To support new changes for Windows HostProcess Pod for K8S v1.28 and containerd 1.7 #5528
Conversation
NamanAg30
force-pushed
the
updatek8sandcontainerd
branch
4 times, most recently
from
0b65bb8
to
f6434f5
Compare
|
/test-windows-all |
build/yamls/windows/containerd/conf/Install-WindowsCNI-Containerd.ps1
Outdated
Show resolved
Hide resolved
rajnkamr
added
the
area/OS/windows
NamanAg30
force-pushed
the
updatek8sandcontainerd
branch
2 times, most recently
from
c60c29c
to
25a3d6d
Compare
|
/test-windows-all |
|
LGTM, did all CI tests pass on the 1.28 testbed? @NamanAg30 |
NamanAg30
force-pushed
the
updatek8sandcontainerd
branch
3 times, most recently
from
f3b4a3a
to
eab7706
Compare
NamanAg30
force-pushed
the
updatek8sandcontainerd
branch
2 times, most recently
from
f3574f5
to
61e84b7
Compare
build/yamls/windows/containerd/conf/Install-WindowsCNI-Containerd.ps1
Outdated
Show resolved
Hide resolved
XinShuYang
force-pushed
the
updatek8sandcontainerd
branch
from
28b9ff1
to
fda949e
Compare
XinShuYang
force-pushed
the
updatek8sandcontainerd
branch
from
fda949e
to
bff5ce2
Compare
| cp $mountPath/var/run/secrets/kubernetes.io/serviceaccount/ca.crt C:/var/run/secrets/kubernetes.io/serviceaccount | ||
| cp $mountPath/var/run/secrets/kubernetes.io/serviceaccount/token C:/var/run/secrets/kubernetes.io/serviceaccount | ||
|
|
||
| # From containerd version 1.7 onwards, the servcieaccount directory, the ca.cert and token files will automatically be created. |
There was a problem hiding this comment.
why the new code use a different indent?
|
|
||
| # From containerd version 1.7 onwards, the servcieaccount directory, the ca.cert and token files will automatically be created. | ||
| $serviceAccountPath = "C:\var\run\secrets\kubernetes.io\serviceaccount" | ||
| if (-Not $(Test-Path $serviceAccountPath)) { |
There was a problem hiding this comment.
I understand this is better, but will the original code fail if the path exists?
Does the PR fix anything or just improve code? This is important to understand what's the compatibility of previous Antrea releases.
There was a problem hiding this comment.
Yes, it will fail in containerd 1.7. If the path exists, related files can not be modified.
There was a problem hiding this comment.
Then how does it fix it if the PR just skips creating the path when it exists. The related files still cannot be modified, right?
There was a problem hiding this comment.
So basically there are three cases:
- If paths exist and files are unchanged, the agent skips copying files.
- If paths don't exist, the agent copies files to the destination.
- If paths exist and files have been modified, there is no way to modify the file, and the pod is expected to crash. The user should clean up the related paths by themselves.
Previously, the agent always copied related files, regardless of their existence, which could lead to agent crashes due to authorization issues. This PR fixes the case 1.
After discussing with Wenying, now I know that these 3 cases only can happen with containerd 1.6. For contianerd 1.7 since the destination and source path is the same path so we can just skip coping files, the code change in this PR is only to make it compatible for containerd1.6. @tnqn
There was a problem hiding this comment.
According to this link (https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/), with containerd versions <=1.6, the ca file and token of the service account only exists inside containers, but antrea-agent needs files under path "c:\var\run\secrets\kubernetes.io\serviceaccount" to create kubeClient, so we should copy the files to the target path. However, since containerd 1.7, containerd would automatically place the files under path "c:\var\run\secrets\kubernetes.io\serviceaccount" ( it is supposed to be 3 links to the same file), so we don't perform "copy" actions.
So the change here is to be consistent of the previous versions.
XinShuYang
force-pushed
the
updatek8sandcontainerd
branch
3 times, most recently
from
93c05d0
to
e9981e9
Compare
|
/test-windows-containerd-conformance |
|
/test-windows-containerd-e2e |
|
/test-windows-containerd-e2e |
…ins.sh w.r.t new k8s and containerd version Upgrade StartKubelet script and ci test script for k8s 1.28 version and antrea-windows-containerd.yaml for containerd 1.7 version. Signed-off-by: Naman Agarwal <naman.agarwal75@gmail.com> Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang
force-pushed
the
updatek8sandcontainerd
branch
from
e9981e9
to
47630ea
Compare
|
This change is only for checksum update and code rebase. |
|
/test-windows-containerd-e2e |
|
/test-windows-containerd-e2e |
|
/skip-all |
1 similar comment
|
/skip-all |
The patch is required to handle following cases:-
1.To handle WindowsHostProcessContainer for k8s 1.28 and and make required adjustment in antrea-windows-containerd.yaml for containerd 1.7.
2.To change commands to clean containerd environment on jumper node from ci/jenkins.sh (since on new tested we only have docker runtime)