Merge pull request #64189 from alinbalutoiu/master

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fix Windows CNI for the sandbox case **What this PR does / why we need it**: Windows supports both sandbox and non-sandbox cases. The non-sandbox case is for Windows Server 2016 and for Windows Server version greater than 1709 which use Hyper-V containers. Currently, the CNI on Windows fetches the IP from the containers within the pods regardless of the mode. This should be done only in the non-sandbox mode where the IP of the actual container will be different than the IP of the sandbox container. In the case where the sandbox container is supported, all the containers from the same pod will share the network details of the sandbox container. This patch updates the CNI to fetch the IP from the sandbox container when this mode is supported. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #64188 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
2025-07-30 06:54:01 +00:00 · 2018-06-01 20:32:28 -07:00 · 2018-06-01 20:32:28 -07:00 · 91b9b62ae8
commit 91b9b62ae8
parent 5da925ad4f 49e762ab3a
4 changed files with 28 additions and 43 deletions
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@ -412,8 +412,9 @@ func (ds *dockerService) PodSandboxStatus(ctx context.Context, req *runtimeapi.P

 	var IP string
 	// TODO: Remove this when sandbox is available on windows
+	// Currently windows supports both sandbox and non-sandbox cases.
 	// This is a workaround for windows, where sandbox is not in use, and pod IP is determined through containers belonging to the Pod.
-	if IP = ds.determinePodIPBySandboxID(podSandboxID); IP == "" {
+	if IP = ds.determinePodIPBySandboxID(podSandboxID, r); IP == "" {
 		IP = ds.getIP(podSandboxID, r)
 	}

--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@ -136,7 +136,7 @@ func (ds *dockerService) updateCreateConfig(
 	return nil
 }

-func (ds *dockerService) determinePodIPBySandboxID(uid string) string {
+func (ds *dockerService) determinePodIPBySandboxID(uid string, sandbox *dockertypes.ContainerJSON) string {
 	return ""
 }

--- a/pkg/kubelet/dockershim/helpers_unsupported.go
+++ b/pkg/kubelet/dockershim/helpers_unsupported.go
@ -45,7 +45,7 @@ func (ds *dockerService) updateCreateConfig(
 	return nil
 }

-func (ds *dockerService) determinePodIPBySandboxID(uid string) string {
+func (ds *dockerService) determinePodIPBySandboxID(uid string, sandbox *dockertypes.ContainerJSON) string {
 	glog.Warningf("determinePodIPBySandboxID is unsupported in this build")
 	return ""
 }
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
@ -83,7 +83,28 @@ func (ds *dockerService) updateCreateConfig(
 	return nil
 }

-func (ds *dockerService) determinePodIPBySandboxID(sandboxID string) string {
+func (ds *dockerService) determinePodIPBySandboxID(sandboxID string, sandbox *dockertypes.ContainerJSON) string {
+	// Versions and feature support
+	// ============================
+	// Windows version >= Windows Server, Version 1709, Supports both sandbox and non-sandbox case
+	// Windows version == Windows Server 2016 Support only non-sandbox case
+	// Windows version < Windows Server 2016 is Not Supported
+
+	// Sandbox support in Windows mandates CNI Plugin.
+	// Presence of CONTAINER_NETWORK flag is considered as non-Sandbox cases here
+	// Hyper-V isolated containers are also considered as non-Sandbox cases
+
+	// Todo: Add a kernel version check for more validation
+
+	// Hyper-V only supports one container per Pod yet and the container will have a different
+	// IP address from sandbox. Retrieve the IP from the containers as this is a non-Sandbox case.
+	// TODO(feiskyer): remove this workaround after Hyper-V supports multiple containers per Pod.
+	if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode == "" && sandbox.HostConfig.Isolation != kubeletapis.HypervIsolationValue {
+		// Sandbox case, fetch the IP from the sandbox container.
+		return ds.getIP(sandboxID, sandbox)
+	}
+
+	// Non-Sandbox case, fetch the IP from the containers within the Pod.
 	opts := dockertypes.ContainerListOptions{
 		All:     true,
 		Filters: dockerfilters.NewArgs(),
@ -103,45 +124,8 @@ func (ds *dockerService) determinePodIPBySandboxID(sandboxID string) string {
 			continue
 		}

-		// Versions and feature support
-		// ============================
-		// Windows version == Windows Server, Version 1709,, Supports both sandbox and non-sandbox case
-		// Windows version == Windows Server 2016   Support only non-sandbox case
-		// Windows version < Windows Server 2016 is Not Supported
-
-		// Sandbox support in Windows mandates CNI Plugin.
-		// Presence of CONTAINER_NETWORK flag is considered as non-Sandbox cases here
-
-		// Todo: Add a kernel version check for more validation
-
-		if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode == "" {
-			// On Windows, every container that is created in a Sandbox, needs to invoke CNI plugin again for adding the Network,
-			// with the shared container name as NetNS info,
-			// This is passed down to the platform to replicate some necessary information to the new container
-
-			//
-			// This place is chosen as a hack for now, since ds.getIP would end up calling CNI's addToNetwork
-			// That is why addToNetwork is required to be idempotent
-
-			// Instead of relying on this call, an explicit call to addToNetwork should be
-			// done immediately after ContainerCreation, in case of Windows only. TBD Issue # to handle this
-
-			if r.HostConfig.Isolation == kubeletapis.HypervIsolationValue {
-				// Hyper-V only supports one container per Pod yet and the container will have a different
-				// IP address from sandbox. Return the first non-sandbox container IP as POD IP.
-				// TODO(feiskyer): remove this workaround after Hyper-V supports multiple containers per Pod.
-				if containerIP := ds.getIP(c.ID, r); containerIP != "" {
-					return containerIP
-				}
-			} else {
-				// Do not return any IP, so that we would continue and get the IP of the Sandbox
-				ds.getIP(sandboxID, r)
-			}
-		} else {
-			// ds.getIP will call the CNI plugin to fetch the IP
-			if containerIP := ds.getIP(c.ID, r); containerIP != "" {
-				return containerIP
-			}
+		if containerIP := ds.getIP(c.ID, r); containerIP != "" {
+			return containerIP
 		}
 	}