2e/cases/pod-infra-container/run.sh
new file mode 100755
index 000000000..2a2d2e1ad
--- /dev/null
+++ b/nodeadm/test/e2e/cases/pod-infra-container/run.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+source /helpers.sh
+
+mock::imds
+wait::dbus-ready
+
+mock::kubelet 1.26.0
+nodeadm init --skip run --config-source file://config.yaml
+assert::file-contains /etc/eks/kubelet/environment '--pod-infra-container-image=602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pause:3.5'
+
+mock::kubelet 1.27.0
+nodeadm init --skip run --config-source file://config.yaml
+assert::file-not-contains /etc/eks/kubelet/environment 'pod-infra-container-image'