kubeadm: change the default CRI socket to containerd

Change the default container runtime CRI socket endpoint to the one of containerd. Previously it was the one for Docker - Rename constants.DefaultDockerCRISocket to DefaultCRISocket - Make the constants files include the endpoints for all supported container runtimes for Unix/Windows. - Update unit tests related to docker runtime testing. - In kubelet/flags.go hardcode the legacy docker socket as a check to allow kubeadm 1.24 to run against kubelet 1.23 if the user explicitly sets the criSocket field to "npipe:////./pipe/dockershim" on Windows or "unix:///var/run/dockershim.sock" on Linux.
2025-07-22 03:11:40 +00:00 · 2022-01-04 23:15:12 +02:00 · 2022-01-04 23:15:12 +02:00 · ea2c948799
commit ea2c948799
parent 936e12c930
15 changed files with 50 additions and 47 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta2/doc.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta2/doc.go
@ -169,7 +169,7 @@ limitations under the License.
 // 	  - system:bootstrappers:kubeadm:default-node-token
 // 	nodeRegistration:
 // 	  name: "ec2-10-100-0-1"
-// 	  criSocket: "unix:///var/run/dockershim.sock"
+// 	  criSocket: "unix:///var/run/containerd/containerd.sock"
 // 	  taints:
 // 	  - key: "kubeadmNode"
 // 	    value: "master"
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go
@ -173,7 +173,7 @@ limitations under the License.
 // 	  - system:bootstrappers:kubeadm:default-node-token
 // 	nodeRegistration:
 // 	  name: "ec2-10-100-0-1"
-// 	  criSocket: "unix:///var/run/dockershim.sock"
+// 	  criSocket: "unix:///var/run/containerd/containerd.sock"
 // 	  taints:
 // 	  - key: "kubeadmNode"
 // 	    value: "master"
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
@ -579,7 +579,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
 			},
 			NodeRegistration: kubeadmapi.NodeRegistrationOptions{
 				Name:      "aaa",
-				CRISocket: "unix:///var/run/dockershim.sock",
+				CRISocket: "unix:///var/run/containerd/containerd.sock",
 			},
 		}, true},
 		{&kubeadmapi.JoinConfiguration{ // Pass with JoinControlPlane
@ -594,7 +594,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
 			},
 			NodeRegistration: kubeadmapi.NodeRegistrationOptions{
 				Name:      "aaa",
-				CRISocket: "unix:///var/run/dockershim.sock",
+				CRISocket: "unix:///var/run/containerd/containerd.sock",
 			},
 			ControlPlane: &kubeadmapi.JoinControlPlane{
 				LocalAPIEndpoint: kubeadmapi.APIEndpoint{
@ -615,7 +615,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
 			},
 			NodeRegistration: kubeadmapi.NodeRegistrationOptions{
 				Name:      "aaa",
-				CRISocket: "unix:///var/run/dockershim.sock",
+				CRISocket: "unix:///var/run/containerd/containerd.sock",
 			},
 			ControlPlane: &kubeadmapi.JoinControlPlane{
 				LocalAPIEndpoint: kubeadmapi.APIEndpoint{
@ -636,7 +636,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
 			},
 			NodeRegistration: kubeadmapi.NodeRegistrationOptions{
 				Name:      "aaa",
-				CRISocket: "/var/run/dockershim.sock",
+				CRISocket: "unix:///var/run/containerd/containerd.sock",
 			},
 			ControlPlane: &kubeadmapi.JoinControlPlane{
 				LocalAPIEndpoint: kubeadmapi.APIEndpoint{
--- a/cmd/kubeadm/app/cmd/certs_test.go
+++ b/cmd/kubeadm/app/cmd/certs_test.go
@ -359,7 +359,7 @@ kind: InitConfiguration
 localAPIEndpoint:
  advertiseAddress: 192.0.2.1
 nodeRegistration:
-  criSocket: /path/to/dockershim.sock
+  criSocket: "unix:///var/run/containerd/containerd.sock"
 ---
 apiVersion: %[1]s
 kind: ClusterConfiguration
--- a/cmd/kubeadm/app/cmd/config.go
+++ b/cmd/kubeadm/app/cmd/config.go
@ -211,7 +211,7 @@ func getDefaultNodeConfigBytes() ([]byte, error) {
 			},
 		},
 		NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{
-			CRISocket: constants.DefaultDockerCRISocket, // avoid CRI detection
+			CRISocket: constants.DefaultCRISocket, // avoid CRI detection
 		},
 	})
 	if err != nil {
--- a/cmd/kubeadm/app/cmd/config_test.go
+++ b/cmd/kubeadm/app/cmd/config_test.go
@ -363,10 +363,10 @@ func TestImagesPull(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
-		LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/docker", nil },
+		LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
 	}

-	containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultDockerCRISocket)
+	containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultCRISocket)
 	if err != nil {
 		t.Errorf("unexpected NewContainerRuntime error: %v", err)
 	}
--- a/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go
+++ b/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go
@ -84,6 +84,8 @@ func runCleanupNode(c workflow.RunData) error {
 		klog.Warningf("[reset] Failed to remove containers: %v\n", err)
 	}

+	// TODO: remove the dockershim directory cleanup in 1.25
+	// https://github.com/kubernetes/kubeadm/issues/2626
 	r.AddDirsToClean("/var/lib/dockershim", "/var/run/kubernetes", "/var/lib/cni")

 	// Remove contents from the config and pki directories
--- a/cmd/kubeadm/app/constants/constants_unix.go
+++ b/cmd/kubeadm/app/constants/constants_unix.go
@ -20,6 +20,13 @@ limitations under the License.
 package constants

 const (
-	// DefaultDockerCRISocket defines the default Docker CRI socket
-	DefaultDockerCRISocket = "unix:///var/run/dockershim.sock"
+	// CRISocketContainerd is the containerd CRI endpoint
+	CRISocketContainerd = "unix:///var/run/containerd/containerd.sock"
+	// CRISocketCRIO is the cri-o CRI endpoint
+	CRISocketCRIO = "unix:///var/run/crio/crio.sock"
+	// CRISocketDocker is the cri-dockerd CRI endpoint
+	CRISocketDocker = "unix:///var/run/cri-dockerd.sock"
+
+	// DefaultCRISocket defines the default CRI socket
+	DefaultCRISocket = CRISocketContainerd
 )
--- a/cmd/kubeadm/app/constants/constants_windows.go
+++ b/cmd/kubeadm/app/constants/constants_windows.go
@ -20,6 +20,14 @@ limitations under the License.
 package constants

 const (
-	// DefaultDockerCRISocket defines the default Docker CRI socket
-	DefaultDockerCRISocket = "npipe:////./pipe/docker_engine"
+	// CRISocketContainerd is the containerd CRI endpoint
+	CRISocketContainerd = "npipe:////./pipe/containerd-containerd"
+	// CRISocketCRIO is the cri-o CRI endpoint
+	// NOTE: this is a placeholder as CRI-O does not support Windows
+	CRISocketCRIO = "npipe:////./pipe/cri-o"
+	// CRISocketDocker is the cri-dockerd CRI endpoint
+	CRISocketDocker = "npipe:////./pipe/cri-dockerd"
+
+	// DefaultCRISocket defines the default CRI socket
+	DefaultCRISocket = CRISocketContainerd
 )
--- a/cmd/kubeadm/app/phases/kubelet/flags.go
+++ b/cmd/kubeadm/app/phases/kubelet/flags.go
@ -21,6 +21,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"

 	"github.com/pkg/errors"
@ -102,7 +103,13 @@ func buildKubeletArgMapCommon(opts kubeletFlagsOpts) map[string]string {
 	// Once that happens only the "remote" branch option should be left.
 	// TODO: https://github.com/kubernetes/kubeadm/issues/2626
 	hasDockershim := opts.kubeletVersion.Major() == 1 && opts.kubeletVersion.Minor() < 24
-	if opts.nodeRegOpts.CRISocket == constants.DefaultDockerCRISocket && hasDockershim {
+	var dockerSocket string
+	if runtime.GOOS == "windows" {
+		dockerSocket = "npipe:////./pipe/dockershim"
+	} else {
+		dockerSocket = "unix:///var/run/dockershim.sock"
+	}
+	if opts.nodeRegOpts.CRISocket == dockerSocket && hasDockershim {
 		kubeletFlags["network-plugin"] = "cni"
 	} else {
 		kubeletFlags["container-runtime"] = "remote"
--- a/cmd/kubeadm/app/phases/patchnode/patchnode_test.go
+++ b/cmd/kubeadm/app/phases/patchnode/patchnode_test.go
@ -52,7 +52,7 @@ func TestAnnotateCRISocket(t *testing.T) {
 		},
 		{
 			name:                       "CRI-socket annotation needs to be updated",
-			currentCRISocketAnnotation: "unix:///var/run/dockershim.sock",
+			currentCRISocketAnnotation: "unix:///foo/bar",
 			newCRISocketAnnotation:     "unix:///run/containerd/containerd.sock",
 			expectedPatch:              `{"metadata":{"annotations":{"kubeadm.alpha.kubernetes.io/cri-socket":"unix:///run/containerd/containerd.sock"}}}`,
 		},
--- a/cmd/kubeadm/app/preflight/checks_test.go
+++ b/cmd/kubeadm/app/preflight/checks_test.go
@ -917,10 +917,10 @@ func TestImagePullCheck(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
-		LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/docker", nil },
+		LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
 	}

-	containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultDockerCRISocket)
+	containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultCRISocket)
 	if err != nil {
 		t.Errorf("unexpected NewContainerRuntime error: %v", err)
 	}
--- a/cmd/kubeadm/app/util/config/initconfiguration.go
+++ b/cmd/kubeadm/app/util/config/initconfiguration.go
@ -196,7 +196,7 @@ func DefaultedStaticInitConfiguration() (*kubeadmapi.InitConfiguration, error) {
 		LocalAPIEndpoint: kubeadmapiv1.APIEndpoint{AdvertiseAddress: "1.2.3.4"},
 		BootstrapTokens:  []bootstraptokenv1.BootstrapToken{PlaceholderToken},
 		NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{
-			CRISocket: kubeadmconstants.DefaultDockerCRISocket, // avoid CRI detection
+			CRISocket: kubeadmconstants.DefaultCRISocket, // avoid CRI detection
 			Name:      "node",
 		},
 	}
--- a/cmd/kubeadm/app/util/runtime/runtime.go
+++ b/cmd/kubeadm/app/util/runtime/runtime.go
@ -124,7 +124,7 @@ func detectCRISocketImpl(isSocket func(string) bool) (string, error) {

 	if isSocket(dockerSocket) {
 		// the path in dockerSocket is not CRI compatible, hence we should replace it with a CRI compatible socket
-		foundCRISockets = append(foundCRISockets, constants.DefaultDockerCRISocket)
+		foundCRISockets = append(foundCRISockets, constants.DefaultCRISocket)
 	} else if isSocket(containerdSocket) {
 		// Docker 18.09 gets bundled together with containerd, thus having both dockerSocket and containerdSocket present.
 		// For compatibility reasons, we use the containerd socket only if Docker is not detected.
@ -140,7 +140,7 @@ func detectCRISocketImpl(isSocket func(string) bool) (string, error) {
 	switch len(foundCRISockets) {
 	case 0:
 		// Fall back to Docker if no CRI is detected, we can error out later on if we need it
-		return constants.DefaultDockerCRISocket, nil
+		return constants.DefaultCRISocket, nil
 	case 1:
 		// Precisely one CRI found, use that
 		return foundCRISockets[0], nil
--- a/cmd/kubeadm/app/util/runtime/runtime_test.go
+++ b/cmd/kubeadm/app/util/runtime/runtime_test.go
@ -89,11 +89,6 @@ func TestIsRunning(t *testing.T) {
 		LookPathFunc:  func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
 	}

-	dockerExecer := fakeexec.FakeExec{
-		CommandScript: genFakeActions(&fcmd, len(fcmd.CombinedOutputScript)),
-		LookPathFunc:  func(cmd string) (string, error) { return "/usr/bin/docker", nil },
-	}
-
 	cases := []struct {
 		name      string
 		criSocket string
@ -102,8 +97,6 @@ func TestIsRunning(t *testing.T) {
 	}{
 		{"valid: CRI-O is running", "unix:///var/run/crio/crio.sock", criExecer, false},
 		{"invalid: CRI-O is not running", "unix:///var/run/crio/crio.sock", criExecer, true},
-		{"valid: docker is running", constants.DefaultDockerCRISocket, dockerExecer, false},
-		{"invalid: docker is not running", constants.DefaultDockerCRISocket, dockerExecer, true},
 	}

 	for _, tc := range cases {
@ -143,7 +136,6 @@ func TestListKubeContainers(t *testing.T) {
 	}{
 		{"valid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", false},
 		{"invalid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", true},
-		{"valid: list containers using docker", constants.DefaultDockerCRISocket, false},
 	}

 	for _, tc := range cases {
@ -197,9 +189,6 @@ func TestRemoveContainers(t *testing.T) {
 		{"valid: remove containers using CRI", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, false}, // Test case 1
 		{"invalid: CRI rmp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true},
 		{"invalid: CRI stopp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true},
-		{"valid: remove containers using docker", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, false},
-		{"invalid: docker rm failure", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, true},
-		{"invalid: docker stop failure", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, true},
 	}

 	for _, tc := range cases {
@ -252,8 +241,6 @@ func TestPullImage(t *testing.T) {
 	}{
 		{"valid: pull image using CRI", "unix:///var/run/crio/crio.sock", "image1", false},
 		{"invalid: CRI pull error", "unix:///var/run/crio/crio.sock", "image2", true},
-		{"valid: pull image using docker", constants.DefaultDockerCRISocket, "image1", false},
-		{"invalid: docker pull error", constants.DefaultDockerCRISocket, "image2", true},
 	}

 	for _, tc := range cases {
@ -295,9 +282,7 @@ func TestImageExists(t *testing.T) {
 		result    bool
 	}{
 		{"valid: test if image exists using CRI", "unix:///var/run/crio/crio.sock", "image1", false},
-		{"invalid: CRI inspecti failure", "unix:///var/run/crio/crio.sock", "image2", true},
-		{"valid: test if image exists using docker", constants.DefaultDockerCRISocket, "image1", false},
-		{"invalid: docker inspect failure", constants.DefaultDockerCRISocket, "image2", true},
+		{"invalid: CRI inspect failure", "unix:///var/run/crio/crio.sock", "image2", true},
 	}

 	for _, tc := range cases {
@ -388,10 +373,10 @@ func TestDetectCRISocketImpl(t *testing.T) {
 		expectedSocket  string
 	}{
 		{
-			name:            "No existing sockets, use Docker",
+			name:            "No existing sockets, use default",
 			existingSockets: []string{},
 			expectedError:   false,
-			expectedSocket:  constants.DefaultDockerCRISocket,
+			expectedSocket:  constants.DefaultCRISocket,
 		},
 		{
 			name:            "One valid CRI socket leads to success",
@ -399,12 +384,6 @@ func TestDetectCRISocketImpl(t *testing.T) {
 			expectedError:   false,
 			expectedSocket:  "unix:///var/run/crio/crio.sock",
 		},
-		{
-			name:            "Correct Docker CRI socket is returned",
-			existingSockets: []string{"unix:///var/run/docker.sock"},
-			expectedError:   false,
-			expectedSocket:  constants.DefaultDockerCRISocket,
-		},
 		{
 			name: "CRI and Docker sockets lead to an error",
 			existingSockets: []string{
@ -420,10 +399,10 @@ func TestDetectCRISocketImpl(t *testing.T) {
 				"unix:///run/containerd/containerd.sock",
 			},
 			expectedError:  false,
-			expectedSocket: constants.DefaultDockerCRISocket,
+			expectedSocket: constants.DefaultCRISocket,
 		},
 		{
-			name: "A couple of CRI sockets lead to an error",
+			name: "Multiple CRI sockets lead to an error",
 			existingSockets: []string{
 				"unix:///var/run/crio/crio.sock",
 				"unix:///run/containerd/containerd.sock",