bug: pull pod infra container image if not cached for network isolated cluster (#7155)

Author: fseldow

e2e/node_config.go

@@ -23,7 +23,7 @@ var baseKubeletConfig = &aksnodeconfigv1.KubeletConfig{
 		"--cloud-config":              "",
 		"--cloud-provider":            "external",
 		"--kubeconfig":                "/var/lib/kubelet/kubeconfig",
-		"--pod-infra-container-image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
+		"--pod-infra-container-image": "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6",
 	},
 	KubeletNodeLabels: map[string]string{
 		"agentpool":                               "nodepool2",
@@ -547,7 +547,7 @@ func baseTemplateLinux(t testing.TB, location string, k8sVersion string, arch st
 			OSImageConfig: map[datamodel.Distro]datamodel.AzureOSImageConfig(nil),
 		},
 		K8sComponents: &datamodel.K8sComponents{
-			PodInfraContainerImageURL:  "mcr.microsoft.com/oss/kubernetes/pause:3.6",
+			PodInfraContainerImageURL:  "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6",
 			HyperkubeImageURL:          "mcr.microsoft.com/oss/kubernetes/",
 			WindowsPackageURL:          "windowspackage",
 			LinuxCredentialProviderURL: "",
@@ -681,7 +681,7 @@ func baseTemplateLinux(t testing.TB, location string, k8sVersion string, arch st
 			"--max-pods":                          "110",
 			"--network-plugin":                    "kubenet",
 			"--node-status-update-frequency":      "10s",
-			"--pod-infra-container-image":         "mcr.microsoft.com/oss/kubernetes/pause:3.6",
+			"--pod-infra-container-image":         "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6",
 			"--pod-manifest-path":                 "/etc/kubernetes/manifests",
 			"--pod-max-pids":                      "-1",
 			"--protect-kernel-defaults":           "true",

e2e/scenario_test.go

@@ -123,6 +123,7 @@ func Test_AzureLinuxV2_AirGap(t *testing.T) {
 						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRName(config.Config.DefaultLocation)),
 					},
 				}
+				nbc.KubeletConfig["--pod-infra-container-image"] = "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6"
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
 				ValidateDirectoryContent(ctx, s, "/run", []string{"outbound-check-skipped"})
@@ -768,6 +769,7 @@ func Test_Ubuntu2204_AirGap_NonAnonymousACR(t *testing.T) {
 					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
 				nbc.KubeletConfig["--image-credential-provider-config"] = "/var/lib/kubelet/credential-provider-config.yaml"
 				nbc.KubeletConfig["--image-credential-provider-bin-dir"] = "/var/lib/kubelet/credential-provider"
+				nbc.KubeletConfig["--pod-infra-container-image"] = "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6"
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
 				ValidateDirectoryContent(ctx, s, "/run", []string{"outbound-check-skipped"})
@@ -842,6 +844,7 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached(t *testing.
 					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
 				nbc.KubeletConfig["--image-credential-provider-config"] = "/var/lib/kubelet/credential-provider-config.yaml"
 				nbc.KubeletConfig["--image-credential-provider-bin-dir"] = "/var/lib/kubelet/credential-provider"
+				nbc.KubeletConfig["--pod-infra-container-image"] = "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6"
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
 				ValidateDirectoryContent(ctx, s, "/run", []string{"outbound-check-skipped"})

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -576,6 +576,44 @@ configureKubeletAndKubectl() {
     fi
 }
 
+ensurePodInfraContainerImage() {
+    POD_INFRA_CONTAINER_IMAGE_DOWNLOAD_DIR="/opt/pod-infra-container-image/downloads"
+    POD_INFRA_CONTAINER_IMAGE_TAR="/opt/pod-infra-container-image/pod-infra-container-image.tar"
+
+    pod_infra_container_image=$(get_sandbox_image)
+
+    echo "Checking if $pod_infra_container_image already exists locally..."
+    if ctr -n k8s.io images list -q | grep -q "^${pod_infra_container_image}$"; then
+        echo "Image $pod_infra_container_image already exists locally, skipping pull"
+        echo "Cached image details:"
+        return 0
+    fi
+    base_name="${pod_infra_container_image%@:*}"
+    base_name="${pod_infra_container_image%:*}"
+    tag="local"
+
+    image="${pod_infra_container_image//mcr.microsoft.com/${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}}"
+    acr_url=$(echo "$image" | cut -d/ -f1)
+
+    mkdir -p ${POD_INFRA_CONTAINER_IMAGE_DOWNLOAD_DIR}
+
+    echo "Pulling with authentication for $image"
+    retrycmd_cp_oci_layout_with_oras 10 5 "${POD_INFRA_CONTAINER_IMAGE_DOWNLOAD_DIR}" "$tag" "$image" || exit $ERR_PULL_POD_INFRA_CONTAINER_IMAGE
+
+    tar -cvf ${POD_INFRA_CONTAINER_IMAGE_TAR} -C ${POD_INFRA_CONTAINER_IMAGE_DOWNLOAD_DIR} .
+    if ctr -n k8s.io image import --base-name $base_name ${POD_INFRA_CONTAINER_IMAGE_TAR}; then
+        ctr -n k8s.io image tag "${base_name}:${tag}" "${pod_infra_container_image}"
+        echo "Successfully imported $pod_infra_container_image"
+        labelContainerImage "${pod_infra_container_image}" "io.cri-containerd.pinned" "pinned"
+    else
+        echo "Failed to import $pod_infra_container_image"
+        exit $ERR_PULL_POD_INFRA_CONTAINER_IMAGE
+    fi
+
+    rm -rf ${POD_INFRA_CONTAINER_IMAGE_DOWNLOAD_DIR}
+    rm -f ${POD_INFRA_CONTAINER_IMAGE_TAR}
+}
+
 ensureKubelet() {
     KUBELET_DEFAULT_FILE=/etc/default/kubelet
     mkdir -p /etc/default
@@ -741,6 +779,11 @@ EOF
         fi
     fi
 
+    # kubelet cannot pull pause image from anonymous disabled registry during runtime
+    if [ -n "${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}" ]; then
+        logs_to_events "AKS.CSE.ensureKubelet.ensurePodInfraContainerImage" ensurePodInfraContainerImage
+    fi
+
     # start measure-tls-bootstrapping-latency.service without waiting for the main process to start, while ignoring any failures
     if ! systemctlEnableAndStartNoBlock measure-tls-bootstrapping-latency 30; then
         echo "failed to start measure-tls-bootstrapping-latency.service"

parts/linux/cloud-init/artifacts/cse_helpers.sh

@@ -139,6 +139,8 @@ ERR_SECURE_TLS_BOOTSTRAP_START_FAILURE=220 # Error starting the secure TLS boots
 ERR_CLOUD_INIT_FAILED=223 # Error indicating that cloud-init returned exit code 1 in cse_cmd.sh
 ERR_NVIDIA_DRIVER_INSTALL=224 # Error determining if nvidia driver install should be skipped
 
+ERR_PULL_POD_INFRA_CONTAINER_IMAGE=225 # Error pulling pause image
+
 # For both Ubuntu and Mariner, /etc/*-release should exist.
 # For unit tests, the OS and OS_VERSION will be set in the unit test script.
 # So whether it's if or else actually doesn't matter to our unit test.
@@ -337,6 +339,28 @@ retrycmd_get_tarball_from_registry_with_oras() {
     done
 }
 
+retrycmd_cp_oci_layout_with_oras() {
+    retries=$1; wait_sleep=$2; path=$3; tag=$4; url=$5
+    mkdir -p "$path"
+    echo "${retries} retries"
+    for i in $(seq 1 $retries); do
+        if [ "$i" -eq "$retries" ]; then
+            echo "Failed to oras cp $url to $path:$tag after $retries attempts"
+            return $ERR_PULL_POD_INFRA_CONTAINER_IMAGE
+        else
+            if [ "$i" -gt 1 ]; then
+                sleep $wait_sleep
+            fi
+            timeout 120 oras cp "$url" "$path:$tag" --to-oci-layout --from-registry-config ${ORAS_REGISTRY_CONFIG_FILE} > $ORAS_OUTPUT 2>&1
+            if [ "$?" -ne 0 ]; then
+                cat $ORAS_OUTPUT
+            else
+                return 0
+            fi
+        fi
+    done
+}
+
 retrycmd_get_aad_access_token() {
     retries=$1; wait_sleep=$2; url=$3
     for i in $(seq 1 $retries); do
@@ -1104,4 +1128,46 @@ extract_tarball() {
     esac
 }
 
+function get_sandbox_image(){
+    sandbox_image=$(get_sandbox_image_from_containerd_config "/etc/containerd/config.toml")
+    if [ -z "$sandbox_image" ]; then
+        sandbox_image=$(extract_value_from_kubelet_flags "$KUBELET_FLAGS" "pod-infra-container-image")
+    fi
+
+    echo $sandbox_image
+}
+
+function extract_value_from_kubelet_flags(){
+    local kubelet_flags=$1
+    local key=$2
+
+    key="${key#--}"
+    value=$(echo "$kubelet_flags" | sed -n "s/.*--${key}=\([^ ]*\).*/\1/p")
+    echo "$value"
+}
+
+function get_sandbox_image_from_containerd_config() {
+    local config_file=$1
+    local sandbox_image=""
+
+    if [ ! -f "$config_file" ]; then
+        echo ""
+        return
+    fi
+
+    # Extract sandbox_image value from the CRI plugin section
+    # The sandbox_image is typically under [plugins."io.containerd.grpc.v1.cri"]
+    sandbox_image=$(awk '/sandbox_image/ && /=/ {
+        # Remove quotes and spaces
+        gsub(/[" ]/, "", $3)
+        print $3
+    }' FS='=' "$config_file")
+
+    # Alternative method if the above doesn't work
+    if [ -z "$sandbox_image" ]; then
+        sandbox_image=$(grep -E '^\s*sandbox_image\s*=' "$config_file" | sed 's/.*sandbox_image\s*=\s*"\([^"]*\)".*/\1/')
+    fi
+
+    echo "$sandbox_image"
+}
 #HELPERSEOF