nixos/kubernetes: fix infra image pinning

All kubernetes pods have an infra container (using `pause:latest`) to
setup networking etc. This image is loaded into containerd when kubelet
starts. However, due to a misconfiguration the image can get GC-ed and
kubelet tries to pull it from Docker Hub but the image does not exist
there. This prevents any new pods from being created.

Pinning of the infra image for kubernetes is delegated to the CRI
implementation (containerd) since Kubernetes 1.29, and the
`--pod-infra-container-image` flag does nothing and will be fully
removed in 1.35.

containerd (config version 2) uses the `sandbox_image` setting to know
what images to pin. However, while it normalizes `pause:latest` to
`docker.io/library/pause:latest` in the image list, it does not
normalize the setting value when checking if the image should be pinned
or not. Using the fully qualified name in the setting is enough to make
it be correctly pinned after a full containerd restart.

0 files changed, 0 insertions, 0 deletions