Expose full cgroups hierarchy to kubelet + runtime

Previously kubelet, docker and cri-containerd had their own individual private
sub-hierarchies at /sys/fs/cgroups. However at least kubelet needs to be able
to see the entire hosts hierarchy in order to manage things like capacity and
evictions.

It then seems to make sense for the runtime component (docker or
cri-containerd) to also see the full hierarchy.

Fixes #38.

Signed-off-by: Ian Campbell <ijc@docker.com>

Author: Ian Campbell

pkg/cri-containerd/build.yml

@@ -16,8 +16,10 @@ config:
   - /run/containerd/containerd.sock:/run/containerd/containerd.sock
   - /var/lib/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins:rshared,rbind
   mounts:
-  - type: cgroup
-    options: ["rw","nosuid","noexec","nodev","relatime"]
+  - type: bind
+    source: /sys/fs/cgroup
+    destination: /sys/fs/cgroup
+    options: ["rw","rbind","rshared","nosuid","noexec","nodev","relatime"]
   capabilities:
   - all
   rootfsPropagation: shared

pkg/kubelet/build.yml

@@ -17,8 +17,10 @@ config:
   - /var/lib/cni/conf:/etc/cni/net.d:rshared,rbind
   - /var/lib/cni/bin:/opt/cni/bin:rshared,rbind
   mounts:
-  - type: cgroup
-    options: ["rw","nosuid","noexec","nodev","relatime"]
+  - type: bind
+    source: /sys/fs/cgroup
+    destination: /sys/fs/cgroup
+    options: ["rw","rbind","rshared","nosuid","noexec","nodev","relatime"]
   capabilities:
   - all
   rootfsPropagation: shared

yml/docker.yml

@@ -5,8 +5,10 @@ services:
      - all
     pid: host
     mounts:
-     - type: cgroup
-       options: ["rw","nosuid","noexec","nodev","relatime"]
+     - type: bind
+       source: /sys/fs/cgroup
+       destination: /sys/fs/cgroup
+       options: ["rw","rbind","rshared","nosuid","noexec","nodev","relatime"]
     binds:
      - /dev:/dev
      - /etc/resolv.conf:/etc/resolv.conf