Add Kata Containers support to CRI-O runtime #6830
Conversation
k8s-ci-robot
added
kind/feature
|
Hi @electrocucaracha. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
You are setting the firecracker runtime in CRIO even if it is not created the RuntimeClass. It's not an issue, we just have to add the other RuntimeClass to make it works out of box in another PR. |
|
@pasqualet: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@pasqualet you're right, adding firecracker as Runtimeclass will affect the configuration file of containerd as well right? |
Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com>
electrocucaracha
force-pushed
the
support_crio_kata
branch
from
2405fc0
to
190e952
Compare
@electrocucaracha containerd is not configured to use firecracker and it will fail if the RuntimeClass is created and used with containerd. Anyway I forgot that firecracker is not configured also in the kata-containers, so we have to configure also in there. |
I tried to enable it but that requires more than I was expecting so I decided to change this patch to only support kata-qemu |
Fix with cgroupfs and enable network namespace management
|
Neat! /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: electrocucaracha, Miouge1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Signed-off-by: Victor Morales <v.morales@samsung.com>
|
Where/how are kata containers installed? |
This was done in #6256 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
* Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
This change enables Kata Containers runtime for CRI-O container manager. Kata Containers is an OCI runtime where containers are run inside lightweight VMs resulting in an extra security layer.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This change requires to setup the following variables:
Does this PR introduce a user-facing change?:
NONE