kubelet: skip setting the devices cgroup

use the new libcontainer feature of skipping setting the devices
cgroup.  This is necessary on cgroup v2 to avoid leaking a eBPF
program every time the cgroup is re-configured.

Signed-off-by: Giuseppe Scrivano <[email protected]>

Author: giuseppe

pkg/kubelet/cm/cgroup_manager_linux.go

@@ -495,6 +495,7 @@ func setResourcesV2(cgroupConfig *libcontainerconfigs.Cgroup) error {
 			Major:       libcontainerconfigs.Wildcard,
 		},
 	}
+	cgroupConfig.Resources.SkipDevices = true
 
 	manager, err := cgroupfs2.NewManager(cgroupConfig, cgroupConfig.Path, false)
 	if err != nil {
@@ -517,6 +518,7 @@ func (m *cgroupManagerImpl) toResources(resourceConfig *ResourceConfig) *libcont
 				Major:       libcontainerconfigs.Wildcard,
 			},
 		},
+		SkipDevices: true,
 	}
 	if resourceConfig == nil {
 		return resources

pkg/kubelet/cm/container_manager_linux.go

@@ -384,6 +384,7 @@ func createManager(containerName string) (cgroups.Manager, error) {
 					Major:       configs.Wildcard,
 				},
 			},
+			SkipDevices: true,
 		},
 	}
 

pkg/kubelet/dockershim/cm/container_manager_linux.go

@@ -123,8 +123,9 @@ func createCgroupManager(name string) (cgroups.Manager, error) {
 		Parent: "/",
 		Name:   name,
 		Resources: &configs.Resources{
-			Memory:     int64(memoryLimit),
-			MemorySwap: -1,
+			Memory:      int64(memoryLimit),
+			MemorySwap:  -1,
+			SkipDevices: true,
 			Devices: []*configs.DeviceRule{
 				{
 					Minor:       configs.Wildcard,