helm-charts
Migrate from deprecated CRI v1alpha2 API to v1, prepare for containerd 2.0
Description
v1.33 of GKE will move to containerd 2.0 which does not support v1alpha2 of the CRI API. Google identified these daemonsets as mounting a volume using a path on which the containerd socket could be reached:
- /var
- /
- /run/containerd/containerd.sock
Merely mounting these paths is not a definitive indicator that v1alpha2 of the CRI API is actually used; it just indicates that these daemonsets potentially use the API and therefore potentially use the deprecated version of the API. GKE can tell the v1alpha2 API is being called, but it can't tell definitively which workload is calling the API. It's using this path mechanism as a best guess.
See Google's doc about migrating to containerd 2.0 here.
Acceptance Criteria
- Migrate to v1 of the CRI API
- OR confirm that v1alpha2 of the CRI API is not used
Design Consideration/Limitations
This will make the nri-bundle chart compatible with an upcoming release of GKE, which is scheduled for late April 2025. See Kubernetes release summary here. GKE will block the upgrade to v1.33 until the v1alpha2 API is no longer in use.
Dependencies
N/A
Additional context
As of newrelic/nri-bundle chart version 5.0.115
https://new-relic.atlassian.net/browse/NR-385433
Hi @yvjessestephens - thank you for reporting this issue! This looks to be a false positive due to us mounting the containerd socket for our workloads. We verified this for a similar report from another customer using our integration in their GKE cluster around the beginning of September - here is the command output for that investigation:
Verified presence of the mounted containerd socket:
```
kubectl get pods --all-namespaces -o json | \
jq -r '
[
  "/", "/var", "/var/","/var/run", "/var/run/",
  "/var/run/containerd", "/var/run/containerd/", "/var/run/containerd/containerd.sock",
  "/run", "/run/", "/run/containerd", "/run/containerd/",
  "/run/containerd/containerd.sock"
] as $socket_paths |
[
  "kube-system", "kube-node-lease", "istio-system", "asm-system",
  "gatekeeper-system", "config-management-system", "config-management-monitoring",
  "cnrm-system", "hnc-system", "gke-managed-system", "gke-gmp-system",
  "gmp-system", "gke-managed-cim"
] as $excluded_namespaces |
.items[] |
select(
  (.spec.volumes[]?.hostPath.path as $p | $socket_paths | index($p))
  and
  ([.metadata.namespace] | inside($excluded_namespaces) | not)
) |
.metadata.namespace + "/" + .metadata.name
'
```

```
newrelic/newrelic-bundle-newrelic-logging-v2khj
newrelic/newrelic-bundle-newrelic-logging-zg5wg
newrelic/newrelic-bundle-nrk8s-kubelet-99vf6
newrelic/newrelic-bundle-nrk8s-kubelet-99vf6
newrelic/newrelic-bundle-nrk8s-kubelet-lbs88
newrelic/newrelic-bundle-nrk8s-kubelet-lbs88
```
The GKE documentation for migrating away from the deprecated API explicitly states that this isn’t enough to confirm usage of the API, which you also note in the issue description.
Using some resources from k8s-node-tools/containerd/socket-tracer at master · GoogleCloudPlatform/k8s-node-tools, I was able to further verify that we do not use the deprecated v1alpha2 API.
```
time="2025-09-05T20:34:18Z" msg="checking for CRI v1alpha2 API deprecation warnings" node="gke-kondracek-cri-kondracek-cri-l-e8b32679-7qq6"
time="2025-09-05T20:34:18Z" msg="CRI v1alpha2 API deprecation warning not found on this node" node="gke-kondracek-cri-kondracek-cri-l-e8b32679-7qq6"
time="2025-09-05T20:35:18Z" msg="CRI v1alpha2 API deprecation warning not found on this node" node="gke-kondracek-cri-kondracek-cri-l-e8b32679-7qq6"
time="2025-09-05T20:36:18Z" msg="CRI v1alpha2 API deprecation warning not found on this node" node="gke-kondracek-cri-kondracek-cri-l-e8b32679-7qq6"
time="2025-09-05T20:37:18Z" msg="CRI v1alpha2 API deprecation warning not found on this node" node="gke-kondracek-cri-kondracek-cri-l-e8b32679-7qq6"
```
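
The mount-path heuristic from the jq filter in the comment above, as an added example (not code from New Relic or Google): it generalizes the path list to "any hostPath that is a containerd socket or one of its parent directories" and reports each pod once, together with the paths that matched. The pod names in `SAMPLE` are constructed; the socket paths and excluded namespaces are the ones in the jq filter.

```python
from pathlib import PurePosixPath

# Socket locations and excluded namespaces as listed in the jq filter above.
SOCKETS = [PurePosixPath("/run/containerd/containerd.sock"),
           PurePosixPath("/var/run/containerd/containerd.sock")]
EXCLUDED_NAMESPACES = {
    "kube-system", "kube-node-lease", "istio-system", "asm-system",
    "gatekeeper-system", "config-management-system",
    "config-management-monitoring", "cnrm-system", "hnc-system",
    "gke-managed-system", "gke-gmp-system", "gmp-system", "gke-managed-cim"}

def exposes_socket(host_path):
    """True if host_path is a containerd socket or one of its parent dirs."""
    p = PurePosixPath(host_path)  # drops a trailing slash: "/var/" == "/var"
    return any(p == s or p in s.parents for s in SOCKETS)

def flagged_pods(pod_list):
    """Map "namespace/name" -> sorted hostPaths that could reach the socket."""
    flagged = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("namespace") in EXCLUDED_NAMESPACES:
            continue
        paths = set()
        for vol in pod.get("spec", {}).get("volumes") or []:
            host_path = (vol.get("hostPath") or {}).get("path")
            if host_path and exposes_socket(host_path):
                paths.add(host_path)
        if paths:
            flagged[f"{meta.get('namespace')}/{meta.get('name')}"] = sorted(paths)
    return flagged

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "agent-a"},
     "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}},
                          {"name": "run", "hostPath": {"path": "/var/run/"}},
                          {"name": "tmp", "emptyDir": {}}]}},
    {"metadata": {"namespace": "monitoring", "name": "agent-b"},
     "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}},
    {"metadata": {"namespace": "kube-system", "name": "node-x"},
     "spec": {"volumes": [{"name": "sock", "hostPath":
                           {"path": "/run/containerd/containerd.sock"}}]}},
]}

if __name__ == "__main__":
    for pod, paths in flagged_pods(SAMPLE).items():
        print(pod, "->", ", ".join(paths))
```

A match here means only that the socket is reachable from the pod; as the thread notes, it does not show which CRI API version, if any, the workload calls.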