From 0d2a493a8f8367e76bbbf2b7b68aba86cdcb01bf Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 7 Jul 2020 08:56:15 +0200
Subject: [PATCH] kubelet: skip setting the devices cgroup

use the new libcontainer feature of skipping setting the devices cgroup. This is necessary on cgroup v2 to avoid leaking a eBPF program every time the cgroup is re-configured.

Signed-off-by: Giuseppe Scrivano
---
 pkg/kubelet/cm/cgroup_manager_linux.go | 2 ++
 pkg/kubelet/cm/container_manager_linux.go | 1 +
 pkg/kubelet/dockershim/cm/container_manager_linux.go | 5 +++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/kubelet/cm/cgroup_manager_linux.go b/pkg/kubelet/cm/cgroup_manager_linux.go
index c7c7026da40..b0986bd3767 100644
--- a/pkg/kubelet/cm/cgroup_manager_linux.go
+++ b/pkg/kubelet/cm/cgroup_manager_linux.go
@@ -495,6 +495,7 @@ func setResourcesV2(cgroupConfig *libcontainerconfigs.Cgroup) error {
 Major: libcontainerconfigs.Wildcard,
 },
 }
+ cgroupConfig.Resources.SkipDevices = true
 manager, err := cgroupfs2.NewManager(cgroupConfig, cgroupConfig.Path, false)
 if err != nil {
@@ -517,6 +518,7 @@ func (m *cgroupManagerImpl) toResources(resourceConfig *ResourceConfig) *libcont
 Major: libcontainerconfigs.Wildcard,
 },
 },
+ SkipDevices: true,
 }
 if resourceConfig == nil {
 return resources
diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
index 3bc8e5f45a5..57110ed7745 100644
--- a/pkg/kubelet/cm/container_manager_linux.go
+++ b/pkg/kubelet/cm/container_manager_linux.go
@@ -384,6 +384,7 @@ func createManager(containerName string) (cgroups.Manager, error) {
 Major: configs.Wildcard,
 },
 },
+ SkipDevices: true,
 },
 }
diff --git a/pkg/kubelet/dockershim/cm/container_manager_linux.go b/pkg/kubelet/dockershim/cm/container_manager_linux.go
index 2599517716d..4430efb538c 100644
--- a/pkg/kubelet/dockershim/cm/container_manager_linux.go
+++ b/pkg/kubelet/dockershim/cm/container_manager_linux.go
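Review bot: The Devices allow-all rule assigned immediately above `cgroupConfig.Resources.SkipDevices = true` is now inert on this path, and nothing in the hunk records why both are kept. A reader who later hits the eBPF-program leak the commit message describes has no pointer from the code, and the security assumption — this is a parent cgroup whose device policy must stay unrestricted because the runtime enforces the device allowlist on each container's own cgroup — is left unstated. I'd put a why-comment on the new line: `// Do not program the devices controller for this (non-container) cgroup: on cgroup v2 each Set would attach a new eBPF program and leak the previous one. Device access is restricted by the runtime on the container cgroup, not here.` setResourcesV2's body starts and ends outside the hunk.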
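Review bot: `SkipDevices: true` is set unconditionally on the template every caller of toResources receives, so it now applies to every cgroup this manager creates, including the `resourceConfig == nil` case that returns the template unchanged. That is presumably intended (pod and QoS cgroups are parents, not container leaves), but libcontainer's SkipDevices is meant for parent cgroups only — if I recall correctly a container cannot be started with it set — so it is worth confirming no caller feeds a leaf container cgroup through this path, and a unit test asserting SkipDevices on the toResources result would keep a later refactor from silently reintroducing the per-reconfigure eBPF leak. The Devices wildcard rule kept alongside the flag also no longer has any effect; if it is retained for libcontainer validation rather than enforcement, a line such as `// Devices is kept only as a placeholder; SkipDevices prevents it from being applied.` would stop the next reader from assuming it is enforced. toResources continues outside the hunk.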
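Review bot: With `SkipDevices: true` the cgroup created for `containerName` is no longer explicitly set to allow-all on cgroup v1; it will presumably keep whatever device list it inherits from its parent, whereas before the Devices rule was written out on every reconfigure. That is equivalent on a default host where the parent is unrestricted, but on a node whose parent cgroup already carries a device allowlist the system container now inherits that restriction instead of attempting to widen it — the safer direction, but a behavior change worth stating in the commit message or next to the flag, e.g. `// SkipDevices: leave the devices controller as inherited from the parent; see cgroup_manager_linux.go.` createManager's body starts and ends outside the hunk.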
@@ -123,8 +123,9 @@ func createCgroupManager(name string) (cgroups.Manager, error) {
 Parent: "/",
 Name: name,
 Resources: &configs.Resources{
- Memory: int64(memoryLimit),
- MemorySwap: -1,
+ Memory: int64(memoryLimit),
+ MemorySwap: -1,
+ SkipDevices: true,
 Devices: []*configs.DeviceRule{
 {
 Minor: configs.Wildcard,
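Review bot: Placing `SkipDevices: true,` between `MemorySwap` and `Devices` forces gofmt to realign the two unchanged `Memory`/`MemorySwap` lines, which is why a one-line change shows up as a five-line hunk. Putting the field after the multi-line `Devices` entry (a multi-line value ends a gofmt alignment group) would leave those lines untouched and keep the substantive change obvious in blame, and it would sit next to the rule it neutralizes, since the Devices wildcard rule below is no longer applied once SkipDevices is set. createCgroupManager continues past the end of the hunk.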