diff --git a/pkg/kubelet/dockershim/helpers_linux.go b/pkg/kubelet/dockershim/helpers_linux.go
index 34635413a00..11931a9ba9a 100644
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@@ -120,7 +120,6 @@ func (ds *dockerService) updateCreateConfig(
 if err := applyContainerSecurityContext(lc, podSandboxID, createConfig.Config, createConfig.HostConfig, securityOptSep); err != nil {
 return fmt.Errorf("failed to apply container security context for container %q: %v", config.Metadata.Name, err)
 }
- modifyContainerPIDNamespaceOverrides(apiVersion, createConfig.HostConfig, podSandboxID)
 }
 // Apply cgroupsParent derived from the sandbox config.
diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
index d1ffbf78ea8..8f52b261154 100644
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@@ -19,9 +19,7 @@ package dockershim
 import (
 "fmt"
 "strconv"
- "strings"
- "github.com/blang/semver"
 dockercontainer "github.com/docker/docker/api/types/container"
 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -204,14 +202,3 @@ func modifyHostOptionsForContainer(nsOpts *runtimeapi.NamespaceOption, podSandbo
 hc.UTSMode = namespaceModeHost
 }
 }
-
-// modifyPIDNamespaceOverrides implements a temporary override for the default PID namespace sharing for Docker:
-// 1. Docker engine prior to API Version 1.24 doesn't support attaching to another container's
-// PID namespace, and it didn't stabilize until 1.26. This check can be removed when Kubernetes'
-// minimum Docker version is at least 1.13.1 (API version 1.26).
-// TODO(verb): remove entirely once these two conditions are satisfied
-func modifyContainerPIDNamespaceOverrides(version *semver.Version, hc *dockercontainer.HostConfig, podSandboxID string) {
- if version.LT(semver.Version{Major: 1, Minor: 26}) && strings.HasPrefix(string(hc.PidMode), "container:") {
- hc.PidMode = ""
- }
-}
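Review bot: With the `modifyContainerPIDNamespaceOverrides` call gone from `updateCreateConfig`, a `container:`-prefixed `HostConfig.PidMode` now goes to the Docker engine unchanged whatever the negotiated API version, and nothing visible in this diff checks that the version is at least 1.26. The removed helper's own comment made that minimum the precondition for deleting it, so a comment at the former call site should say where the kubelet enforces it, for example `// PidMode is passed through unmodified: dockershim requires Docker API >= 1.26 (enforced in <location>)`. If `apiVersion` has no other use in `updateCreateConfig`, whose body starts and ends outside this hunk, the parameter is now dead and can be dropped in a follow-up. The helper and test removals in the later hunks rest on the same assumption.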
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
index 3ce1366205d..d653c071179 100644
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@@ -21,7 +21,6 @@ import (
 "strconv"
 "testing"
- "github.com/blang/semver"
 dockercontainer "github.com/docker/docker/api/types/container"
 "github.com/stretchr/testify/assert"
@@ -404,56 +403,6 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 }
 }
-func TestModifyContainerNamespacePIDOverride(t *testing.T) {
- cases := []struct {
- name string
- version *semver.Version
- input, expected dockercontainer.PidMode
- }{
- {
- name: "mode:CONTAINER docker:NEW",
- version: &semver.Version{Major: 1, Minor: 26},
- input: "",
- expected: "",
- },
- {
- name: "mode:CONTAINER docker:OLD",
- version: &semver.Version{Major: 1, Minor: 25},
- input: "",
- expected: "",
- },
- {
- name: "mode:HOST docker:NEW",
- version: &semver.Version{Major: 1, Minor: 26},
- input: "host",
- expected: "host",
- },
- {
- name: "mode:HOST docker:OLD",
- version: &semver.Version{Major: 1, Minor: 25},
- input: "host",
- expected: "host",
- },
- {
- name: "mode:POD docker:NEW",
- version: &semver.Version{Major: 1, Minor: 26},
- input: "container:sandbox",
- expected: "container:sandbox",
- },
- {
- name: "mode:POD docker:OLD",
- version: &semver.Version{Major: 1, Minor: 25},
- input: "container:sandbox",
- expected: "",
- },
- }
- for _, tc := range cases {
- dockerCfg := &dockercontainer.HostConfig{PidMode: tc.input}
- modifyContainerPIDNamespaceOverrides(tc.version, dockerCfg, "sandbox")
- assert.Equal(t, tc.expected, dockerCfg.PidMode, "[Test case %q]", tc.name)
- }
-}
-
 func fullValidSecurityContext() *runtimeapi.LinuxContainerSecurityContext {
 return &runtimeapi.LinuxContainerSecurityContext{
 Privileged: true,