Merge pull request #93263 from liggitt/windows

Fix windows kubelet startup

pkg/kubelet/cm/BUILD

@@ -156,7 +156,6 @@ go_library(
         ],
         "@io_bazel_rules_go//go/platform:windows": [
             "//pkg/kubelet/cadvisor:go_default_library",
-            "//pkg/kubelet/cm/devicemanager:go_default_library",
             "//staging/src/k8s.io/client-go/tools/record:go_default_library",
             "//vendor/k8s.io/utils/mount:go_default_library",
         ],

pkg/kubelet/cm/container_manager_windows.go

@@ -36,7 +36,6 @@ import (
 	podresourcesapi "k8s.io/kubernetes/pkg/kubelet/apis/podresources/v1alpha1"
 	"k8s.io/kubernetes/pkg/kubelet/cadvisor"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
-	"k8s.io/kubernetes/pkg/kubelet/cm/devicemanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/kubernetes/pkg/kubelet/config"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -53,10 +52,6 @@ type containerManagerImpl struct {
 	cadvisorInterface cadvisor.Interface
 	// Config of this node.
 	nodeConfig NodeConfig
-	// Interface for exporting and allocating devices reported by device plugins.
-	deviceManager devicemanager.Manager
-	// Interface for Topology resource co-ordination
-	topologyManager topologymanager.Manager
 }
 
 type noopWindowsResourceAllocator struct{}
@@ -84,11 +79,6 @@ func (cm *containerManagerImpl) Start(node *v1.Node,
 		}
 	}
 
-	// Starts device manager.
-	if err := cm.deviceManager.Start(devicemanager.ActivePodsFunc(activePods), sourcesReady); err != nil {
-		return err
-	}
-
 	return nil
 }
 
@@ -103,23 +93,11 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 	}
 	capacity := cadvisor.CapacityFromMachineInfo(machineInfo)
 
-	cm := &containerManagerImpl{
+	return &containerManagerImpl{
 		capacity:          capacity,
 		nodeConfig:        nodeConfig,
 		cadvisorInterface: cadvisorInterface,
-	}
+	}, nil
-
-	klog.Infof("Creating device plugin manager: %t", devicePluginEnabled)
-	if devicePluginEnabled {
-		cm.deviceManager, err = devicemanager.NewManagerImpl(nil, cm.topologyManager)
-	} else {
-		cm.deviceManager, err = devicemanager.NewManagerStub()
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	return cm, nil
 }
 
 func (cm *containerManagerImpl) SystemCgroupsLimit() v1.ResourceList {
@@ -172,11 +150,11 @@ func (cm *containerManagerImpl) GetCapacity() v1.ResourceList {
 }
 
 func (cm *containerManagerImpl) GetPluginRegistrationHandler() cache.PluginHandler {
-	return cm.deviceManager.GetWatcherHandler()
+	return nil
 }
 
 func (cm *containerManagerImpl) GetDevicePluginResourceCapacity() (v1.ResourceList, v1.ResourceList, []string) {
-	return cm.deviceManager.GetCapacity()
+	return nil, nil, []string{}
 }
 
 func (cm *containerManagerImpl) NewPodContainerManager() PodContainerManager {
@@ -184,24 +162,11 @@ func (cm *containerManagerImpl) NewPodContainerManager() PodContainerManager {
 }
 
 func (cm *containerManagerImpl) GetResources(pod *v1.Pod, container *v1.Container) (*kubecontainer.RunContainerOptions, error) {
-	opts := &kubecontainer.RunContainerOptions{}
+	return &kubecontainer.RunContainerOptions{}, nil
-	// Allocate should already be called during predicateAdmitHandler.Admit(),
-	// just try to fetch device runtime information from cached state here
-	devOpts, err := cm.deviceManager.GetDeviceRunContainerOptions(pod, container)
-	if err != nil {
-		return nil, err
-	} else if devOpts == nil {
-		return opts, nil
-	}
-	opts.Devices = append(opts.Devices, devOpts.Devices...)
-	opts.Mounts = append(opts.Mounts, devOpts.Mounts...)
-	opts.Envs = append(opts.Envs, devOpts.Envs...)
-	opts.Annotations = append(opts.Annotations, devOpts.Annotations...)
-	return opts, nil
 }
 
-func (cm *containerManagerImpl) UpdatePluginResources(node *schedulerframework.NodeInfo, attrs *lifecycle.PodAdmitAttributes) error {
+func (cm *containerManagerImpl) UpdatePluginResources(*schedulerframework.NodeInfo, *lifecycle.PodAdmitAttributes) error {
-	return cm.deviceManager.UpdatePluginResources(node, attrs)
+	return nil
 }
 
 func (cm *containerManagerImpl) InternalContainerLifecycle() InternalContainerLifecycle {
@@ -212,12 +177,12 @@ func (cm *containerManagerImpl) GetPodCgroupRoot() string {
 	return ""
 }
 
-func (cm *containerManagerImpl) GetDevices(podUID, containerName string) []*podresourcesapi.ContainerDevices {
+func (cm *containerManagerImpl) GetDevices(_, _ string) []*podresourcesapi.ContainerDevices {
-	return cm.deviceManager.GetDevices(podUID, containerName)
+	return nil
 }
 
 func (cm *containerManagerImpl) ShouldResetExtendedResourceCapacity() bool {
-	return cm.deviceManager.ShouldResetExtendedResourceCapacity()
+	return false
 }
 
 func (cm *containerManagerImpl) GetAllocateResourcesPodAdmitHandler() lifecycle.PodAdmitHandler {

pkg/kubelet/dockershim/docker_sandbox.go

@@ -666,12 +666,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 	return createConfig, nil
 }
 
-func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
-	// run sandbox with no-new-privileges and using runtime/default
-	// sending no "seccomp=" means docker will use default profile
-	return []string{"no-new-privileges"}
-}
-
 // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
 // Supports: POD, NODE
 func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {

pkg/kubelet/dockershim/helpers_linux.go

@@ -48,6 +48,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 	return seccompSecurityOpts, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+	// run sandbox with no-new-privileges and using runtime/default
+	// sending no "seccomp=" means docker will use default profile
+	return []string{"no-new-privileges"}
+}
+
 func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
 	if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
 		// return early the default

pkg/kubelet/dockershim/helpers_unsupported.go

@@ -36,6 +36,11 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 	return nil, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+	klog.Warningf("getSandBoxSecurityOpts is unsupported in this build")
+	return nil
+}
+
 func (ds *dockerService) updateCreateConfig(
 	createConfig *dockertypes.ContainerCreateConfig,
 	config *runtimeapi.ContainerConfig,

pkg/kubelet/dockershim/helpers_windows.go

@@ -43,6 +43,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 	return nil, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+	// Currently, Windows container does not support privileged mode, so no no-new-privileges flag can be returned directly like Linux
+	// If the future Windows container has new support for privileged mode, we can adjust it here
+	return nil
+}
+
 // applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
 func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
 	if kubeletapis.ShouldIsolatedByHyperV(annotations) {