With Kubernetes v1.20, the built-in dockershim was deprecated and is scheduled to be removed with v1.24. Don't Panic! The Kubernetes community has published a blogpost and an FAQ with more information.
Gardener also needs to switch from using the built-in dockershim to containerd.
Gardener will not change already running Shoot clusters. But changes to the container runtime will be coupled to the K8s version selected by the Shoot:
- Starting with K8s version 1.22, Shoots not explicitly selecting a container runtime will get
containerdinstead ofdocker. Shoots can still selectdockerexplicitly if needed. - Starting with K8s version 1.23
dockercan no longer be selected.
At this point in time, we have no plans to support other container runtimes, such as cri-o.
As a Gardener operator:
- Add
containerdanddockerto.spec.machineImages[].versions[].cri.namein your CloudProfile to allow users selecting a container runtime for their Shoots (see below).
Note: Please take a look at our detailed information regarding container runtime support in Gardener Operating System Extensions.
- Update your cloud provider extensions to avoid a node rollout when a Shoot is configured from
cri: niltocri.name: docker.
Note: Please take a look at our detailed information regarding stable Worker node hash support in Gardener Provider Extensions.
As a shoot owner:
Note: This is not only about your actual workload, but also concerns ops tooling as well as logging, monitoring, and metric agents installed on the nodes.
- Test with
containerd:- Create a new Shoot or add a Worker Pool to an existing one.
- Set
.spec.provider.workers[].cri.name: containerdfor your Shoot.
- Once testing is successful, switch to
containerdwith your production workload. You don't need to wait for kubernetes v1.22,containerdis considered production ready as of today. - If you find dependencies to
docker, set.spec.provider.workers[].cri.name: dockerexplicitly to avoid defaulting tocontainerdonce you update your Shoot to kubernetes v1.22.
- 2021-08-04: Kubernetes v1.22 released. Shoots using this version get
containerdas default container runtime. Shoots can still selectdockerexplicitly if needed. - 2021-12-07: Kubernetes v1.23 released. Shoots using this version can no longer select
dockeras container runtime. - 2022-06-28: Kubernetes v1.21 goes out of maintenance. This is the last version not affected by these changes. Make sure you have tested thoroughly and set the correct configuration for your Shoots!
- 2022-10-28: Kubernetes v1.22 goes out of maintenance. This is the last version that you can use with
dockeras container runtime. Make sure you have removed any dependencies todockeras container runtime!
See the official kubernetes documentation for the exact dates for all releases.
| Operating System | docker support | containerd support |
|---|---|---|
| GardenLinux | ✅ | >= v0.3.0 |
| Ubuntu | ✅ | >= v1.4.0 |
| SuSE CHost | ✅ | >= v1.14.0 |
| CoreOS/FlatCar | ✅ | >= v1.8.0 |
Note: If you're using a different Operating System Extension, start evaluating now if it provides support for
containerd. Please refer to our documentation of theoperatingsystemconfigcontract to understand how to supportcontainerdfor an Operating System Extension.
Upgrade to these versions to avoid a node rollout when a Shoot is configured from cri: nil to cri.name: docker.
| Provider Extension | Stable worker hash support |
|---|---|
| Alicloud | >= 1.26.0 |
| AWS | >= 1.27.0 |
| Azure | >= 1.21.0 |
| GCP | >= 1.18.0 |
| OpenStack | >= 1.21.0 |
| vSphere | >= 0.11.0 |
Note: If you're using a different Provider Extension, start evaluating now if it keeps the worker hash stable when switching from
.spec.provider.workers[].cri: nilto.spec.provider.workers[].cri.name: docker. This doesn't impact functional correctness, however, a node rollout will be triggered when users decide to configuredockerfor their shoots.