Description

Containerd was upgraded in #735, but the related patch does not work, since it does not handle specific problems with iptables which occur during containerd 1.6 -> 1.7 upgrade (from ubuntu repositories)

Solution

• Patch from v0.37.0 was marked to have known issue and recommended to skip
• Added new patch for next KM release, which helps to upgrade containerd correctly
  • This patch works only if it detects that some nodes have containerd package different from inventory version
  • On problematic nodes, containerd upgrade is performed with caution:
    • Node is drained first (best-effort)
    • Kubelet is stopped
    • Containerd pod sandboxes removed
    • Required containerd version is installed
    • Kubelet started, node uncordoned (with retries)
    • For control-plane nodes, we also wait control-plane pods to become healthy, before moving to next node

Test Cases

TestCase 1

Steps:

1. Install cluster with containerd.io=1.6*. Note that this should be explicitly specified in cluster.yaml, since regular containerd=1.6* package (without .io) is no longer available.
2. Specify version containerd.io=1.7* in cluster.yaml, without running install tasks (just inventory update). This step simulates inconsistency between nodes and "cluster.yaml"
3. Run migrate_kubemarine

Results:

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• There is no breaking changes, or migration patch is provided
• Integration CI passed
• Unit tests. If Yes list of new/changed tests with brief description
• There is no merge conflicts