Merge pull request #2438 from BenTheElder/pr2408

PR 2408 rebase + image bumps

images/base/files/usr/local/bin/entrypoint

@@ -51,30 +51,6 @@ validate_userns() {
   done
 }
 
-fake_file_with_content(){
-  local path="$1"
-  local content="$2"
-  local base="/run/fake"
-  local fake_path="${base}/${path}"
-  mkdir -p "$(dirname "${fake_path}")"
-  echo "INFO: UserNS: faking ${path} to be \"${content}\" (writable)"
-  echo "${content}" > "${fake_path}"
-  mount --bind "${fake_path}" "${path}"
-}
-
-fake_sysctl() {
-  local key="$1"
-  local key_slash
-  # shellcheck disable=SC2001
-  key_slash="$(echo "${key}" | sed -e s@\\.@/@g)"
-  local path="/proc/sys/${key_slash}"
-  if [[ -f "${path}" ]]; then
-    local content
-    content="$(cat "${path}")"
-    fake_file_with_content "${path}" "${content}"
-  fi
-}
-
 configure_containerd() {
   local snapshotter=${KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER:-}
   if [[ -n "$userns" ]]; then
@@ -85,15 +61,6 @@ configure_containerd() {
 
     # Use fuse-overlayfs by default: https://github.com/kubernetes-sigs/kind/issues/2275
     snapshotter="fuse-overlayfs"
-
-    # To run vanilla kubelet inside UserNS, we need to fake several unwritable sysctl to be writable.
-    # Workaround until https://github.com/kubernetes/kubernetes/pull/92863 gets merged in the upstream.
-    fake_sysctl "vm.overcommit_memory"
-    fake_sysctl "vm.panic_on_oom"
-    fake_sysctl "kernel.panic"
-    fake_sysctl "kernel.panic_on_oops"
-    fake_sysctl "kernel.keys.root_maxkeys"
-    fake_sysctl "kernel.keys.root_maxbytes"
   else
     # we need to switch to the 'native' snapshotter on zfs
     if [[ "$(stat -f -c %T /kind)" == 'zfs' ]]; then
@@ -301,13 +268,6 @@ fix_kmsg() {
     else
       echo 'WARN: /dev/kmsg does not exist, nor does /dev/console!' >&2
     fi
-  elif [[ -n "${userns}" ]]; then
-    if [[ -f "/proc/sys/kernel/dmesg_restrict" ]]; then
-      if [[ "$(cat /proc/sys/kernel/dmesg_restrict)" = "1" ]]; then
-        echo 'WARN: UserNS: /dev/kmsg is not readable, faking with /dev/null (hint: set sysctl value "kernel.dmesg_restrict" to 0)' >&2
-        mount --bind /dev/null /dev/kmsg
-      fi
-    fi
   fi
 }
 

pkg/apis/config/defaults/image.go

@@ -18,4 +18,4 @@ limitations under the License.
 package defaults
 
 // Image is the default for the Config.Image field, aka the default node image.
-const Image = "kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047"
+const Image = "kindest/node:v1.22.1@sha256:2f8d6b023f2b443bfa283a92ef8c02f9665e5fe1d1347ca1f61693d2b04f01fd"

pkg/build/nodeimage/defaults.go

@@ -20,4 +20,4 @@ package nodeimage
 const DefaultImage = "kindest/node:latest"
 
 // DefaultBaseImage is the default base image used
-const DefaultBaseImage = "docker.io/kindest/base:v20210729-302b42d2"
+const DefaultBaseImage = "docker.io/kindest/base:v20210825-cb7eab3f"

pkg/cluster/internal/kubeadm/config.go

@@ -440,12 +440,18 @@ func Config(data ConfigData) (config string, err error) {
 		data.FeatureGates = make(map[string]bool)
 	}
 
+	if data.RootlessProvider {
+		if ver.LessThan(version.MustParseSemantic("v1.22.0")) {
+			// rootless kind v0.12.x supports Kubernetes v1.22 with KubeletInUserNamespace gate.
+			// rootless kind v0.11.x supports older Kubernetes with fake procfs.
+			return "", errors.Errorf("version %q is not compatible with rootless provider (hint: kind v0.11.x may work with this version)", ver)
+		}
+		data.FeatureGates["KubeletInUserNamespace"] = true
+	}
+
 	// assume the latest API version, then fallback if the k8s version is too low
 	templateSource := ConfigTemplateBetaV2
 	if ver.LessThan(version.MustParseSemantic("v1.15.0")) {
-		if data.RootlessProvider {
-			return "", errors.Errorf("version %q is not compatible with rootless provider", ver)
-		}
 		templateSource = ConfigTemplateBetaV1
 	}