Merge pull request #11986 from chrischdi/pr-preload-kindnetd-everywhere

🌱 e2e: ensure to always preload kindnetd to not hit ImagePullBackoff

Author: k8s-ci-robot

scripts/ci-e2e-lib.sh

@@ -259,6 +259,11 @@ kind:prepullAdditionalImages () {
   kind::prepullImage "quay.io/jetstack/cert-manager-cainjector:v1.16.3"
   kind::prepullImage "quay.io/jetstack/cert-manager-webhook:v1.16.3"
   kind::prepullImage "quay.io/jetstack/cert-manager-controller:v1.16.3"
+
+  # Pull all images defined in DOCKER_PRELOAD_IMAGES.
+  for IMAGE in $(grep DOCKER_PRELOAD_IMAGES: < "$E2E_CONF_FILE" | sed -E 's/.*\[(.*)\].*/\1/' | tr ',' ' '); do
+    kind::prepullImage "${IMAGE}"
+  done
 }
 
 # kind:prepullImage pre-pull a docker image if no already present locally.

test/e2e/config/docker.yaml

@@ -380,6 +380,8 @@ variables:
   DOCKER_POD_CIDRS: "192.168.0.0/16"
   DOCKER_SERVICE_IPV6_CIDRS: "fd00:100:64::/108"
   DOCKER_POD_IPV6_CIDRS: "fd00:100:96::/48"
+  # Needs to be kept in sync the CNI file referenced below for caching purposes.
+  DOCKER_PRELOAD_IMAGES: "[kindest/kindnetd:v20250214-acbabc1a]"
   CNI: "./data/cni/kindnet/kindnet.yaml"
   KUBETEST_CONFIGURATION: "./data/kubetest/conformance.yaml"
   AUTOSCALER_WORKLOAD: "./data/autoscaler/autoscaler-to-workload-workload.yaml"

test/e2e/data/cni/kindnet/kindnet.yaml

@@ -1,24 +1,34 @@
-# kindnetd networking manifest
+# source: https://github.com/kubernetes-sigs/kind/blob/v0.27.0/pkg/build/nodeimage/const_cni.go#L28
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kindnet
 rules:
+  - apiGroups:
+    - policy
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use
+    resourceNames:
+    - kindnet
   - apiGroups:
       - ""
     resources:
       - nodes
+      - pods
+      - namespaces
     verbs:
       - list
       - watch
-      - patch
   - apiGroups:
-      - ""
+     - "networking.k8s.io"
     resources:
-      - configmaps
+      - networkpolicies
     verbs:
-      - get
+      - list
+      - watch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -29,9 +39,9 @@ roleRef:
   kind: ClusterRole
   name: kindnet
 subjects:
-  - kind: ServiceAccount
-    name: kindnet
-    namespace: kube-system
+- kind: ServiceAccount
+  name: kindnet
+  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -60,55 +70,52 @@ spec:
         k8s-app: kindnet
     spec:
       hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
       tolerations:
-        - operator: Exists
-          effect: NoSchedule
+      - operator: Exists
       serviceAccountName: kindnet
       containers:
-        - name: kindnet-cni
-          image: kindest/kindnetd:v20230511-dc714da8
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            # We're using the dualstack CIDRs here. The order doesn't matter for kindnet as the loops are run concurrently.
-            # REF: https://github.com/kubernetes-sigs/kind/blob/3dbeb894e3092a336ab4278d3823e73a1d66aff7/images/kindnetd/cmd/kindnetd/main.go#L149-L175
-            - name: POD_SUBNET
-              value: '${DOCKER_POD_CIDRS},${DOCKER_POD_IPV6_CIDRS}'
-          volumeMounts:
-            - name: cni-cfg
-              mountPath: /etc/cni/net.d
-            - name: xtables-lock
-              mountPath: /run/xtables.lock
-              readOnly: false
-            - name: lib-modules
-              mountPath: /lib/modules
-              readOnly: true
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "50Mi"
-            limits:
-              cpu: "100m"
-              memory: "50Mi"
-          securityContext:
-            privileged: false
-            capabilities:
-              add: ["NET_RAW", "NET_ADMIN"]
+      - name: kindnet-cni
+        # Needs to be kept in sync with DOCKER_PRELOAD_IMAGES in test/e2e/config/docker.yaml for caching purposes.
+        image: kindest/kindnetd:v20250214-acbabc1a
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # We're using the dualstack CIDRs here. The order doesn't matter for kindnet as the loops are run concurrently.
+        # REF: https://github.com/kubernetes-sigs/kind/blob/3dbeb894e3092a336ab4278d3823e73a1d66aff7/images/kindnetd/cmd/kindnetd/main.go#L149-L175
+        - name: POD_SUBNET
+          value: '${DOCKER_POD_CIDRS},${DOCKER_POD_IPV6_CIDRS}'
+        volumeMounts:
+        - name: cni-cfg
+          mountPath: /etc/cni/net.d
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
+          readOnly: false
+        - name: lib-modules
+          mountPath: /lib/modules
+          readOnly: true
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "50Mi"
+          limits:
+            cpu: "100m"
+            memory: "50Mi"
+        securityContext:
+          privileged: false
+          capabilities:
+            add: ["NET_RAW", "NET_ADMIN"]
       volumes:
-        - name: cni-bin
-          hostPath:
-            path: /opt/cni/bin
-            type: DirectoryOrCreate
         - name: cni-cfg
           hostPath:
             path: /etc/cni/net.d
-            type: DirectoryOrCreate
         - name: xtables-lock
           hostPath:
             path: /run/xtables.lock

test/e2e/data/infrastructure-docker/main/cluster-template-kcp-remediation/cluster-with-kcp.yaml

@@ -37,7 +37,8 @@ metadata:
   name: "${CLUSTER_NAME}-control-plane"
 spec:
   template:
-    spec: {}
+    spec:
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 # KubeadmControlPlane referenced by the Cluster
 kind: KubeadmControlPlane

test/e2e/data/infrastructure-docker/main/clusterclass-quick-start-runtimesdk.yaml

@@ -114,6 +114,7 @@ spec:
       extraMounts:
       - containerPath: "/var/run/docker.sock"
         hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate
@@ -125,6 +126,7 @@ spec:
       extraMounts:
       - containerPath: "/var/run/docker.sock"
         hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachinePoolTemplate
@@ -137,6 +139,7 @@ spec:
         extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+        preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate

test/e2e/data/infrastructure-docker/main/clusterclass-quick-start.yaml

@@ -582,6 +582,7 @@ spec:
       extraMounts:
       - containerPath: "/var/run/docker.sock"
         hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate
@@ -602,6 +603,7 @@ spec:
       extraMounts:
       - containerPath: "/var/run/docker.sock"
         hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachinePoolTemplate
@@ -623,6 +625,7 @@ spec:
         extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+        preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate

test/e2e/data/infrastructure-docker/v0.3/bases/cluster-with-kcp.yaml

@@ -43,6 +43,7 @@ spec:
       extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 # KubeadmControlPlane referenced by the Cluster object with
 # - the label kcp-adoption.step2, because it should be created in the second step of the kcp-adoption test.

test/e2e/data/infrastructure-docker/v0.3/bases/md.yaml

@@ -13,6 +13,7 @@ spec:
       extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 # KubeadmConfigTemplate referenced by the MachineDeployment
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3

test/e2e/data/infrastructure-docker/v0.4/bases/cluster-with-kcp.yaml

@@ -43,6 +43,7 @@ spec:
       extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 # KubeadmControlPlane referenced by the Cluster object with
 # - the label kcp-adoption.step2, because it should be created in the second step of the kcp-adoption test.

test/e2e/data/infrastructure-docker/v0.4/bases/md.yaml

@@ -13,6 +13,7 @@ spec:
       extraMounts:
         - containerPath: "/var/run/docker.sock"
           hostPath: "/var/run/docker.sock"
+      preLoadImages: ${DOCKER_PRELOAD_IMAGES:-[]}
 ---
 # KubeadmConfigTemplate referenced by the MachineDeployment
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4