Kubernetes dockershim removal
With Kubernetes v1.20 the built-in dockershim was deprecated and is scheduled to be removed with v1.24. Don’t Panic! The Kubernetes community has published a blogpost and an FAQ with more information.
Gardener also needs to switch from using the built-in dockershim to
Gardener will not change running Shoot clusters. But changes to the container runtime will be coupled to the K8s version selected by the Shoot:
- starting with K8s version 1.22, Shoots not explicitly selecting a container runtime will get `containerd` instead of `docker`. Shoots can still select `docker` explicitly if needed.
- starting with K8s version 1.23, `docker` can no longer be selected.
At this point in time, we have no plans to support other container runtimes, such as
What should I do?
As a gardener operator:
- configure `.spec.machineImages.versions.cri.name` in your CloudProfile to allow users to select a container runtime for their Shoots (see below). Note: Please take a look at our detailed information regarding container runtime support in Gardener Operating System Extensions
- update your cloud provider extensions to avoid a node rollout when a Shoot is configured from `cri: nil` to `cri.name: docker`. Note: Please take a look at our detailed information regarding stable Worker node hash support in Gardener Provider Extensions
As a shoot owner:
- check if you have dependencies to the `docker` container runtime. Note: This is not only about your actual workload, but also concerns ops tooling as well as logging, monitoring and metric agents installed on the nodes
- test with `containerd`:
  - create a new Shoot or add a Worker Pool to an existing one
  - set `.spec.provider.workers.cri.name: containerd` for your Shoot
- once testing is successful, switch to `containerd` with your production workload. You don’t need to wait for Kubernetes v1.22; `containerd` is considered production ready as of today
- if you find dependencies to `docker`, set `.spec.provider.workers.cri.name: docker` explicitly to avoid defaulting to `containerd` once you update your Shoot to Kubernetes v1.22
- 2021-08-04: Kubernetes v1.22 released. Shoots using this version get `containerd` as default container runtime. Shoots can still select `docker` explicitly if needed.
- 2021-12-07: Kubernetes v1.23 released. Shoots using this version can no longer select `docker` as container runtime.
- 2022-06-28: Kubernetes v1.21 goes out of maintenance. This is the last version not affected by these changes. Make sure you have tested thoroughly and set the correct configuration for your Shoots!
- 2022-10-28: Kubernetes v1.22 goes out of maintenance. This is the last version that you can use with `docker` as container runtime. Make sure you have removed any dependencies to `docker` as container runtime!
See the official Kubernetes documentation for the exact dates for all releases.
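
The version rules above can be checked per worker pool before an upgrade. The following is an added example, not Gardener code: it reports which pools would change runtime by default and which would be rejected for a given target Kubernetes version. The Shoot documents are constructed samples, `spec.kubernetes.version` is assumed to hold the Shoot's Kubernetes version, and `docker` is assumed to be the default before v1.22.

```python
# Added example: constructed Shoot documents, trimmed to the fields the check reads.
SHOOTS = [
    {"metadata": {"name": "implicit"},
     "spec": {"kubernetes": {"version": "1.21.5"},
              "provider": {"workers": [{"name": "pool-a"}]}}},
    {"metadata": {"name": "pinned"},
     "spec": {"kubernetes": {"version": "1.21.5"},
              "provider": {"workers": [{"name": "pool-a", "cri": {"name": "docker"}},
                                       {"name": "pool-b", "cri": {"name": "containerd"}}]}}},
]


def minor(version):
    """Return (major, minor) as ints from a string such as '1.22.4' or 'v1.22'."""
    parts = version.lstrip("v").split(".")
    return int(parts[0]), int(parts[1])


def effective_runtime(version, cri_name):
    """An explicit cri.name wins; otherwise docker before 1.22, containerd from 1.22 on."""
    if cri_name:
        return cri_name
    return "containerd" if minor(version) >= (1, 22) else "docker"


def plan_upgrade(shoot, target_version):
    """Return {worker pool name: finding} for moving the Shoot to target_version."""
    current = shoot["spec"]["kubernetes"]["version"]  # assumed location of the version
    findings = {}
    for worker in shoot["spec"]["provider"]["workers"]:
        cri_name = (worker.get("cri") or {}).get("name")  # cri may be absent or null
        before = effective_runtime(current, cri_name)
        after = effective_runtime(target_version, cri_name)
        if cri_name == "docker" and minor(target_version) >= (1, 23):
            findings[worker["name"]] = "blocked: docker cannot be selected from 1.23"
        elif before != after:
            findings[worker["name"]] = f"switch: {before} -> {after} by default"
        else:
            findings[worker["name"]] = f"ok: stays on {after}"
    return findings


if __name__ == "__main__":
    for shoot in SHOOTS:
        for target in ("1.22.0", "1.23.0"):
            for pool, finding in plan_upgrade(shoot, target).items():
                print(f'{shoot["metadata"]["name"]}/{pool} -> {target}: {finding}')
```

A `switch` finding marks a pool whose node-level agents and ops tooling should be tested against `containerd` before the upgrade; a `blocked` finding marks a pool that still pins `docker` for a version where it can no longer be selected.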
Container Runtime support in Gardener Operating System Extensions
|Operating System|docker support|containerd support|
|---|---|---|
|SuSE CHost|✅|>= v1.14.0|
Note: If you’re using a different Operating System Extension, start evaluating now if it provides support for
containerd. Please refer to our documentation of the
operatingsystemconfig contract to understand how to support
containerd for an Operating System Extension.
Stable Worker node hash support in Gardener Provider Extensions
Upgrade to these versions to avoid a node rollout when a Shoot is configured from `cri: nil` to `cri.name: docker`:
|Provider Extension|Stable worker hash support|
|---|---|
Note: If you’re using a different Provider Extension, start evaluating now if it keeps the worker hash stable when switching from `.spec.provider.workers.cri: nil` to `.spec.provider.workers.cri.name: docker`. This doesn’t impact functional correctness; however, a node rollout will be triggered when users decide to configure `docker` for their Shoots.