k8s releases
Releases | Kubernetes (https://kubernetes.io/zh-cn/releases/)
Download Kubernetes | Kubernetes (https://kubernetes.io/zh-cn/releases/download/)
Is Your Cluster Ready for v1.24?
By Kat Cosgrove | Thursday, March 31, 2022
Way back in December of 2020, Kubernetes announced the deprecation of Dockershim. In Kubernetes, dockershim is a software shim that allows you to use the entire Docker engine as your container runtime within Kubernetes. In the upcoming v1.24 release, we are removing Dockershim; the delay between deprecation and removal is in line with the project’s policy of supporting features for at least one year after deprecation. If you are a cluster operator, this guide covers the practical realities of what you need to know going into this release, and what you need to do to ensure your cluster doesn’t fall over.
First, does this even affect you?
If you are rolling your own cluster or are otherwise unsure whether or not this removal affects you, stay on the safe side and check to see if you have any dependencies on Docker Engine. Please note that using Docker Desktop to build your application containers is not a Docker dependency for your cluster. Container images created by Docker are compliant with the Open Container Initiative (OCI), a Linux Foundation governance structure that defines industry standards around container formats and runtimes. They will work just fine on any container runtime supported by Kubernetes.
If you are using a managed Kubernetes service from a cloud provider, and you haven’t explicitly changed the container runtime, there may be nothing else for you to do. Amazon EKS, Azure AKS, and Google GKE all default to containerd now, though you should make sure they do not need updating if you have any node customizations. To check the runtime of your nodes, follow Find Out What Container Runtime is Used on a Node.
Regardless of whether you are rolling your own cluster or using a managed Kubernetes service from a cloud provider, you may need to migrate telemetry or security agents that rely on Docker Engine.
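The two checks described above (which nodes still report Docker Engine as their runtime, and which workloads may depend on it) can be run against saved `kubectl get nodes -o json` and `kubectl get pods -A -o json` output. This is an added example, not code from the original post or the Kubernetes project; treating a hostPath mount of the Docker socket as a sign of a Docker Engine dependency is a heuristic assumed here, and the sample data is constructed.

```python
import json
import sys

# Heuristic (assumption of this example): agents that talk to Docker Engine mount its socket.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def docker_nodes(nodes):
    """Return {node name: runtime} for nodes whose kubelet reports Docker Engine."""
    found = {}
    for item in nodes.get("items", []):
        info = item.get("status", {}).get("nodeInfo", {})
        runtime = info.get("containerRuntimeVersion", "")
        if runtime.startswith("docker://"):
            found[item["metadata"]["name"]] = runtime
    return found

def docker_socket_pods(pods):
    """Return sorted namespace/name of pods with a hostPath volume on the Docker socket."""
    hits = set()
    for item in pods.get("items", []):
        for vol in item.get("spec", {}).get("volumes", []):
            path = (vol.get("hostPath") or {}).get("path", "").rstrip("/")
            if path in DOCKER_SOCKETS:
                meta = item["metadata"]
                hits.add(f'{meta.get("namespace", "default")}/{meta["name"]}')
    return sorted(hits)

# Constructed sample data, shaped like the kubectl JSON output (not from a real cluster).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.12"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.2"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "log-agent-x7k2p"},
     "spec": {"volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"metadata": {"namespace": "default", "name": "web-5d9c"},
     "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "web"}}]}},
]}

if __name__ == "__main__":
    # Usage: python check_docker_deps.py nodes.json pods.json (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as n, open(sys.argv[2]) as p:
            nodes, pods = json.load(n), json.load(p)
    else:
        nodes, pods = SAMPLE_NODES, SAMPLE_PODS
    print("Nodes on Docker Engine:", docker_nodes(nodes))
    print("Pods mounting the Docker socket:", docker_socket_pods(pods))
```

A pod flagged here is a candidate for review, not proof of a dependency; agents can also reach Docker Engine in ways this check does not see.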
I have a Docker dependency. What now?
If your Kubernetes cluster depends on Docker Engine and you intend to upgrade to Kubernetes v1.24 (which you should eventually do for security and similar reasons), you will need to change your container runtime from Docker Engine to something else or use cri-dockerd. Since containerd is a graduated CNCF project and the runtime within Docker itself, it’s a safe bet as an alternative container runtime. Fortunately, the Kubernetes project has already documented the process of changing a node’s container runtime, using containerd as an example. Instructions are similar for switching to one of the other supported runtimes.
I want to upgrade Kubernetes, and I need to maintain compatibility with Docker as a runtime. What are my options?
Fear not, you aren’t being left out in the cold and you don’t have to take the security risk of staying on an old version of Kubernetes. Mirantis and Docker have jointly released, and are maintaining, a replacement for dockershim. That replacement is called cri-dockerd. If you do need to maintain compatibility with Docker as a runtime, install cri-dockerd following the instructions in the project’s documentation.
Is that it?
Yes. As long as you go into this release aware of the changes being made and the details of your own clusters, and you make sure to communicate clearly with your development teams, it will be minimally dramatic. You may have some changes to make to your cluster, application code, or scripts, but all of these requirements are documented. Switching from using Docker Engine as your runtime to using one of the other supported container runtimes effectively means removing the middleman, since the purpose of dockershim is to access the container runtime used by Docker itself. From a practical perspective, this removal is better both for you and for Kubernetes maintainers in the long run.
If you still have questions, please first check the Dockershim Removal FAQ.