sandbox: Allows the sandbox to be deleted in NotReady state

The Pod Sandbox can enter in a NotReady state if the task associated
with it no longer exists (it died, or it was killed). In this state,
the Pod network namespace could still be open, which means we can't
remove the sandbox, even if --force was used.

Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>

pkg/cri/server/sandbox_remove.go

@@ -26,7 +26,6 @@ import (
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 
 	"github.com/containerd/containerd/pkg/cri/store"
-	sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
 )
 
 // RemovePodSandbox removes the sandbox. If there are running containers in the
@@ -46,13 +45,12 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS
 	// Use the full sandbox id.
 	id := sandbox.ID
 
-	// If the sandbox is still running or in an unknown state, forcibly stop it.
+	// If the sandbox is still running, not ready, or in an unknown state, forcibly stop it.
-	state := sandbox.Status.Get().State
+	// Even if it's in a NotReady state, this will close its network namespace, if open.
-	if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown {
+	// This can happen if the task process associated with the Pod died or it was killed.
-		logrus.Infof("Forcibly stopping sandbox %q", id)
+	logrus.Infof("Forcibly stopping sandbox %q", id)
-		if err := c.stopPodSandbox(ctx, sandbox); err != nil {
+	if err := c.stopPodSandbox(ctx, sandbox); err != nil {
-			return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id)
+		return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id)
-		}
 	}
 
 	// Return error if sandbox network namespace is not closed yet.