Don't enable unprivileged ports and icmp on old kernels

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

pkg/agent/containerd/config_linux.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/containerd/containerd"
+	"github.com/docker/docker/pkg/parsers/kernel"
 	"github.com/k3s-io/k3s/pkg/agent/templates"
 	util2 "github.com/k3s-io/k3s/pkg/agent/util"
 	"github.com/k3s-io/k3s/pkg/cgroups"
@@ -64,6 +65,7 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 		DisableCgroup:         disableCgroup,
 		SystemdCgroup:         cfg.AgentConfig.Systemd,
 		IsRunningInUserNS:     isRunningInUserNS,
+		EnableUnprivileged:    kernel.CheckKernelVersion(4, 11, 0),
 		PrivateRegistryConfig: privRegistries.Registry,
 		ExtraRuntimes:         findNvidiaContainerRuntimes(os.DirFS(string(os.PathSeparator))),
 	}

pkg/agent/templates/templates.go

@@ -16,6 +16,7 @@ type ContainerdConfig struct {
 	DisableCgroup         bool
 	SystemdCgroup         bool
 	IsRunningInUserNS     bool
+	EnableUnprivileged    bool
 	PrivateRegistryConfig *registries.Registry
 	ExtraRuntimes         map[string]ContainerdRuntimeConfig
 }

pkg/agent/templates/templates_linux.go

@@ -15,8 +15,8 @@ const ContainerdConfigTemplate = `
   stream_server_address = "127.0.0.1"
   stream_server_port = "10010"
   enable_selinux = {{ .NodeConfig.SELinux }}
-  enable_unprivileged_ports = true
-  enable_unprivileged_icmp = true
+  enable_unprivileged_ports = {{ .EnableUnprivileged }}
+  enable_unprivileged_icmp = {{ .EnableUnprivileged }}
 
 {{- if .DisableCgroup}}
   disable_cgroup = true