Do not remove sandbox when netns is not closed.

Signed-off-by: Lantao Liu <lantaol@google.com>

pkg/server/sandbox_remove.go

@@ -47,7 +47,6 @@ func (c *criContainerdService) RemovePodSandbox(ctx context.Context, r *runtime.
 	id := sandbox.ID
 
 	// Return error if sandbox container is not fully stopped.
-	// TODO(random-liu): [P0] Make sure network is torn down, may need to introduce a state.
 	_, err = sandbox.Container.Task(ctx, nil)
 	if err != nil && !errdefs.IsNotFound(err) {
 		return nil, fmt.Errorf("failed to get sandbox container info for %q: %v", id, err)
@@ -56,6 +55,11 @@ func (c *criContainerdService) RemovePodSandbox(ctx context.Context, r *runtime.
 		return nil, fmt.Errorf("sandbox container %q is not fully stopped", id)
 	}
 
+	// Return error if sandbox network namespace is not closed yet.
+	if sandbox.NetNS != nil && !sandbox.NetNS.Closed() {
+		return nil, fmt.Errorf("sandbox network namespace %q is not fully closed", sandbox.NetNS.GetPath())
+	}
+
 	// Remove all containers inside the sandbox.
 	// NOTE(random-liu): container could still be created after this point, Kubelet should
 	// not rely on this behavior.

pkg/store/sandbox/netns.go

@@ -107,6 +107,7 @@ func (n *NetNS) Remove() error {
 		if err := os.RemoveAll(path); err != nil {
 			return fmt.Errorf("failed to remove netns: %v", err)
 		}
+		n.restored = false
 	}
 	return nil
 }
@@ -115,7 +116,7 @@ func (n *NetNS) Remove() error {
 func (n *NetNS) Closed() bool {
 	n.Lock()
 	defer n.Unlock()
-	return n.closed
+	return n.closed && !n.restored
 }
 
 // GetPath returns network namespace path for sandbox container