kubernetes: force cri sandbox image

3 files changed, 4 insertions, 1 deletions

diff --git a/roles/kubernetes/base/defaults/main.yml b/roles/kubernetes/base/defaults/main.yml
index af48181c..2b69fb5e 100644
--- a/roles/kubernetes/base/defaults/main.yml
+++ b/roles/kubernetes/base/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
 kubernetes_cri_tools_pkg_version: "{{ ([0, 1] | map('extract', kubernetes_version.split('.'))) | join('.') }}.0-00"
+
+kubernetes_cri_sandbox_image: "registry.k8s.io/pause:3.9"
diff --git a/roles/kubernetes/base/tasks/cri_containerd.yml b/roles/kubernetes/base/tasks/cri_containerd.yml
index e13799b0..cf8adc4e 100644
--- a/roles/kubernetes/base/tasks/cri_containerd.yml
+++ b/roles/kubernetes/base/tasks/cri_containerd.yml
@@ -11,6 +11,7 @@
       plugins:
         "io.containerd.grpc.v1.cri":
           disable_apparmor: true
+          sandbox_image: "{{ kubernetes_cri_sandbox_image }}"
           containerd:
             runtimes:
               runc:
diff --git a/roles/kubernetes/base/templates/cri-docker.service.j2 b/roles/kubernetes/base/templates/cri-docker.service.j2
index 14f21a7c..2ccdc5bc 100644
--- a/roles/kubernetes/base/templates/cri-docker.service.j2
+++ b/roles/kubernetes/base/templates/cri-docker.service.j2
@@ -9,7 +9,7 @@ StartLimitIntervalSec=60s
 
 [Service]
 Type=notify
-ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d
+ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d --pod-infra-container-image "{{ kubernetes_cri_sandbox_image }}"
 ExecReload=/bin/kill -s HUP $MAINPID
 TimeoutSec=0
 RestartSec=2