The batch/v1beta1 API version of RuntimeClass is no longer served as of v1.25 Migrate API clients to use the batch/v1 API version instead which is available since 1.20. Note: It can't be tested until we add back in support for Kata containers on debian. Story: 2010368 Task: 47293 Signed-off-by: Sachin Gopala Krishna <saching.krishna@windriver.com> Change-Id: Id483f97775931d319c4f44113ada1595c74b3aed
5.1 KiB
Kata Containers
This guide describes how to run Kata Containers with Kubernetes on StarlingX.
Overview
StarlingX has supported Kata Containers in master since January 2020, and coming Release 4.0 will include it. Release 3.0 and before will not support it.
To support Kata Containers, pods are created by containerd instead of Docker. Also containerd is configured to support both runc and Kata Containers, while the default runtime is still runc. If you want to launch a pod with Kata Containers, you must declare it explicitly.
Run Kata Containers in Kubernetes
There are two methods to run Kata Containers in Kubernetes: by runtime class or by annotation. Runtime class is supported in Kubernetes since v1.12.0, and it is the recommended method for running Kata Containers.
To run by runtime class, create a RuntimeClass with
handler
set to kata
. Then reference this class
in the pod spec, as shown in the following example:
kind: RuntimeClass
apiVersion: node.k8s.io/v1
metadata:
name: kata-containers
handler: kata
---
apiVersion: v1
kind: Pod
metadata:
name: busybox-runtime
spec:
runtimeClassName: kata-containers
containers:
- name: busybox
command:
- sleep
- "3600"
image: busybox
To run a pod with Kata Containers by annotation, set
io.kubernetes.cri.untrusted-workload
to true
in the annotations section of a pod spec.
Note
This method is deprecated and may not be supported in future Kubernetes releases. We recommend using the RuntimeClass method.
Example of using annotation:
apiVersion: v1
kind: Pod
metadata:
name: busybox-untrusted
annotations:
io.kubernetes.cri.untrusted-workload: "true"
spec:
containers:
- name: busybox
command:
- sleep
- "3600"
image: busybox
Kata configuration in containerd
Note
No action is required for end user. This section just shows the configuration in containerd to support Kata Containers.
Containerd's configuration file
/etc/containerd/config.toml
is customized to support Kata
Containers.
For RuntimeClass, here is the configuration in config.toml:
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
For annotation, here is the configuration in config.toml:
[plugins.cri.containerd.runtimes.untrusted]
runtime_type = "io.containerd.kata.v2"
In this example, kata.v2
means
shimv2(containerd-shim-kata-v2)
, which helps Kubernetes to
launch pods and OCI-compatible containers with one shim per pod.
Check Kata Containers use
Here are two methods to check whether the pod is running with Kata Containers or not:
- Run
uname -a
in both container and host. The host kernel version should be 4.18.0, while the container kernel version should be 4.19 or higher. For normal container, the host kernel version is the same as the container. - Run
ps aux
in the host. A normal container is triggered by containerd-shim-runc-v1, while Kata Containers is triggered by containerd-shim-kata-v2.
References
For technical details about how Kata Containers is implemented on StarlingX, refer to:
Kata Containers is supported for Kubernetes only, since Kubernetes is the only supported container orchestration tool in StarlingX. Kata Container support for Docker is not implemented in StarlingX. The Docker runtime also may be removed in future releases of StarlingX, since all containers in StarlingX are run by Kubernetes at this time.
To try Kata Containers with Docker in StarlingX, refer to this link: https://github.com/kata-containers/documentation/blob/master/install/docker/centos-docker-install.md
To support Kata Containers, the CRI runtime in Kubernetes was switched from
dockershim
tocontainerd
. This means you cannot view/operate a Kubernetes container with the Docker client. You must usecrictl
instead, which supports commands that are similar to Docker commands. There is no difference in kubectl commands before and after the switch to containerd.More information is available at:
- Kata Containers: https://katacontainers.io/
- containerd: https://containerd.io/
- Kubernetes RuntimeClass: https://kubernetes.io/docs/concepts/containers/runtime-class/