cri: pull on fix for selinux relabel of /dev/shm (#2485)

see https://github.com/rancher/cri/pull/7 addresses https://github.com/rancher/k3s/issues/2240 for 1.18 backport of https://github.com/rancher/k3s/pull/2478 to 1.3.x Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-11-09 10:19:37 -07:00 · 2020-11-09 10:19:37 -07:00 · f92c04868f
parent a095b455f6
commit f92c04868f
20 changed files with 368 additions and 177 deletions
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ replace (
 	github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 	github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2
 	github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
-	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.6
+	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.8 // k3s-release/1.3
 	github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
 	github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
 	github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
--- a/go.sum
+++ b/go.sum
@ -410,7 +410,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 h1:cAv7ZbSmyb1wjn6T4TIiyFCkpcfgpbcNNC3bM2srLaI=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@ -622,8 +624,8 @@ github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODl
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
 github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A=
 github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
-github.com/rancher/cri v1.3.0-k3s.6 h1:jeom53pNYUJHlZBHpax8vpQeBoW19vSVGAQn9jPyIcc=
+github.com/rancher/cri v1.3.0-k3s.8 h1:qUdbZ6n3hAg3ImloQ6FMOtG8CG/JMNZ8vSuL47BCABA=
-github.com/rancher/cri v1.3.0-k3s.6/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
+github.com/rancher/cri v1.3.0-k3s.8/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
 github.com/rancher/cri-tools v1.18.0-k3s1 h1:pLYthxpSu6k3Up9tNAMA0MK2ERqB6FC1sZQPRSW1qSg=
 github.com/rancher/cri-tools v1.18.0-k3s1/go.mod h1:Ij/GWNRcEDP6zVN6eQpvN/s0nhuJVtPQFy7RAdl+Wu8=
 github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk=
--- a/vendor/github.com/containerd/cri/Makefile
+++ b/vendor/github.com/containerd/cri/Makefile
@ -1,23 +1,27 @@
-# Copyright 2018 The containerd Authors.
+#   Copyright The containerd Authors.
-#
+
-# Licensed under the Apache License, Version 2.0 (the "License");
+#   Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
+#   you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+#   You may obtain a copy of the License at
-#
+
-#     http://www.apache.org/licenses/LICENSE-2.0
+#       http://www.apache.org/licenses/LICENSE-2.0
-#
+
-# Unless required by applicable law or agreed to in writing, software
+#   Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
+#   distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
+#   See the License for the specific language governing permissions and
-# limitations under the License.
+#   limitations under the License.
 GO := go
 GOOS := $(shell $(GO) env GOOS)
 GOARCH := $(shell $(GO) env GOARCH)
-WHALE = "🇩"
+WHALE := "🇩"
-ONI = "👹"
+ONI := "👹"
-EPOCH_TEST_COMMIT := f9e02affccd51702191e5312665a16045ffef8ab
+ifeq ($(GOOS),windows)
 	WHALE = "+"
 	ONI = "-"
 endif
 EPOCH_TEST_COMMIT := 67de3e4ccf2b2a69b8398798af7cfca01abf7a7e
 PROJECT := github.com/containerd/cri
 BINDIR := ${DESTDIR}/usr/local/bin
 BUILD_DIR := _output
@ -26,35 +30,39 @@ BUILD_DIR := _output
 VERSION := $(shell git rev-parse --short HEAD)
 TARBALL_PREFIX := cri-containerd
 TARBALL := $(TARBALL_PREFIX)-$(VERSION).$(GOOS)-$(GOARCH).tar.gz
-BUILD_TAGS := seccomp apparmor
+ifneq ($(GOOS),windows)
 	BUILD_TAGS := seccomp apparmor selinux no_btrfs
 endif
 export BUILDTAGS := $(BUILD_TAGS)
 # Add `-TEST` suffix to indicate that all binaries built from this repo are for test.
 GO_LDFLAGS := -X $(PROJECT)/vendor/github.com/containerd/containerd/version.Version=$(VERSION)-TEST
 SOURCES := $(shell find cmd/ pkg/ vendor/ -name '*.go')
 PLUGIN_SOURCES := $(shell ls *.go)
 INTEGRATION_SOURCES := $(shell find integration/ -name '*.go')
 CONTAINERD_BIN := containerd
 ifeq ($(GOOS),windows)
 	CONTAINERD_BIN := $(CONTAINERD_BIN).exe
 endif
 all: binaries
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9._-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort
-verify: lint gofmt boiler check-vendor ## execute the source code verification tools
+verify: lint gofmt check-vendor ## execute the source code verification tools
 version: ## print current cri plugin release version
 	@echo $(VERSION)
 lint:
 	@echo "$(WHALE) $@"
-	golangci-lint run --skip-files .*_test.go
+	golangci-lint run
 gofmt:
 	@echo "$(WHALE) $@"
 	@./hack/verify-gofmt.sh
 boiler:
 	@echo "$(WHALE) $@"
 	@./hack/verify-boilerplate.sh
 check-vendor:
 	@echo "$(WHALE) $@"
 	@./hack/verify-vendor.sh
@ -72,7 +80,7 @@ sync-vendor:
 update-vendor: sync-vendor sort-vendor ## Syncs containerd/vendor.conf -> vendor.conf and sorts vendor.conf
 	@echo "$(WHALE) $@"
-$(BUILD_DIR)/containerd: $(SOURCES) $(PLUGIN_SOURCES)
+$(BUILD_DIR)/$(CONTAINERD_BIN): $(SOURCES) $(PLUGIN_SOURCES)
 	@echo "$(WHALE) $@"
 	$(GO) build -o $@ \
 		-tags '$(BUILD_TAGS)' \
@ -84,7 +92,7 @@ test: ## unit test
 	@echo "$(WHALE) $@"
 	$(GO) test -timeout=10m -race ./pkg/... \
 		-tags '$(BUILD_TAGS)' \
-	        -ldflags '$(GO_LDFLAGS)' \
+		-ldflags '$(GO_LDFLAGS)' \
 		-gcflags '$(GO_GCFLAGS)'
 $(BUILD_DIR)/integration.test: $(INTEGRATION_SOURCES)
@ -107,29 +115,34 @@ clean: ## cleanup binaries
 	@echo "$(WHALE) $@"
 	@rm -rf $(BUILD_DIR)/*
-binaries: $(BUILD_DIR)/containerd ## build a customized containerd (same result as make containerd)
+binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd (same result as make containerd)
 	@echo "$(WHALE) $@"
 static-binaries: GO_LDFLAGS += -extldflags "-fno-PIC -static"
-static-binaries: $(BUILD_DIR)/containerd ## build static containerd
+static-binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build static containerd
 	@echo "$(WHALE) $@"
-containerd: $(BUILD_DIR)/containerd ## build a customized containerd with CRI plugin for testing
+containerd: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd with CRI plugin for testing
 	@echo "$(WHALE) $@"
 install-containerd: containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"
-	@install -D -m 755 $(BUILD_DIR)/containerd $(BINDIR)/containerd
+	@install -D -m 755 $(BUILD_DIR)/$(CONTAINERD_BIN) "$(BINDIR)/$(CONTAINERD_BIN)"
 install: install-containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"
 uninstall: ## remove containerd from system location
 	@echo "$(WHALE) $@"
-	@rm -f $(BINDIR)/containerd
+	@rm -f "$(BINDIR)/$(CONTAINERD_BIN)"
 ifeq ($(GOOS),windows)
 $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf
 	@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release-windows.sh
 else
 $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf
 	@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release.sh
 endif
 release: $(BUILD_DIR)/$(TARBALL) ## build release tarball
@ -142,22 +155,29 @@ proto: ## update protobuf of the cri plugin api
 	@API_PATH=pkg/api/v1 hack/update-proto.sh
 	@API_PATH=pkg/api/runtimeoptions/v1 hack/update-proto.sh
-.PHONY: install.deps
+.PHONY: install.deps .install.deps.linux .install.deps.windows
-install.deps: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build)
+ifeq ($(GOOS),windows)
 install.deps: .install.deps.windows ## install windows deps on windows
 else
 install.deps: .install.deps.linux ## install windows deps on linux
 endif
 .install.deps.linux: ## install dependencies of cri
 	@echo "$(WHALE) $@"
 	@./hack/install/install-deps.sh
 .install.deps.windows: ## install dependencies of cri on windows
 	@echo "$(WHALE) $@"
 	@./hack/install/windows/install-deps.sh
 .PHONY: .gitvalidation
-# When this is running in travis, it will only check the travis commit range.
+# make .gitvalidation is only used localy for manual testing
-# When running outside travis, it will check from $(EPOCH_TEST_COMMIT)..HEAD.
+# requires a clone of github.com/containerd/project
 # containerd/project DCO validation runs automatically with github actions in ci.yml for each pull
 .gitvalidation:
 	@echo "$(WHALE) $@"
-ifeq ($(TRAVIS),true)
+	DCO_VERBOSITY=-v DCO_RANGE=$(EPOCH_TEST_COMMIT)..HEAD ../project/script/validate/dco
 	git-validation -q -run DCO,short-subject
 else
 	git-validation -v -run DCO,short-subject -range $(EPOCH_TEST_COMMIT)..HEAD
 endif
 .PHONY: install.tools .install.gitvalidation .install.golangci-lint .install.vndr
@ -186,7 +206,6 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in
 	install-containerd \
 	release \
 	push \
 	boiler \
 	clean \
 	default \
 	gofmt \
--- a/vendor/github.com/containerd/cri/cri.go
+++ b/vendor/github.com/containerd/cri/cri.go
@ -63,6 +63,10 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	ic.Meta.Exports = map[string]string{"CRIVersion": constants.CRIVersion}
 	ctx := ic.Context
 	pluginConfig := ic.Config.(*criconfig.PluginConfig)
 	if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil {
 		return nil, errors.Wrap(err, "invalid plugin config")
 	}
 	c := criconfig.Config{
 		PluginConfig:       *pluginConfig,
 		ContainerdRootDir:  filepath.Dir(ic.Root),
@ -72,10 +76,6 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	}
 	log.G(ctx).Infof("Start cri plugin with config %+v", c)
 	if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil {
 		return nil, errors.Wrap(err, "invalid plugin config")
 	}
 	if err := setGLogLevel(); err != nil {
 		return nil, errors.Wrap(err, "failed to set glog level")
 	}
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@ -122,9 +122,10 @@ type AuthConfig struct {
 // TLSConfig contains the CA/Cert/Key used for a registry
 type TLSConfig struct {
-	CAFile   string `toml:"ca_file" json:"caFile"`
+	InsecureSkipVerify bool   `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
-	CertFile string `toml:"cert_file" json:"certFile"`
+	CAFile             string `toml:"ca_file" json:"caFile"`
-	KeyFile  string `toml:"key_file" json:"keyFile"`
+	CertFile           string `toml:"cert_file" json:"certFile"`
 	KeyFile            string `toml:"key_file" json:"keyFile"`
 }
 // Registry is registry settings configured
--- a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go
+++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go
@ -0,0 +1,88 @@
 /*
 Copyright The containerd Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 /*
   Copyright The runc Authors.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 */
 package seccomp
 import (
 	"bufio"
 	"os"
 	"strings"
 	"golang.org/x/sys/unix"
 )
 // IsEnabled returns if the kernel has been configured to support seccomp.
 // From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
 func IsEnabled() bool {
 	// Try to read from /proc/self/status for kernels > 3.8
 	s, err := parseStatusFile("/proc/self/status")
 	if err != nil {
 		// Check if Seccomp is supported, via CONFIG_SECCOMP.
 		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
 			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
 			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
 				return true
 			}
 		}
 		return false
 	}
 	_, ok := s["Seccomp"]
 	return ok
 }
 // parseStatusFile is from https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L243-L268
 func parseStatusFile(path string) (map[string]string, error) {
 	f, err := os.Open(path)
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	s := bufio.NewScanner(f)
 	status := make(map[string]string)
 	for s.Scan() {
 		text := s.Text()
 		parts := strings.Split(text, ":")
 		if len(parts) <= 1 {
 			continue
 		}
 		status[parts[0]] = parts[1]
 	}
 	if err := s.Err(); err != nil {
 		return nil, err
 	}
 	return status, nil
 }
--- a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go
+++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go
@ -0,0 +1,23 @@
 // +build !linux
 /*
 Copyright The containerd Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package seccomp
 func IsEnabled() bool {
 	return false
 }
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@ -39,6 +39,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
@ -182,7 +183,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 	}
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(spec.Process.SelinuxLabel)
+			selinux.ReleaseLabel(spec.Process.SelinuxLabel)
 		}
 	}()
@ -379,11 +380,13 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	specOpts = append(specOpts, oci.WithEnv(env))
 	securityContext := config.GetLinux().GetSecurityContext()
-	labelOptions := toLabel(securityContext.GetSelinuxOptions())
+	labelOptions, err := toLabel(securityContext.GetSelinuxOptions())
-	if len(labelOptions) == 0 {
+	if err != nil {
-		// Use pod level SELinux config
+		return nil, err
 	}
 	if len(labelOptions) == 0 { // Use pod level SELinux config
 		if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil {
-			labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel)
+			labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel)
 			if err != nil {
 				return nil, err
 			}
@ -396,7 +399,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	}
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(processLabel)
+			selinux.ReleaseLabel(processLabel)
 		}
 	}()
@ -544,9 +547,10 @@ func (c *criService) generateContainerMounts(sandboxID string, config *runtime.C
 			sandboxDevShm = devShm
 		}
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: devShm,
+			ContainerPath:  devShm,
-			HostPath:      sandboxDevShm,
+			HostPath:       sandboxDevShm,
-			Readonly:      false,
+			Readonly:       false,
 			SelinuxRelabel: true,
 		})
 	}
 	return mounts
--- a/vendor/github.com/containerd/cri/pkg/server/container_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_remove.go
@ -22,6 +22,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@ -30,7 +31,6 @@ import (
 )
 // RemoveContainer removes the container.
 // TODO(random-liu): Forcibly stop container if it's running.
 func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveContainerRequest) (_ *runtime.RemoveContainerResponse, retErr error) {
 	container, err := c.containerStore.Get(r.GetContainerId())
 	if err != nil {
@ -43,6 +43,17 @@ func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveConta
 	}
 	id := container.ID
 	// Forcibly stop the containers if they are in running or unknown state
 	state := container.Status.Get().State()
 	if state == runtime.ContainerState_CONTAINER_RUNNING ||
 		state == runtime.ContainerState_CONTAINER_UNKNOWN {
 		logrus.Infof("Forcibly stopping container %q", id)
 		if err := c.stopContainer(ctx, container, 0); err != nil {
 			return nil, errors.Wrapf(err, "failed to forcibly stop container %q", id)
 		}
 	}
 	// Set removing state to prevent other start/remove operations against this container
 	// while it's being removed.
 	if err := setContainerRemoving(container); err != nil {
--- a/vendor/github.com/containerd/cri/pkg/server/events.go
+++ b/vendor/github.com/containerd/cri/pkg/server/events.go
@ -333,6 +333,12 @@ func handleContainerExit(ctx context.Context, e *eventtypes.TaskExit, cntr conta
 		status.Pid = 0
 		status.FinishedAt = e.ExitedAt.UnixNano()
 		status.ExitCode = int32(e.ExitStatus)
 		// Unknown state can only transit to EXITED state, so we need
 		// to handle unknown state here.
 		if status.Unknown {
 			logrus.Debugf("Container %q transited from UNKNOWN to EXITED", cntr.ID)
 			status.Unknown = false
 		}
 		return status, nil
 	})
 	if err != nil {
--- a/vendor/github.com/containerd/cri/pkg/server/helpers.go
+++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go
@ -298,11 +298,15 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
 	return &newImage, nil
 }
-func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
+func toLabel(selinuxOptions *runtime.SELinuxOption) ([]string, error) {
-	if selinuxOptions == nil {
+	var labels []string
 		return nil
 	}
 	if selinuxOptions == nil {
 		return nil, nil
 	}
 	if err := checkSelinuxLevel(selinuxOptions.Level); err != nil {
 		return nil, err
 	}
 	if selinuxOptions.User != "" {
 		labels = append(labels, "user:"+selinuxOptions.User)
 	}
@ -316,11 +320,15 @@ func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
 		labels = append(labels, "level:"+selinuxOptions.Level)
 	}
-	return
+	return labels, nil
 }
 func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) {
-	return initLabels(toLabel(selinuxOpts))
+	labels, err := toLabel(selinuxOpts)
 	if err != nil {
 		return "", "", err
 	}
 	return label.InitLabels(labels)
 }
 func initLabels(options []string) (string, string, error) {
@ -339,7 +347,7 @@ func checkSelinuxLevel(level string) error {
 		return nil
 	}
-	matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
+	matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}(\.c\d{1,4})?(,c\d{1,4}(\.c\d{1,4})?)*)?$`, level)
 	if err != nil {
 		return errors.Wrapf(err, "the format of 'level' %q is not correct", level)
 	}
@ -473,6 +481,7 @@ func unknownContainerStatus() containerstore.Status {
 		FinishedAt: 0,
 		ExitCode:   unknownExitCode,
 		Reason:     unknownExitReason,
 		Unknown:    true,
 	}
 }
--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
 // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
 func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
 	var (
-		cert tls.Certificate
+		tlsConfig = &tls.Config{}
-		err  error
+		cert      tls.Certificate
 		err       error
 	)
 	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
 		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to load cert file")
 		}
 	}
 	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
 		return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
 	}
 	if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
 		return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
 	}
 	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
 		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to load cert file")
 		}
 		if len(cert.Certificate) != 0 {
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
 		tlsConfig.BuildNameToCertificate() // nolint:staticcheck
 	}
-	caCertPool, err := x509.SystemCertPool()
+	if registryTLSConfig.CAFile != "" {
-	if err != nil {
+		caCertPool, err := x509.SystemCertPool()
-		return nil, errors.Wrap(err, "failed to get system cert pool")
+		if err != nil {
 			return nil, errors.Wrap(err, "failed to get system cert pool")
 		}
 		caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to load CA file")
 		}
 		caCertPool.AppendCertsFromPEM(caCert)
 		tlsConfig.RootCAs = caCertPool
 	}
 	caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load CA file")
 	}
 	caCertPool.AppendCertsFromPEM(caCert)
-	tlsConfig := &tls.Config{
+	tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
 		RootCAs: caCertPool,
 	}
 	if len(cert.Certificate) != 0 {
 		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
 	tlsConfig.BuildNameToCertificate()
 	return tlsConfig, nil
 }
--- a/vendor/github.com/containerd/cri/pkg/server/restart.go
+++ b/vendor/github.com/containerd/cri/pkg/server/restart.go
@ -307,7 +307,9 @@ func (c *criService) loadContainer(ctx context.Context, cntr containerd.Containe
 	}()
 	if err != nil {
 		log.G(ctx).WithError(err).Errorf("Failed to load container status for %q", id)
-		status = unknownContainerStatus()
+		// Only set the unknown field in this case, because other fields may
 		// contain useful information loaded from the checkpoint.
 		status.Unknown = true
 	}
 	opts := []containerstore.Opts{
 		containerstore.WithStatus(status, containerDir),
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
@ -22,6 +22,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@ -49,7 +50,10 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS
 	// Return error if sandbox container is still running or unknown.
 	state := sandbox.Status.Get().State
 	if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown {
-		return nil, errors.Errorf("sandbox container %q is not fully stopped", id)
+		logrus.Infof("Forcibly stopping sandbox %q", id)
 		if err := c.stopPodSandbox(ctx, sandbox); err != nil {
 			return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id)
 		}
 	}
 	// Return error if sandbox network namespace is not closed yet.
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
@ -34,7 +34,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
@ -162,7 +162,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	sandbox.ProcessLabel = spec.Process.SelinuxLabel
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(sandbox.ProcessLabel)
+			selinux.ReleaseLabel(sandbox.ProcessLabel)
 		}
 	}()
@ -284,7 +284,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	var taskOpts []containerd.NewTaskOpts
 	// TODO(random-liu): Remove this after shim v1 is deprecated.
-	if c.config.NoPivot && ociRuntime.Type == plugin.RuntimeRuncV1 {
+	if c.config.NoPivot && (ociRuntime.Type == plugin.RuntimeRuncV1 || ociRuntime.Type == plugin.RuntimeRuncV2) {
 		taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
 	}
 	// We don't need stdio for sandbox container.
@ -422,7 +422,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 	}
 	defer func() {
 		if retErr != nil && processLabel != "" {
-			_ = label.ReleaseLabel(processLabel)
+			selinux.ReleaseLabel(processLabel)
 		}
 	}()
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go
@ -1,17 +1,17 @@
 /*
-Copyright 2017 The Kubernetes Authors.
+   Copyright The containerd Authors.
-Licensed under the Apache License, Version 2.0 (the "License");
+   Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
+   you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+   You may obtain a copy of the License at
-    http://www.apache.org/licenses/LICENSE-2.0
+       http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
+   Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
+   distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
+   See the License for the specific language governing permissions and
-limitations under the License.
+   limitations under the License.
 */
 package server
@ -40,6 +40,15 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		return nil, errors.Wrapf(err, "an error occurred when try to find sandbox %q",
 			r.GetPodSandboxId())
 	}
 	if err := c.stopPodSandbox(ctx, sandbox); err != nil {
 		return nil, err
 	}
 	return &runtime.StopPodSandboxResponse{}, nil
 }
 func (c *criService) stopPodSandbox(ctx context.Context, sandbox sandboxstore.Sandbox) error {
 	// Use the full sandbox id.
 	id := sandbox.ID
@ -53,20 +62,20 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		}
 		// Forcibly stop the container. Do not use `StopContainer`, because it introduces a race
 		// if a container is removed after list.
-		if err = c.stopContainer(ctx, container, 0); err != nil {
+		if err := c.stopContainer(ctx, container, 0); err != nil {
-			return nil, errors.Wrapf(err, "failed to stop container %q", container.ID)
+			return errors.Wrapf(err, "failed to stop container %q", container.ID)
 		}
 	}
 	if err := c.unmountSandboxFiles(id, sandbox.Config); err != nil {
-		return nil, errors.Wrap(err, "failed to unmount sandbox files")
+		return errors.Wrap(err, "failed to unmount sandbox files")
 	}
 	// Only stop sandbox container when it's running or unknown.
 	state := sandbox.Status.Get().State
 	if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown {
 		if err := c.stopSandboxContainer(ctx, sandbox); err != nil {
-			return nil, errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state)
+			return errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state)
 		}
 	}
@ -75,21 +84,21 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		// Use empty netns path if netns is not available. This is defined in:
 		// https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md
 		if closed, err := sandbox.NetNS.Closed(); err != nil {
-			return nil, errors.Wrap(err, "failed to check network namespace closed")
+			return errors.Wrap(err, "failed to check network namespace closed")
 		} else if closed {
 			sandbox.NetNSPath = ""
 		}
 		if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
-			return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
+			return errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
 		}
-		if err = sandbox.NetNS.Remove(); err != nil {
+		if err := sandbox.NetNS.Remove(); err != nil {
-			return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
+			return errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
 		}
 	}
 	log.G(ctx).Infof("TearDown network for sandbox %q successfully", id)
-	return &runtime.StopPodSandboxResponse{}, nil
+	return nil
 }
 // stopSandboxContainer kills the sandbox container.
--- a/vendor/github.com/containerd/cri/pkg/server/service.go
+++ b/vendor/github.com/containerd/cri/pkg/server/service.go
@ -28,7 +28,6 @@ import (
 	"github.com/containerd/cri/pkg/store/label"
 	cni "github.com/containerd/go-cni"
 	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	runcsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
@ -42,6 +41,7 @@ import (
 	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	osinterface "github.com/containerd/cri/pkg/os"
 	"github.com/containerd/cri/pkg/registrar"
 	"github.com/containerd/cri/pkg/seccomp"
 	containerstore "github.com/containerd/cri/pkg/store/container"
 	imagestore "github.com/containerd/cri/pkg/store/image"
 	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
@ -110,7 +110,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi
 		config:             config,
 		client:             client,
 		apparmorEnabled:    runcapparmor.IsEnabled() && !config.DisableApparmor,
-		seccompEnabled:     runcseccomp.IsEnabled(),
+		seccompEnabled:     seccomp.IsEnabled(),
 		os:                 osinterface.RealOS{},
 		sandboxStore:       sandboxstore.NewStore(labels),
 		containerStore:     containerstore.NewStore(labels),
--- a/vendor/github.com/containerd/cri/pkg/store/container/status.go
+++ b/vendor/github.com/containerd/cri/pkg/store/container/status.go
@ -94,10 +94,16 @@ type Status struct {
 	// Removing indicates that the container is in removing state.
 	// This field doesn't need to be checkpointed.
 	Removing bool `json:"-"`
 	// Unknown indicates that the container status is not fully loaded.
 	// This field doesn't need to be checkpointed.
 	Unknown bool `json:"-"`
 }
 // State returns current state of the container based on the container status.
 func (s Status) State() runtime.ContainerState {
 	if s.Unknown {
 		return runtime.ContainerState_CONTAINER_UNKNOWN
 	}
 	if s.FinishedAt != 0 {
 		return runtime.ContainerState_CONTAINER_EXITED
 	}
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@ -1,75 +1,79 @@
 # cri dependencies
 github.com/tchap/go-patricia v2.2.6
-github.com/opencontainers/selinux v1.2.2
+github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
 # containerd dependencies
 go.etcd.io/bbolt 2eb7227adea1d5cf85f0bc2a82b7059b13c2fa68
 google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 golang.org/x/sys 4c4f7f33c9ed00de01c4c741d2177abfcfe19307 https://github.com/golang/sys
 golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
 golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
 github.com/sirupsen/logrus v1.4.1
 github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd
 github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563
 github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
 github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823
 github.com/pkg/errors v0.8.1
 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
 github.com/opencontainers/runc f4982d86f7fde0b6f953cc62ccc4022c519a10a9 # v1.0.0-rc8-32-gf4982d86
 github.com/opencontainers/image-spec v1.0.1
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
 github.com/matttproud/golang_protobuf_extensions v1.0.1
 github.com/grpc-ecosystem/go-grpc-prometheus v1.1
 github.com/google/uuid v1.1.1
 github.com/golang/protobuf v1.2.0
 github.com/gogo/protobuf v1.2.1
 github.com/gogo/googleapis v1.2.0
 github.com/godbus/dbus v3
 github.com/docker/go-units v0.4.0
 github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/coreos/go-systemd v14
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
 github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
 github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
 github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
 github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
 github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec
 github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
 github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
 github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
 github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
 github.com/Microsoft/go-winio v0.4.14
 github.com/BurntSushi/toml v0.3.1
-github.com/imdario/mergo v0.3.7
+github.com/Microsoft/go-winio v0.4.14
 github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
 github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
 github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
 github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
 github.com/containerd/containerd v1.3.6
 github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
 github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
 github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
 github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 # v14
 github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
 github.com/docker/go-units v0.4.0
 github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f # v3
 github.com/gogo/googleapis v1.2.0
 github.com/gogo/protobuf v1.2.1
 github.com/golang/protobuf v1.2.0
 github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
 github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 # v1.1
 github.com/hashicorp/golang-lru v0.5.3
 github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
 github.com/matttproud/golang_protobuf_extensions v1.0.1
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
 github.com/opencontainers/image-spec v1.0.1
 github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9
 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
 github.com/pkg/errors v0.8.1
 github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823
 github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
 github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563
 github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd
 github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2
 github.com/sirupsen/logrus v1.4.1
 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
 github.com/urfave/cli v1.22.0
 go.etcd.io/bbolt v1.3.3
 go.opencensus.io v0.22.0
 golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3
 golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
 golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 google.golang.org/appengine v1.5.0
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0
 # kubernetes dependencies
 sigs.k8s.io/yaml v1.1.0
-k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c
+k8s.io/utils e782cd3c129fc98ee807f3c889c0f26eb7c9daf5
-k8s.io/kubernetes v1.16.0-rc.2
+k8s.io/kubernetes v1.16.6
-k8s.io/klog v0.4.0
+k8s.io/klog v1.0.0
-k8s.io/cri-api kubernetes-1.16.0-rc.2
+k8s.io/cri-api kubernetes-1.16.6
-k8s.io/client-go kubernetes-1.16.0-rc.2
+k8s.io/client-go kubernetes-1.16.6
-k8s.io/api kubernetes-1.16.0-rc.2
+k8s.io/api kubernetes-1.16.6
-k8s.io/apiserver kubernetes-1.16.0-rc.2
+k8s.io/apiserver kubernetes-1.16.6
-k8s.io/apimachinery kubernetes-1.16.0-rc.2
+k8s.io/apimachinery kubernetes-1.16.6
-gopkg.in/yaml.v2 v2.2.2
+gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8
-gopkg.in/inf.v0 v0.9.0
+gopkg.in/inf.v0 v0.9.1
-golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd
+golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef
 golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
-golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa
+golang.org/x/crypto 60c769a6c58655dab1b9adac0d58967dd517cfba
-github.com/stretchr/testify v1.3.0
+github.com/stretchr/testify v1.4.0
 github.com/seccomp/libseccomp-golang v0.9.1
 github.com/pmezard/go-difflib v1.0.0
-github.com/modern-go/reflect2 1.0.1
+github.com/modern-go/reflect2 v1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/json-iterator/go v1.1.7
+github.com/json-iterator/go v1.1.8
 github.com/google/gofuzz v1.0.0
 github.com/emicklei/go-restful v2.9.5
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -297,7 +297,7 @@ github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/syscallx
 github.com/containerd/continuity/sysx
-# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.6
+# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.8
 github.com/containerd/cri
 github.com/containerd/cri/pkg/annotations
 github.com/containerd/cri/pkg/api/runtimeoptions/v1
@ -310,6 +310,7 @@ github.com/containerd/cri/pkg/ioutil
 github.com/containerd/cri/pkg/netns
 github.com/containerd/cri/pkg/os
 github.com/containerd/cri/pkg/registrar
 github.com/containerd/cri/pkg/seccomp
 github.com/containerd/cri/pkg/server
 github.com/containerd/cri/pkg/server/io
 github.com/containerd/cri/pkg/store