From 7dd02e9964e313bd5044738e152b36aca2d2a0f4 Mon Sep 17 00:00:00 2001
From: Thomas Dy
Date: Mon, 15 Dec 2025 16:15:07 +0900
Subject: [PATCH] nixos/kubernetes: fix infra image pinning

All kubernetes pods have an infra container (using `pause:latest`) to setup networking etc. This image is loaded into containerd when kubelet starts. However, due to a misconfiguration the image can get GC-ed and kubelet tries to pull it from Docker Hub but the image does not exist there. This prevents any new pods from being created.

Pinning of the infra image for kubernetes is delegated to the CRI implementation (containerd) since Kubernetes 1.29, and the `--pod-infra-container-image` flag does nothing and will be fully removed in 1.35.

containerd (config version 2) uses the `sandbox_image` setting to know what images to pin. However, while it normalizes `pause:latest` to `docker.io/library/pause:latest` in the image list, it does not normalize the setting value when checking if the image should be pinned or not. Using the fully qualified name in the setting is enough to make it be correctly pinned after a full containerd restart.
---
 nixos/modules/services/cluster/kubernetes/default.nix | 2 +-
 nixos/modules/services/cluster/kubernetes/kubelet.nix | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index b29c8ece73214..2c64cbafa4ece 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -20,7 +20,7 @@ let
     };
 
     plugins."io.containerd.grpc.v1.cri" = {
-      sandbox_image = "pause:latest";
+      sandbox_image = "docker.io/library/pause:latest";
 
       cni = {
         bin_dir = "/opt/cni/bin";
diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index 46e7c7c2550a1..9290ba8e72377 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -371,7 +371,6 @@ in
           --hostname-override=${cfg.hostname} \
           --kubeconfig=${kubeconfig} \
           ${optionalString (cfg.nodeIp != null) "--node-ip=${cfg.nodeIp}"} \
-          --pod-infra-container-image=pause \
           ${optionalString (cfg.manifests != { }) "--pod-manifest-path=/etc/${manifestPath}"} \
           ${optionalString (taints != "") "--register-with-taints=${taints}"} \
           --root-dir=${top.dataDir} \
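Review bot: The new `sandbox_image` value reads like a cosmetic rename, but the commit description says the fully qualified form is what makes containerd's pin check match the normalized entry in its image list; nothing in the file records that, so a later cleanup could shorten it back to `pause:latest` and silently reintroduce the infra image being garbage-collected and new pods failing to start. A comment on the line above the setting would keep the reason with the value, e.g. `# Must be fully qualified: containerd normalizes names in its image list but not this setting when deciding what to pin, so "pause:latest" is never matched.` The description also says the image is loaded into containerd when kubelet starts; if that import registers it under a reference other than `docker.io/library/pause:latest`, the pin would presumably still not match, which is worth confirming against the unit that performs the load. The enclosing containerd settings attribute set starts and ends outside the hunk.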