WIP: kubelet/rkt: Support rkt for container runtime. (Splitted into other PRs) #7244
Conversation
|
PR description SGTM. Is PR itself ready for review? |
|
@dchen1107 No... I will remove WIP and split the commits once ready :) |
yifan-gu
changed the title
|
/cc @bakins |
yifan-gu
force-pushed
the
rkt
branch
2 times, most recently
from
603d2bf
to
3cdd2e3
Compare
|
@pweil- please be aware of this w.r.t. security context so that the changes you are making are appropriately abstractable for Yifan |
|
We also need to accommodate rocket with pre-start hooks
|
|
@yifan-gu thanks for the rkt support. I was experimenting with rkt on k8s through a privileged docker container a few days ago. Nice to see it coming in as a first class citizen. Are you planning to accommodate per namespace trusted keys, maybe through secrets or some other means? |
|
Cc @liggitt re: pull secrets - the delivery method for pull secrets to the kubelet will differ between rocket and docker unless rocket supports .dockercfg. I think we can let supporting pull secrets be a follow on for the rocket plugin.
|
|
Sounds good, thanks @smarterclayton
|
|
@smarterclayton - will read through this today. Thanks for the heads up |
|
btw can we get the Godeps merged first as a separate PR? GitHub chokes trying to review such a large change and doesn't let us see the important parts of this PR. |
|
Do you expect to use secrets for credentials for image pull in this PR? |
Good idea. Will do after one more commit (trying to get pid, exit code in status) |
|
+1 on separate PR on Godeps. Thanks! |
|
@pmorie Good question. I haven't plan for using secrets in this PR. I'm not sure what's the plan for secrets for image pulling. Are we going to add a credential provider for secret volumes ?? |
|
@yifan-gu excellent question. We definitely need to support secrets from a
|
|
The plan is no, at this moment - pull secrets are outside of the volumes (because they are managed outside of the containers)
|
|
Got it, thanks! @smarterclayton @pmorie |
|
@pmorie yes, it may take some time to do completely though. |
yifan-gu
force-pushed
the
rkt
branch
2 times, most recently
from
f28903a
to
d9bb48e
Compare
|
@vmarmol @dchen1107 I have most the missing functions implemented. Will do a cleanup and rebase. Note that Also a few functions' signature needs to sync with runtime. |
yifan-gu
changed the title
Let's use this PR to track the missing functions for experimental rkt support in k8s:
(Expected version of rkt: 0.5.4)
Unify the container image format, let's assume it's docker images for now.I decided to abort this for now, let's just dodocker://for now until we get a solution for Add RunInContainer/ExecInContainer to container Runtime API. #7208What I am missing? @vmarmol @dchen1107 @jonboulle
Update: