CRI: Sandbox IP not present after containerd restart #7843
Comments
cc @samuelkarp @MikeZappa87 as we were discussing on Slack
Let me take a look.
This needs to be backported to v1.6 ASAP. All releases since 1.6.9 have this critical regression that breaks containerd's guarantees around non-disruptive restarts. Unaffected versions are affected by CVEs, so users are currently forced to pick between CVEs or having their pods all restarted whenever containerd restarts.
I believe the issue I reported here is also resolved by this fix:
Description
First reported on the CNCF slack https://cloud-native.slack.com/archives/C4RJZ9Z6Y/p1671470742340569
Before containerd process restart:
After restarting containerd:
This means that kubelet sees the sandbox as changed and thus will restart each pod.
Steps to reproduce the issue
crictl -r unix:///run/k0s/containerd.sock inspectp $podID | jq .status.network
Describe the results you received and expected
containerd to correctly preserve the sandbox's IP/networking information. This behavior regressed in 1.6.9 and may be related to #7456
What version of containerd are you using?
1.6.12
Any other relevant information
No response
Show configuration if it is related to CRI plugin.
Default containerd config
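
The before/after comparison from the reproduction step, as an added example that is not part of the original issue or of containerd: it reads the `.status.network` object from `crictl inspectp` output and reports sandboxes whose IP differs across a restart. The function names and the sample JSON are constructed for illustration, and the empty `ip` in the "after" sample is an assumption about what the regression looks like.

```python
import json
import subprocess

ENDPOINT = "unix:///run/k0s/containerd.sock"  # endpoint from the issue's crictl command


def sandbox_network(inspect_json):
    """Return (ip, additional_ips) from the JSON printed by `crictl inspectp`."""
    status = json.loads(inspect_json).get("status") or {}
    net = status.get("network") or {}
    extra = [a.get("ip", "") if isinstance(a, dict) else str(a)
             for a in net.get("additionalIps") or []]
    return net.get("ip") or "", tuple(sorted(extra))


def snapshot(pod_ids, endpoint=ENDPOINT):
    """Inspect each sandbox on a live node; returns {pod_id: (ip, additional_ips)}."""
    snap = {}
    for pod_id in pod_ids:
        out = subprocess.run(["crictl", "-r", endpoint, "inspectp", pod_id],
                             check=True, capture_output=True, text=True).stdout
        snap[pod_id] = sandbox_network(out)
    return snap


def changed_sandboxes(before, after):
    """Map pod_id -> (before, after) for sandboxes whose network status differs."""
    return {pid: (net, after.get(pid))
            for pid, net in before.items() if after.get(pid) != net}


# Constructed sample output (not taken from the issue): the same sandbox before
# and after a containerd restart, with the IP assumed to come back empty.
SAMPLE_BEFORE = '{"status": {"id": "pod-a", "network": {"additionalIps": [], "ip": "10.244.0.5"}}}'
SAMPLE_AFTER = '{"status": {"id": "pod-a", "network": {"additionalIps": [], "ip": ""}}}'
SAMPLE_STABLE = '{"status": {"id": "pod-b", "network": {"additionalIps": [{"ip": "fd00::7"}], "ip": "10.244.0.7"}}}'

if __name__ == "__main__":
    before = {"pod-a": sandbox_network(SAMPLE_BEFORE), "pod-b": sandbox_network(SAMPLE_STABLE)}
    after = {"pod-a": sandbox_network(SAMPLE_AFTER), "pod-b": sandbox_network(SAMPLE_STABLE)}
    for pid, (old, new) in changed_sandboxes(before, after).items():
        print(f"{pid}: network changed across restart: {old} -> {new}")
```

On a live node, call `snapshot()` with the sandbox IDs before and after restarting containerd and pass both results to `changed_sandboxes()`; an empty result means the network status was preserved.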