From 9c8dacb03742665fadc8bb2e1cc522c6c0378b24 Mon Sep 17 00:00:00 2001 From: Yuan Wang Date: Sun, 27 Jul 2025 23:13:35 +0000 Subject: [PATCH 1/3] ContainerRestartRules feature gate should work with probes --- pkg/kubelet/kuberuntime/kuberuntime_container.go | 4 +++- pkg/kubelet/kuberuntime/kuberuntime_manager.go | 4 +++- pkg/kubelet/kuberuntime/kuberuntime_manager_test.go | 6 +++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go index 3075566105f..621f06934ab 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_container.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go @@ -1222,7 +1222,9 @@ func (m *kubeGenericRuntimeManager) computeInitContainerActions(ctx context.Cont restartOnFailure := restartOnFailure if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) { - restartOnFailure = kubecontainer.ShouldContainerBeRestarted(container, pod, podStatus) + if container.RestartPolicy != nil { + restartOnFailure = *container.RestartPolicy != v1.ContainerRestartPolicyNever + } } if !restartOnFailure { changes.KillPod = true diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go index 26ba815fee2..37762fc0eac 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go 
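Review bot: The nil check and dereference added in computeInitContainerActions is repeated verbatim in the computePodActions hunk of kuberuntime_manager.go, so the two kill-or-restart decisions can drift apart when only one site is edited later. A small shared helper that takes the container and the already-computed default would keep both sites in step and give one place to document why restart rules are not consulted here. Both enclosing functions start and end outside their hunks, so how `restartOnFailure` and `restart` are consumed afterwards is not visible.

```go
// containerLevelRestart returns the container-level restart decision, or
// fallback when the container sets no RestartPolicy. Restart rules are not
// consulted.
func containerLevelRestart(c *v1.Container, fallback bool) bool {
	if c.RestartPolicy == nil {
		return fallback
	}
	return *c.RestartPolicy != v1.ContainerRestartPolicyNever
}

// … unchanged: computeInitContainerActions up to the feature-gate check …
if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
	restartOnFailure = containerLevelRestart(container, restartOnFailure)
}
```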
@@ -1147,7 +1147,9 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod * var reason containerKillReason restart := shouldRestartOnFailure(pod) if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) { - restart = kubecontainer.ShouldContainerBeRestarted(&container, pod, podStatus) + if container.RestartPolicy != nil { + restart = *container.RestartPolicy != v1.ContainerRestartPolicyNever + } } if _, _, changed := containerChanged(&container, containerStatus); changed { message = fmt.Sprintf("Container %s definition changed", container.Name) diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go index 118590b7f9d..4dc328bb499 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go @@ -2110,6 +2110,11 @@ func TestComputePodActionsWithInitAndEphemeralContainers(t *testing.T) { } func TestComputePodActionsWithContainerRestartRules(t *testing.T) { + // Make sure existing test cases pass with feature enabled + featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerRestartRules, true) + TestComputePodActions(t) + TestComputePodActionsWithInitContainers(t) + var ( containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways containerRestartPolicyOnFailure = v1.ContainerRestartPolicyOnFailure @@ -2231,7 +2236,6 @@ func TestComputePodActionsWithContainerRestartRules(t *testing.T) { }, }, } { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerRestartRules, true) pod, status := makeBasePodAndStatus() if test.mutatePodFn != nil { test.mutatePodFn(pod) From 4b479da4b5b42481b18ba038b57852c467b00492 Mon Sep 17 00:00:00 2001 From: Yuan Wang Date: Mon, 28 Jul 2025 16:33:20 +0000 Subject: [PATCH 2/3] Remove the feature from e2e test --- test/e2e/node/pods.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
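Review bot: Calling `TestComputePodActions(t)` and `TestComputePodActionsWithInitContainers(t)` directly at the top of TestComputePodActionsWithContainerRestartRules reports their failures under this test's name, and a top-level `t.Fatal` in either would stop the table that follows from running. Wrapping them as `t.Run("ExistingCasesWithGateEnabled", TestComputePodActions)`, with a second `t.Run` for the init-container test, keeps failures attributable and isolated while still inheriting the gate set on the parent. The visible lines also add no table entry where a probe fails on a container whose own RestartPolicy differs from the pod's, which is the path the two production hunks change. The table body is outside the hunk, so that case may already be covered there.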
diff --git a/test/e2e/node/pods.go b/test/e2e/node/pods.go index 94171ea245f..dd8528bcf74 100644 --- a/test/e2e/node/pods.go +++ b/test/e2e/node/pods.go @@ -718,7 +718,7 @@ var _ = SIGDescribe("Pods Extended (pod generation)", feature.PodObservedGenerat }) }) -var _ = SIGDescribe("Pod Extended (container restart policy)", feature.ContainerRestartRules, framework.WithFeatureGate(features.ContainerRestartRules), func() { +var _ = SIGDescribe("Pod Extended (container restart policy)", framework.WithFeatureGate(features.ContainerRestartRules), func() { f := framework.NewDefaultFramework("pods") f.NamespacePodSecurityLevel = admissionapi.LevelBaseline From fd206a0efb3029c20ee15bbb36b792182689b363 Mon Sep 17 00:00:00 2001 From: Yuan Wang Date: Mon, 28 Jul 2025 17:19:07 +0000 Subject: [PATCH 3/3] Add comments for restart rules not used for unknown container status and probes --- pkg/kubelet/kuberuntime/kuberuntime_container.go | 3 +++ pkg/kubelet/kuberuntime/kuberuntime_manager.go | 12 ++---------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go index 621f06934ab..a1d9453f891 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_container.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go @@ -1222,6 +1222,9 @@ func (m *kubeGenericRuntimeManager) computeInitContainerActions(ctx context.Cont restartOnFailure := restartOnFailure if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) { + // Only container-level restart policy is used. The container-level restart + // rules are not evaluated because the container might not have exited, so + // there is no exit code on which the rules can be used. if container.RestartPolicy != nil { restartOnFailure = *container.RestartPolicy != v1.ContainerRestartPolicyNever } 
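Review bot: The comment added in computeInitContainerActions explains why restart rules are skipped but leaves the nil case implicit: when `container.RestartPolicy` is nil, the `restartOnFailure` value copied from the enclosing scope is kept unchanged. A line such as `// A nil container.RestartPolicy keeps the inherited restartOnFailure value.` would make that fallback explicit. The comment added to computePodActions in kuberuntime_manager.go has the same gap for `restart`. The enclosing function starts and ends outside the hunk.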
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go index 37762fc0eac..a2a112c4bc3 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go @@ -589,16 +589,6 @@ func containerChanged(container *v1.Container, containerStatus *kubecontainer.St } func shouldRestartOnFailure(pod *v1.Pod) bool { - // With feature ContainerRestartRules enabled, the pod should be restarted - // on failure if any of its containers have container-level restart policy - // that is restartable. - if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) { - for _, c := range pod.Spec.Containers { - if podutil.IsContainerRestartable(pod.Spec, c) { - return true - } - } - } return pod.Spec.RestartPolicy != v1.RestartPolicyNever } @@ -1147,6 +1137,8 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod * var reason containerKillReason restart := shouldRestartOnFailure(pod) if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) { + // For probe failures, use container-level restart policy only. Container-level restart + // rules are not evaluated because the container is still running. if container.RestartPolicy != nil { restart = *container.RestartPolicy != v1.ContainerRestartPolicyNever }