remove pod infra flag on 1.29+ since its a noop

awslabs · Feb 1, 2024 · 9aaa063 · 9aaa063
1 parent a200bde
commit 9aaa063
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 25 deletions.
diff --git a/nodeadm/internal/kubelet/config.go b/nodeadm/internal/kubelet/config.go
@@ -240,30 +240,34 @@ func (ksc *kubeletConfig) withDefaultReservedResources() {
 	ksc.KubeReservedCgroup = ptr.String("/runtime")
 }
 
-// The '--pod-infra-container-image' flags is added so that the sandbox image is
-// not garbage collected. There are several way in which we could remove this:
-//   - wait until a minimum supported version of kubernetes which implements the
-//     image pinning CRI support: https://github.com/kubernetes/kubernetes/pull/118544
-//   - update to containerd 2.0, which reworks the abstraction and no longer
-//     requires sandbox image
-func (ksc *kubeletConfig) withPodInfraContainerImage(cfg *api.NodeConfig, flags map[string]string) error {
-	awsDomain, err := util.GetAwsDomain(context.TODO(), imds.New(imds.Options{}))
-	if err != nil {
-		return err
-	}
-	ecrUri, err := util.GetEcrUri(util.GetEcrUriRequest{
-		Region:    cfg.Status.Instance.Region,
-		Domain:    awsDomain,
-		AllowFips: true,
-	})
-	if err != nil {
-		return err
-	}
-	pauseContainerImage, err := util.GetPauseContainer(ecrUri)
-	if err != nil {
-		return err
+// withPodInfraContainerImage determines whether to add the
+// '--pod-infra-container-image' flag, which is used to ensure the sandbox image
+// is not garbage collected.
+//
+// TODO: revisit once the minimum supportted version catches up or the container
+// runtime is moved to containerd 2.0
+func (ksc *kubeletConfig) withPodInfraContainerImage(cfg *api.NodeConfig, kubeletVersion string, flags map[string]string) error {
+	// the flag is a noop on 1.29+, since the behavior was changed to use the
+	// CRI image pinning behavior and no longer considers the flag value.
+	if semver.Compare(kubeletVersion, "v1.29.0") < 0 {
+		awsDomain, err := util.GetAwsDomain(context.TODO(), imds.New(imds.Options{}))
+		if err != nil {
+			return err
+		}
+		ecrUri, err := util.GetEcrUri(util.GetEcrUriRequest{
+			Region:    cfg.Status.Instance.Region,
+			Domain:    awsDomain,
+			AllowFips: true,
+		})
+		if err != nil {
+			return err
+		}
+		pauseContainerImage, err := util.GetPauseContainer(ecrUri)
+		if err != nil {
+			return err
+		}
+		flags["pod-infra-container-image"] = pauseContainerImage
 	}
-	flags["pod-infra-container-image"] = pauseContainerImage
 	return nil
 }
 
@@ -286,7 +290,7 @@ func (k *kubelet) GenerateKubeletConfig(cfg *api.NodeConfig) (*kubeletConfig, er
 	if err := kubeletConfig.withNodeIp(cfg, k.flags); err != nil {
 		return nil, err
 	}
-	if err := kubeletConfig.withPodInfraContainerImage(cfg, k.flags); err != nil {
+	if err := kubeletConfig.withPodInfraContainerImage(cfg, kubeletVersion, k.flags); err != nil {
 		return nil, err
 	}
 

diff --git a/nodeadm/test/e2e/cases/pod-infra-container/run.sh b/nodeadm/test/e2e/cases/pod-infra-container/run.sh
@@ -9,6 +9,10 @@ source /helpers.sh
 mock::imds
 wait::dbus-ready
 
-mock::kubelet 1.27.0
+mock::kubelet 1.28.0
 nodeadm init --skip run --config-source file://config.yaml
 assert::file-contains /etc/eks/kubelet/environment '--pod-infra-container-image=602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pause:3.5'
+
+mock::kubelet 1.29.0
+nodeadm init --skip run --config-source file://config.yaml
+assert::file-not-contains /etc/eks/kubelet/environment 'pod-infra-container-image'