kubelet: skip setting the devices cgroup

use the new libcontainer feature of skipping setting the devices cgroup. This is necessary on cgroup v2 to avoid leaking a eBPF program every time the cgroup is re-configured. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-07 08:56:15 +02:00
parent c655a5b636
commit 0d2a493a8f
3 changed files with 6 additions and 2 deletions
--- a/pkg/kubelet/cm/cgroup_manager_linux.go
+++ b/pkg/kubelet/cm/cgroup_manager_linux.go
@@ -495,6 +495,7 @@ func setResourcesV2(cgroupConfig *libcontainerconfigs.Cgroup) error {
 			Major:       libcontainerconfigs.Wildcard,
 		},
 	}
+	cgroupConfig.Resources.SkipDevices = true

 	manager, err := cgroupfs2.NewManager(cgroupConfig, cgroupConfig.Path, false)
 	if err != nil {
@@ -517,6 +518,7 @@ func (m *cgroupManagerImpl) toResources(resourceConfig *ResourceConfig) *libcont
 				Major:       libcontainerconfigs.Wildcard,
 			},
 		},
+		SkipDevices: true,
 	}
 	if resourceConfig == nil {
 		return resources