diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 69b57edbe48..513f58b0442 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -314,7 +314,7 @@ func (c *kubeletConfiguration) addFlags(fs *pflag.FlagSet) {
 fs.StringVar(&c.RemoteRuntimeEndpoint, "container-runtime-endpoint", c.RemoteRuntimeEndpoint, "[Experimental] The unix socket endpoint of remote runtime service. The endpoint is used only when CRI integration is enabled (--enable-cri)")
 fs.StringVar(&c.RemoteImageEndpoint, "image-service-endpoint", c.RemoteImageEndpoint, "[Experimental] The unix socket endpoint of remote image service. If not specified, it will be the same with container-runtime-endpoint by default. The endpoint is used only when CRI integration is enabled (--enable-cri)")
- fs.BoolVar(&c.DockerEnableSharedPID, "experimental-docker-enable-shared-pid", c.DockerEnableSharedPID, "[Experimental] The Container Runtime Interface (CRI) will eventually default to using a shared PID namespace for containers in a pod. Setting this flag allows previewing this behavior when running with the CRI enabled and Docker version 1.13.1 or higher.")
+ fs.BoolVar(&c.DockerDisableSharedPID, "docker-disable-shared-pid", c.DockerDisableSharedPID, "The Container Runtime Interface (CRI) defaults to using a shared PID namespace for containers in a pod when running with Docker 1.13.1 or higher. Setting this flag reverts to the previous behavior of isolated PID namespaces. This ability will be removed in a future Kubernetes release.")
 fs.BoolVar(&c.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", c.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required componenets (binaries, etc.) before performing the mount")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 2ef65365648..48351b91b42 100644
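Review bot: The old spelling `experimental-docker-enable-shared-pid` is dropped outright by the replacement `fs.BoolVar` call, so a node still started with that flag will fail flag parsing and not come up after the upgrade, and because the sense is inverted there is no drop-in alias for it. Failing hard is arguably the safer outcome, since it cannot silently move a node from isolated to shared PID namespaces, but it should be deliberate: either keep the old name registered on a throwaway bool for one release, mark it with `fs.MarkDeprecated("experimental-docker-enable-shared-pid", "use --docker-disable-shared-pid instead")` and invert it into `c.DockerDisableSharedPID` after parsing, or call the removal out in the release note. The new help text could also say what the unset value means, e.g. append `When unset, containers in a pod share a PID namespace.` so the isolation mode is visible from `--help` alone. addFlags continues outside the hunk on both sides.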
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -968,7 +968,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, dockershimRootDir st
 ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, c.PodInfraContainerImage, streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, c.DockerExecHandlerName, dockershimRootDir,
- !c.DockerEnableSharedPID)
+ c.DockerDisableSharedPID)
 if err != nil {
 return err
 }
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 80e9af6f47e..96857f0f5ca 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -178,6 +178,7 @@ dns-provider
 dns-provider-config
 dns-zone-name
 dockercfg-path
+docker-disable-shared-pid
 docker-email
 docker-endpoint
 docker-exec-handler
@@ -245,7 +246,6 @@ experimental-check-node-capabilities-before-mount
 experimental-cri
 experimental-dockershim
 experimental-dockershim-root-directory
-experimental-docker-enable-shared-pid
 experimental-fail-swap-on
 experimental-kernel-memcg-notification
 experimental-keystone-ca-file
diff --git a/pkg/apis/componentconfig/types.go b/pkg/apis/componentconfig/types.go
index ef8d0ca23dc..1b619003ccd 100644
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@@ -524,11 +524,11 @@ type KubeletConfiguration struct {
 // This flag, if set, instructs the kubelet to keep volumes from terminated pods mounted to the node.
 // This can be useful for debugging volume related issues.
 KeepTerminatedPodVolumes bool
- // This flag, if set, enables use of a shared PID namespace for pods running in the docker CRI runtime.
+ // This flag, if set, disables use of a shared PID namespace for pods running in the docker CRI runtime.
 // A shared PID namespace is the only option in non-docker runtimes and is required by the CRI. The ability to
 // disable it for docker will be removed unless a compelling use case is discovered with widespread use.
 // TODO: Remove once we no longer support disabling shared PID namespace (https://issues.k8s.io/41938)
- DockerEnableSharedPID bool
+ DockerDisableSharedPID bool
 /* following flags are meant for Node Allocatable */
diff --git a/pkg/apis/componentconfig/v1alpha1/types.go b/pkg/apis/componentconfig/v1alpha1/types.go
index 90b982099e4..bcb6e80d2e4 100644
--- a/pkg/apis/componentconfig/v1alpha1/types.go
+++ b/pkg/apis/componentconfig/v1alpha1/types.go
@@ -579,8 +579,8 @@ type KubeletConfiguration struct {
 // This flag, if set, instructs the kubelet to keep volumes from terminated pods mounted to the node.
 // This can be useful for debugging volume related issues.
 KeepTerminatedPodVolumes bool `json:"keepTerminatedPodVolumes,omitempty"`
- // This flag, if set, enables use of a shared PID namespace for pods run by the docker CRI runtime.
- DockerEnableSharedPID *bool `json:"dockerEnableSharedPID,omitempty"`
+ // This flag, if set, disables use of a shared PID namespace for pods run by the docker CRI runtime.
+ DockerDisableSharedPID *bool `json:"dockerDisableSharedPID,omitempty"`
 /* following flags are meant for Node Allocatable */
diff --git a/pkg/apis/componentconfig/v1alpha1/zz_generated.conversion.go b/pkg/apis/componentconfig/v1alpha1/zz_generated.conversion.go
index be30b4956eb..f4c1c3f1535 100644
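Review bot: The new doc comment on `DockerDisableSharedPID` says what setting the field does but not what the unset value means, which is the part this commit changes: unset now yields a shared PID namespace on Docker 1.13.1 or higher, where processes are visible across the containers of a pod. I would extend it to `// This flag, if set, disables use of a shared PID namespace for pods running in the docker CRI runtime. When unset, containers in a pod share a PID namespace on Docker 1.13.1 or higher, so their processes are visible to one another.` The v1alpha1 hunk below has the same gap, and there the field is a `*bool` that the generated conversion passes through `Convert_Pointer_bool_To_bool`, which as far as I know treats nil as false, so an absent `dockerDisableSharedPID` key in a config means shared PID; that comment should say so and should also carry the removal notice that only the internal type has, since a config author never sees the internal comment.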
--- a/pkg/apis/componentconfig/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/componentconfig/v1alpha1/zz_generated.conversion.go @@ -524,7 +524,7 @@ func autoConvert_v1alpha1_KubeletConfiguration_To_componentconfig_KubeletConfigu out.ExperimentalFailSwapOn = in.ExperimentalFailSwapOn out.ExperimentalCheckNodeCapabilitiesBeforeMount = in.ExperimentalCheckNodeCapabilitiesBeforeMount out.KeepTerminatedPodVolumes = in.KeepTerminatedPodVolumes - if err := v1.Convert_Pointer_bool_To_bool(&in.DockerEnableSharedPID, &out.DockerEnableSharedPID, s); err != nil { + if err := v1.Convert_Pointer_bool_To_bool(&in.DockerDisableSharedPID, &out.DockerDisableSharedPID, s); err != nil { return err } out.SystemReserved = *(*componentconfig.ConfigurationMap)(unsafe.Pointer(&in.SystemReserved)) @@ -728,7 +728,7 @@ func autoConvert_componentconfig_KubeletConfiguration_To_v1alpha1_KubeletConfigu out.ExperimentalFailSwapOn = in.ExperimentalFailSwapOn out.ExperimentalCheckNodeCapabilitiesBeforeMount = in.ExperimentalCheckNodeCapabilitiesBeforeMount out.KeepTerminatedPodVolumes = in.KeepTerminatedPodVolumes - if err := v1.Convert_bool_To_Pointer_bool(&in.DockerEnableSharedPID, &out.DockerEnableSharedPID, s); err != nil { + if err := v1.Convert_bool_To_Pointer_bool(&in.DockerDisableSharedPID, &out.DockerDisableSharedPID, s); err != nil { return err } out.SystemReserved = *(*map[string]string)(unsafe.Pointer(&in.SystemReserved)) diff --git a/pkg/apis/componentconfig/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/componentconfig/v1alpha1/zz_generated.deepcopy.go index e4c717473ba..772699238c5 100644 --- a/pkg/apis/componentconfig/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/componentconfig/v1alpha1/zz_generated.deepcopy.go 
@@ -336,8 +336,8 @@ func DeepCopy_v1alpha1_KubeletConfiguration(in interface{}, out interface{}, c * *out = new(bool) **out = **in } - if in.DockerEnableSharedPID != nil { - in, out := &in.DockerEnableSharedPID, &out.DockerEnableSharedPID + if in.DockerDisableSharedPID != nil { + in, out := &in.DockerDisableSharedPID, &out.DockerDisableSharedPID *out = new(bool) **out = **in } diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go index 61713494119..047eda537d5 100644 --- a/pkg/kubelet/kubelet.go +++ b/pkg/kubelet/kubelet.go @@ -548,7 +548,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub streamingConfig := getStreamingConfig(kubeCfg, kubeDeps) ds, err := dockershim.NewDockerService(klet.dockerClient, kubeCfg.SeccompProfileRoot, kubeCfg.PodInfraContainerImage, streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, kubeCfg.DockerExecHandlerName, dockershimRootDir, - !kubeCfg.DockerEnableSharedPID) + kubeCfg.DockerDisableSharedPID) if err != nil { return nil, err }