Update dependency kubernetes-sigs/kind to v0.29.0 #12151
Conversation
gardener-prow
bot
added
the
cla: yes
gardener-prow
bot
added
the
size/XS
|
/retest |
|
LGTM label has been added. Git tree hash: 816cf11099783f478ccca8e734d30fc2ec525aed
|
gardener-prow
bot
added
approved
gardener-prow
bot
removed
the
size/XS
|
/cc @LucaBernstein |
gardener-prow
bot
added
the
size/S
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
| # TODO(LucaBernstein): kindest/node images built with kind version `v0.26.0` and `v0.27.0` must not be used for the following reasons: | ||
| # - `runc`: Starting with `v1.2.0`, we see tun/tap device issues with our vpn. We need to ensure at least `v1.2.4`: https://github.com/opencontainers/runc/pull/4555. | ||
| # - `containerd`: Starting with `v2.0.1`, we see issues where nodes become unready due to a race condition with the go-sni. We need to ensure the next version after `v2.0.2`: https://github.com/containerd/containerd/issues/11275. | ||
| # The root cause is fixed with go-cni >= v1.1.12 (https://github.com/containerd/containerd/pull/11244). | ||
| image: kindest/node:v1.32.0@sha256:2458b423d635d7b01637cac2d6de7e1c1dca1148a2ba2e90975e214ca849e7cb | ||
| image: kindest/node:v1.32.5@sha256:e3b2327e3a5ab8c76f5ece68936e4cafaa82edf58486b769727ab0b3b97a5b0d |
There was a problem hiding this comment.
See the release notes of KinD v0.29.0 & v0.28.0:
https://github.com/kubernetes-sigs/kind/releases/tag/v0.29.0
Updated to containerd 2.1.1
...
Updated to containerd 2.1 and runc 1.3
Double-checking in a running kindest/node container:
# runc --version
runc version 1.3.0
commit: v1.3.0-0-g4ca628d
spec: 1.2.1
go: go1.24.2
libseccomp: 2.5.4
# containerd --version
containerd github.com/containerd/containerd/v2 v2.1.1 cb1076646aa3740577fafbf3d914198b7fe8e3f7
containerd@v2.1.1 is using go-cni@v1.1.12:
https://github.com/containerd/containerd/blob/cb1076646aa3740577fafbf3d914198b7fe8e3f7/go.mod#L20
|
/assign |
sha256:e3b2327e3a5ab8c76f5ece68936e4cafaa82edf58486b769727ab0b3b97a5b0d # runc --version runc version 1.3.0 commit: v1.3.0-0-g4ca628d spec: 1.2.1 go: go1.24.2 libseccomp: 2.5.4 # containerd --version containerd github.com/containerd/containerd/v2 v2.1.1 cb1076646aa3740577fafbf3d914198b7fe8e3f7 go-cni v1.1.12 https://github.com/containerd/containerd/blob/cb1076646aa3740577fafbf3d914198b7fe8e3f7/go.mod#L20
marc1404
force-pushed
the
renovate/kubernetes-sigs-kind-0.x
branch
from
3be7db1 to
2c8a2ed
Compare
| Requires=containerd.service | ||
| After=containerd.service |
There was a problem hiding this comment.
The following gardenadm e2e test was failing:
[FAIL] gardenadm high-touch scenario tests Single-node control plane [It] should generate a bootstrap token and join the worker node [gardenadm, high-touch, single]
gardener/test/e2e/gardenadm/hightouch/gardenadm.go
Lines 193 to 194 in c7d6189
The gardenadm output logs the following:
[err] 2025-05-28T11:50:54.225Z ERROR Error {"flow": "join", "task": "Applying OperatingSystemConfig using gardener-node-agent's reconciliation logic", "error": "failed executing unit commands: 1 error occurred:\n\t* unable to restart unit \"gardener-node-init.service\": restart failed for gardener-node-init.service, due failed\n\n"}
[err] github.com/gardener/gardener/pkg/utils/flow.(*execution).runNode.func2
[err] github.com/gardener/gardener/pkg/utils/flow/flow.go:239
[err] 2025-05-28T11:50:54.225Z INFO Finished {"flow": "join"}
[err] Error: 1 error occurred:
[err] * task "Applying OperatingSystemConfig using gardener-node-agent's reconciliation logic" failed: failed executing unit commands: 1 error occurred:
[err] * unable to restart unit "gardener-node-init.service": restart failed for gardener-node-init.service, due failed
Checking the logs of the gardener-node-init unit:
root@machine-1:/# journalctl -u gardener-node-init
May 28 12:16:13 machine-1 systemd[1]: Starting gardener-node-init.service - Downloads the gardener-node-agent binary from the container registry and bootstraps it....
May 28 12:16:13 machine-1 init.sh[179]: > Prepare temporary directory for image pull and mount
May 28 12:16:13 machine-1 init.sh[179]: > Pull gardener-node-agent image and mount it to the temporary directory
May 28 12:16:13 machine-1 init.sh[183]: ctr: cannot access socket /run/containerd/containerd.sock: stat /run/containerd/containerd.sock: no such file or directory
May 28 12:16:13 machine-1 init.sh[194]: ctr: cannot access socket /run/containerd/containerd.sock: stat /run/containerd/containerd.sock: no such file or directory
May 28 12:16:13 machine-1 systemd[1]: gardener-node-init.service: Main process exited, code=exited, status=1/FAILURE
May 28 12:16:13 machine-1 systemd[1]: gardener-node-init.service: Failed with result 'exit-code'.
It seems as the init.sh script relies on containerd to be available:
Checking the containerd socket on machine-1:
root@machine-1:/# stat /run/containerd/containerd.sock
File: /run/containerd/containerd.sock
Size: 0 Blocks: 0 IO Block: 4096 socket
Device: 0,371 Inode: 175 Links: 1
Access: (0660/srw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-05-28 12:21:50.808906000 +0000
Modify: 2025-05-28 12:16:20.297863000 +0000
Change: 2025-05-28 12:16:20.297863000 +0000
Birth: 2025-05-28 12:16:20.297863000 +0000
It was available a few seconds after gardenadm tried to join the Node:
# gardenadm
May 28 12:16:13 machine-1 init.sh[194]: ctr: cannot access socket /run/containerd/containerd.sock: stat /run/containerd/containerd.sock: no such file or directory
# containerd
Birth: 2025-05-28 12:16:20.297863000 +0000
Therefore, I added containerd.service to the Requires and After directives of the gardener-node-init unit.
/cc @rfranzke @oliver-goetz
|
/test pull-gardener-integration Instance of: #11787 |
|
LGTM label has been added. Git tree hash: 94497ed80170e7c51c13f28fc97a9dc653ea547a
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: acumino, rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR contains the following updates:
v0.28.0->v0.29.0Release Notes
kubernetes-sigs/kind (kubernetes-sigs/kind)
v0.29.0Compare Source
This is a quick security release to pickup the containerd 2.1.1 CVE-2025-47290 fix.
See v0.28.0 (release days ago!) for full release notes with recent changes:
https://github.com/kubernetes-sigs/kind/releases/tag/v0.28.0
Breaking Changes
The default node image is now
kindest/node:v1.33.1@​sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34fNew Features
Images pre-built for this release:
kindest/node:v1.33.1@​sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34fkindest/node:v1.32.5@​sha256:e3b2327e3a5ab8c76f5ece68936e4cafaa82edf58486b769727ab0b3b97a5b0dkindest/node:v1.31.9@​sha256:b94a3a6c06198d17f59cca8c6f486236fa05e2fb359cbd75dabbfc348a10b211kindest/node:v1.30.13@​sha256:397209b3d947d154f6641f2d0ce8d473732bd91c87d9575ade99049aa33cd648NOTE: You must use the
@sha256digest to guarantee an image built for this release, until such a time as we switch to a different tagging scheme. Even then we will highly encourage digest pinning for security and reproducibility reasons.See also:
NOTE: These node images support amd64 and arm64, both of our supported platforms. You must use the same platform as your host, for more context see https://github.com/kubernetes-sigs/kind/issues/2718
Fixes
Contributors
Committers for this release:
(Please see v0.28.0 https://github.com/kubernetes-sigs/kind/releases/tag/v0.28.0#Contributors)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Release note: