Delete the sysctl runtime admit handler

As of https://github.com/kubernetes/kubernetes/pull/72831, the minimum docker version is 1.13.1. (and the minimum API version is 1.26). The only time the `RuntimeAdmitHandler` returns anything other than accept is when the Docker API version < 1.24. In other words, we can be confident that Docker will always support sysctl. As a result, we can delete this unnecessary and docker-specific code.
2025-08-06 10:43:56 +00:00 · 2020-01-20 11:07:22 -05:00 · 2020-01-20 11:07:22 -05:00 · 9e1c99c4e2
commit 9e1c99c4e2
parent dcd0755f84
8 changed files with 2 additions and 125 deletions
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -850,12 +850,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	klet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
 	if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
 		// add sysctl admission
 		runtimeSupport, err := sysctl.NewRuntimeAdmitHandler(klet.containerRuntime)
 		if err != nil {
 			return nil, err
 		}
 		// Safe, whitelisted sysctls can always be used as unsafe sysctls in the spec.
 		// Hence, we concatenate those two lists.
 		safeAndUnsafeSysctls := append(sysctlwhitelist.SafeSysctlWhitelist(), allowedUnsafeSysctls...)
@ -863,7 +857,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 		if err != nil {
 			return nil, err
 		}
 		klet.admitHandlers.AddPodAdmitHandler(runtimeSupport)
 		klet.admitHandlers.AddPodAdmitHandler(sysctlsWhitelist)
 	}
--- a/pkg/kubelet/sysctl/BUILD
+++ b/pkg/kubelet/sysctl/BUILD
@ -10,14 +10,12 @@ go_library(
    name = "go_default_library",
    srcs = [
        "namespace.go",
        "runtime.go",
        "whitelist.go",
    ],
    importpath = "k8s.io/kubernetes/pkg/kubelet/sysctl",
    deps = [
        "//pkg/apis/core/validation:go_default_library",
        "//pkg/apis/policy/validation:go_default_library",
        "//pkg/kubelet/container:go_default_library",
        "//pkg/kubelet/lifecycle:go_default_library",
    ],
 )
--- a/pkg/kubelet/sysctl/runtime.go
+++ b/pkg/kubelet/sysctl/runtime.go
@ -1,95 +0,0 @@
 /*
 Copyright 2016 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package sysctl
 import (
 	"fmt"
 	"k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 )
 const (
 	UnsupportedReason = "SysctlUnsupported"
 	// CRI uses semver-compatible API version, while docker does not
 	// (e.g., 1.24). Append the version with a ".0".
 	dockerMinimumAPIVersion = "1.24.0"
 	dockerTypeName = "docker"
 )
 // TODO: The admission logic in this file is runtime-dependent. It should be
 // changed to be generic and CRI-compatible.
 type runtimeAdmitHandler struct {
 	result lifecycle.PodAdmitResult
 }
 var _ lifecycle.PodAdmitHandler = &runtimeAdmitHandler{}
 // NewRuntimeAdmitHandler returns a sysctlRuntimeAdmitHandler which checks whether
 // the given runtime support sysctls.
 func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, error) {
 	switch runtime.Type() {
 	case dockerTypeName:
 		v, err := runtime.APIVersion()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get runtime version: %v", err)
 		}
 		// only Docker API version >= 1.24 supports sysctls
 		c, err := v.Compare(dockerMinimumAPIVersion)
 		if err != nil {
 			return nil, fmt.Errorf("failed to compare Docker version for sysctl support: %v", err)
 		}
 		if c >= 0 {
 			return &runtimeAdmitHandler{
 				result: lifecycle.PodAdmitResult{
 					Admit: true,
 				},
 			}, nil
 		}
 		return &runtimeAdmitHandler{
 			result: lifecycle.PodAdmitResult{
 				Admit:   false,
 				Reason:  UnsupportedReason,
 				Message: "Docker API version before 1.24 does not support sysctls",
 			},
 		}, nil
 	default:
 		// Return admit for other runtimes.
 		return &runtimeAdmitHandler{
 			result: lifecycle.PodAdmitResult{
 				Admit: true,
 			},
 		}, nil
 	}
 }
 // Admit checks whether the runtime supports sysctls.
 func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
 	if attrs.Pod.Spec.SecurityContext != nil {
 		if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
 			return w.result
 		}
 	}
 	return lifecycle.PodAdmitResult{
 		Admit: true,
 	}
 }
--- a/test/e2e/common/BUILD
+++ b/test/e2e/common/BUILD
@ -48,7 +48,6 @@ go_library(
        "//pkg/kubelet/events:go_default_library",
        "//pkg/kubelet/images:go_default_library",
        "//pkg/kubelet/runtimeclass/testing:go_default_library",
        "//pkg/kubelet/sysctl:go_default_library",
        "//staging/src/k8s.io/api/coordination/v1:go_default_library",
        "//staging/src/k8s.io/api/core/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
--- a/test/e2e/common/sysctl.go
+++ b/test/e2e/common/sysctl.go
@ -20,7 +20,6 @@ import (
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/kubernetes/pkg/kubelet/sysctl"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
@ -86,9 +85,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 		// might have already been deleted here.
 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 		framework.ExpectNoError(err)
 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 		}
 		gomega.Expect(ev).To(gomega.BeNil())
 		ginkgo.By("Waiting for pod completion")
@ -129,9 +125,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 		// might have already been deleted here.
 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 		framework.ExpectNoError(err)
 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 		}
 		gomega.Expect(ev).To(gomega.BeNil())
 		ginkgo.By("Waiting for pod completion")
@ -206,9 +199,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 		// might have already been deleted here.
 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 		framework.ExpectNoError(err)
 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 		}
 		ginkgo.By("Checking that the pod was rejected")
 		gomega.Expect(ev).ToNot(gomega.BeNil())
--- a/test/e2e/framework/pods.go
+++ b/test/e2e/framework/pods.go
@ -226,7 +226,7 @@ func (c *PodClient) WaitForErrorEventOrSuccess(pod *v1.Pod) (*v1.Event, error) {
 		}
 		for _, e := range evnts.Items {
 			switch e.Reason {
-			case events.KillingContainer, events.FailedToCreateContainer, sysctl.UnsupportedReason, sysctl.ForbiddenReason:
+			case events.KillingContainer, events.FailedToCreateContainer, sysctl.ForbiddenReason:
 				ev = &e
 				return true, nil
 			case events.StartedContainer:
--- a/test/e2e/upgrades/BUILD
+++ b/test/e2e/upgrades/BUILD
@ -41,7 +41,6 @@ go_library(
        "//test/e2e/framework/node:go_default_library",
        "//test/e2e/framework/security:go_default_library",
        "//test/e2e/framework/service:go_default_library",
        "//test/e2e/framework/skipper:go_default_library",
        "//test/e2e/framework/statefulset:go_default_library",
        "//test/e2e/framework/testfiles:go_default_library",
        "//test/e2e/scheduling:go_default_library",
--- a/test/e2e/upgrades/sysctl.go
+++ b/test/e2e/upgrades/sysctl.go
@ -28,7 +28,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/sysctl"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 )
@ -85,11 +84,8 @@ func (t *SysctlUpgradeTest) verifySafeSysctlWork(f *framework.Framework) *v1.Pod
 	validPod := f.PodClient().Create(t.validPod)
 	ginkgo.By("Making sure the valid pod launches")
-	ev, err := f.PodClient().WaitForErrorEventOrSuccess(t.validPod)
+	_, err := f.PodClient().WaitForErrorEventOrSuccess(t.validPod)
 	framework.ExpectNoError(err)
 	if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 		e2eskipper.Skipf("No sysctl support in Docker <1.12")
 	}
 	f.TestContainerOutput("pod with safe sysctl launched", t.validPod, 0, []string{fmt.Sprintf("%s = %s", safeSysctl, safeSysctlValue)})
 	return validPod
@ -105,9 +101,6 @@ func (t *SysctlUpgradeTest) verifyUnsafeSysctlsAreRejected(f *framework.Framewor
 	ginkgo.By("Making sure the invalid pod failed")
 	ev, err := f.PodClient().WaitForErrorEventOrSuccess(invalidPod)
 	framework.ExpectNoError(err)
 	if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 		e2eskipper.Skipf("No sysctl support in Docker <1.12")
 	}
 	framework.ExpectEqual(ev.Reason, sysctl.ForbiddenReason)
 	return invalidPod