What this PR does / why we need it: Vendor [email protected]

Which issue(s) this PR fixes: Part of https://github.com/gardener/gardener/issues/6567

Special notes for your reviewer:

Release note:

The following dependency is updated:
- github.com/gardener/machine-controller-manager v0.45.0 -> 0.47.0

What this PR does / why we need it: Bump kindest/node to v1.21.12. This implicitly upgrades the containerd version which itself upgrades the version of the github.com/imdario/mergo dependency which fixes https://github.com/imdario/mergo/issues/90 which is required to properly import additional containerd configuration.

Otherwise, the Machine object might already disappear from the system while the "backing VM" (aka the Pod) still exists. This can lead to interesting situations (e.g. we saw that the Node of a deleted machine was re-registered after deletion).

Related to https://github.com/gardener/gardener/issues/5895

ref https://github.com/gardener/gardener/blob/master/docs/extensions/operatingsystemconfig.md#contract-operatingsystemconfig-resource

/invite @timebertt

What happened: machine-controller-manager-provider-local node image build fails with:

#10 [linux/amd64 2/9] RUN apt-get update -yq &&     apt-get install -yq --no-install-recommends wget apparmor apparmor-utils jq
#0 0.193 Ign:1 http://security.ubuntu.com/ubuntu impish-security InRelease
#0 0.210 Err:2 http://security.ubuntu.com/ubuntu impish-security Release
#0 0.210   404  Not Found [IP: 91.189.91.39 80]
#0 0.318 Ign:3 http://archive.ubuntu.com/ubuntu impish InRelease
#0 0.396 Ign:4 http://archive.ubuntu.com/ubuntu impish-updates InRelease
...
#0 0.711 Err:8 http://archive.ubuntu.com/ubuntu impish-backports Release
#0 0.712   404  Not Found [IP: 185.125.190.39 80]
#0 0.719 Reading package lists...
#0 0.725 E: The repository 'http://security.ubuntu.com/ubuntu impish-security Release' does not have a Release file.
#0 0.726 E: The repository 'http://archive.ubuntu.com/ubuntu impish Release' does not have a Release file.
#0 0.728 E: The repository 'http://archive.ubuntu.com/ubuntu impish-updates Release' does not have a Release file.
#0 0.728 E: The repository 'http://archive.ubuntu.com/ubuntu impish-backports Release' does not have a Release file.
#10 ERROR: process "/bin/sh -c apt-get update -yq &&     apt-get install -yq --no-install-recommends wget apparmor apparmor-utils jq" did not complete successfully: exit code: 100
------

Ref This is due to https://github.com/kubernetes-sigs/kind/issues/2863, and it is fixed in the kindest/node:v1.25.0 image but we cannot use this yet because of https://github.com/gardener/gardener/issues/5325

What you expected to happen: Node image build to be successful.

How to reproduce it (as minimally and precisely as possible): Run docker build -t test:v1 ./node/. locally with the current kind image (https://github.com/gardener/machine-controller-manager-provider-local/blob/c85c4eaf942d87fa1cb694d6df79016c5ffe28e2/node/Dockerfile#L1). and see it fail on step: https://github.com/gardener/machine-controller-manager-provider-local/blob/c85c4eaf942d87fa1cb694d6df79016c5ffe28e2/node/Dockerfile#L6-L7 with the above error.

Run again with kindest/node:v1.25.0 and see it passes. Anything else we need to know:

Environment:

After restarting the docker deamon on my local machine and subsequent reconciliation of the local Shoot, I observed that the pod representing the Shoot's machine reported the following event:

Warning  Unhealthy  2m36s (x543 over 92m)  kubelet  Readiness probe failed: sh: 1: /opt/bin/kubectl: not found

Relevant MCM logs

• it seems like the machine was detected as orphaned and terminated

I0321 10:37:11.826964       1 machine_safety.go:297] SafetyController: Orphan VM found and terminated VM: machine-shoot--local--local-local-58d9b-dvnb7, machine-shoot--local--local-local-58d9b-dvnb7
I0321 10:37:11.827059       1 machine_safety.go:68] reconcileClusterMachineSafetyOrphanVMs: End, reSync-Period: 30m0s
W0321 10:42:20.627178       1 warnings.go:70] policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
I0321 10:43:14.405600       1 machine_util.go:554] Conditions of Machine "shoot--local--local-local-58d9b-dvnb7" with providerID "machine-shoot--local--local-local-58d9b-dvnb7" and backing node "machine-shoot--local--local-local-58d9b-dvnb7" are changing
W0321 10:43:14.405711       1 machine_util.go:562] Machine shoot--local--local-local-58d9b-dvnb7 is unhealthy - changing MachineState to Unknown
I0321 10:43:14.417333       1 machine_util.go:715] Machine State has been updated for "shoot--local--local-local-58d9b-dvnb7" with providerID "machine-shoot--local--local-local-58d9b-dvnb7" and backing node "machine-shoot--local--local-local-58d9b-dvnb7"
W0321 10:47:40.397396       1 warnings.go:70] policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
W0321 10:52:48.194677       1 warnings.go:70] policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
E0321 10:53:29.006090       1 machine_util.go:688] Machine shoot--local--local-local-58d9b-dvnb7 is not healthy since 10m0s minutes. Changing status to failed. Node Conditions: [{Type:KernelDeadlock Status:False LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:18 +0000 UTC Reason:KernelHasNoDeadlock Message:kernel has no deadlock} {Type:ReadonlyFilesystem Status:False LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:18 +0000 UTC Reason:FilesystemIsNotReadOnly Message:Filesystem is not read-only} {Type:FrequentKubeletRestart Status:Unknown LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:20 +0000 UTC Reason:NoFrequentKubeletRestart Message:error watching journald: failed to stat the log path "/var/log/journal": stat /v} {Type:FrequentDockerRestart Status:Unknown LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:21 +0000 UTC Reason:NoFrequentDockerRestart Message:error watching journald: failed to stat the log path "/var/log/journal": stat /v} {Type:FrequentContainerdRestart Status:Unknown LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:21 +0000 UTC Reason:NoFrequentContainerdRestart Message:error watching journald: failed to stat the log path "/var/log/journal": stat /v} {Type:FrequentUnregisterNetDevice Status:Unknown LastHeartbeatTime:2022-03-18 18:37:41 +0000 UTC LastTransitionTime:2022-03-18 14:02:20 +0000 UTC Reason:NoFrequentUnregisterNetDevice Message:error watching journald: failed to stat the log path "/var/log/journal": stat /v} {Type:MemoryPressure Status:Unknown LastHeartbeatTime:2022-03-18 18:38:04 +0000 UTC LastTransitionTime:2022-03-21 10:43:14 +0000 UTC Reason:NodeStatusUnknown Message:Kubelet stopped posting node status.} {Type:DiskPressure Status:Unknown LastHeartbeatTime:2022-03-18 18:38:04 +0000 UTC LastTransitionTime:2022-03-21 10:43:14 +0000 UTC Reason:NodeStatusUnknown Message:Kubelet stopped posting node status.} {Type:PIDPressure Status:Unknown LastHeartbeatTime:2022-03-18 18:38:04 +0000 UTC LastTransitionTime:2022-03-21 10:43:14 +0000 UTC Reason:NodeStatusUnknown Message:Kubelet stopped posting node status.} {Type:Ready Status:Unknown LastHeartbeatTime:2022-03-18 18:38:04 +0000 UTC LastTransitionTime:2022-03-21 10:43:14 +0000 UTC Reason:NodeStatusUnknown Message:Kubelet stopped posting node status.}]

I suspect that it is related to the docker deamon restart, but I was unable to investigate the issue as the machine was replaced by the MCM - will update this issue if it happens again.

Currently the machine objects are deployed in the shoot namespace in the seed. This is not compatible with the control plane migration, because at the end of the migration that namespace is deleted and with it all machine objects. This is not desired in a scenario with control plane migration, so the the machine objects should be created in a different namespace, most probably dedicated only for them.

cc @plkokanov @rfranzke