Add runtime handler as annotations to ImageSpec #1448
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
kind/kep
k8s-ci-robot
added
lgtm
|
/lgtm This looks good to me. |
|
/assign @mikebrow |
| The runtimeHandler annotation will be based on the Runtime Class specified by the user: | ||
| ``` | ||
| “runtimehandler”: “<corresponding values>” |
There was a problem hiding this comment.
Can we also add kubernetes.io domain?
There was a problem hiding this comment.
as in kubernetes.io/runtimehandler ?
There was a problem hiding this comment.
Suggest adding a note with a link to the oci annotations for the oci image spec... https://github.com/opencontainers/image-spec/blob/master/annotations.md#annotations given that oci reserves org.opencontainers.image domain
There was a problem hiding this comment.
Yeah, I think kubernetes.io/runtimehandler sounds good to me. :)
There was a problem hiding this comment.
those annotations are bit different scope though - they're stored in the container manifest. We're talking about changing CRI, not OCI
There was a problem hiding this comment.
right just a mention regarding another reserved annotation domain for these annotations.
| “kubernetes.io/os”: ”linux” | ||
| ``` | ||
| Note that these are currently arrived from GOARCH and GOOS at runtime, which does not reflect the image which needs to be pulled but instead corresponds to the system on which kubelet is running. The runtime handler specified in the annotation will provide more accurate indication of the user intend to the runtime. |
There was a problem hiding this comment.
I thought someone would jut make new runtime handler configs to indicate if they wanted a particular arch/os/variant.. Seems odd to have runtime handler be a first class string then switches on the handler be a suggested annotation evaluated by container runtimes... Maybe just mention that this is a temporary soln to use annotations for this arch/os/variant selection pattern..
There was a problem hiding this comment.
another example of use is where we need per container runtime container image cache storage policies passed to the integration. For example: kubernetes.io/cache_image = "node", "pod", "container", "userid", "groupid", ...
In this example "node" is the default where images pulled on the node are cacheable... "pod" would mean one cache per pod no sharing of images across pods... etc... TBD for details based on container image policy kep WIP.
|
@Random-Liu - Is there any expectation at all that on |
| We could potentially also add the kubernetes specification annotations for consideration of the runtime: | ||
| ``` | ||
| “kubernetes.io/arch”: “amd64” | ||
| “kubernetes.io/os”: ”linux” |
There was a problem hiding this comment.
Should we define these in the kubernetes.io/image/* namespace?
There was a problem hiding this comment.
And have:
.../arch
.../os
.../variant
as known values?
There was a problem hiding this comment.
Ah good point. I see why this is confusing. Today we already have well-known labels applied to the node by the kubelet doc
kubernetes.io/oskubernetes.io/arch
Those are intended to be used for scheduling as nodeSelectors, not for determining what image to pull.
In this KEP I propose to encode a user's desired os/arch as part of the RuntimeClass. This may be different from the node labels above, so it would be good to use different names. RuntimeClass is the only thing passed in the pod sandbox config. I think for image/* to be useful, we'd need matching ones in the pod sandbox config too.
There was a problem hiding this comment.
Ah I see. Ok then yes we will just have one known annotation kubernetes.io/runtimehandler that is passed in the ImageSpec.Annotations. Thanks
There was a problem hiding this comment.
Should we define these in the kubernetes.io/image/* namespace?
Only one / is allowed for Kubernetes annotation, we may want to follow the same rule.
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
I think we should return the annotation in all Responses. We may want to make that clear in the doc. |
|
|
||
| #### Adding handler to CRI pull API | ||
|
|
||
| > As per discussions in sig-node meetings based on the PR https://github.com/kubernetes/kubernetes/pull/84486, this approach will no longer be considered. An alternate approach to add annotations to the ImageSpec will be path taken. |
There was a problem hiding this comment.
I think we can just delete this section since it's no longer being considered and delete other lines discussing handler.
| The runtimeHandler annotation will be based on the Runtime Class specified by the user: | ||
| ``` | ||
| “runtimehandler”: “<corresponding values>” |
There was a problem hiding this comment.
Suggest adding a note with a link to the oci annotations for the oci image spec... https://github.com/opencontainers/image-spec/blob/master/annotations.md#annotations given that oci reserves org.opencontainers.image domain
| “kubernetes.io/os”: ”linux” | ||
| ``` | ||
| Note that these are currently arrived from GOARCH and GOOS at runtime, which does not reflect the image which needs to be pulled but instead corresponds to the system on which kubelet is running. The runtime handler specified in the annotation will provide more accurate indication of the user intend to the runtime. |
| “kubernetes.io/os”: ”linux” | ||
| ``` | ||
| Note that these are currently arrived from GOARCH and GOOS at runtime, which does not reflect the image which needs to be pulled but instead corresponds to the system on which kubelet is running. The runtime handler specified in the annotation will provide more accurate indication of the user intend to the runtime. |
There was a problem hiding this comment.
I thought someone would jut make new runtime handler configs to indicate if they wanted a particular arch/os/variant.. Seems odd to have runtime handler be a first class string then switches on the handler be a suggested annotation evaluated by container runtimes... Maybe just mention that this is a temporary soln to use annotations for this arch/os/variant selection pattern..
| “kubernetes.io/os”: ”linux” | ||
| ``` | ||
| Note that these are currently arrived from GOARCH and GOOS at runtime, which does not reflect the image which needs to be pulled but instead corresponds to the system on which kubelet is running. The runtime handler specified in the annotation will provide more accurate indication of the user intend to the runtime. |
There was a problem hiding this comment.
another example of use is where we need per container runtime container image cache storage policies passed to the integration. For example: kubernetes.io/cache_image = "node", "pod", "container", "userid", "groupid", ...
In this example "node" is the default where images pulled on the node are cacheable... "pod" would mean one cache per pod no sharing of images across pods... etc... TBD for details based on container image policy kep WIP.
| This will be reviewed with contributors from both Kubernetes and ContainerD and tested together while Windows support in CRI-ContainerD is still in development. As this is an optional field today in `RunPodSandboxRequest`, there's no risk if someone wants to not specify it in `RuntimeClass`. In that case ContainerD will use the default configuration for pull, create sandbox, and so on. | ||
| #### Adding annotations to ImageSpec | ||
| These annotation will be an optional parameter and default configuration is used by `ContainerD`(or any other runtime involved) when no annotations are specified. |
There was a problem hiding this comment.
s/annotation/annotations/
Support for annotations will be on a container runtime implementation basis. A table should be built by each container runtime mentioning which annotations are supported by CR version.
I don't think we can "force" annotation support.... unless we want to have an api querying for a list of supported annotations from the CR.
There was a problem hiding this comment.
Have reframed the words to reflect this.
k8s-ci-robot
added
needs-rebase
kkmsft
force-pushed
the
kkmsft-patch-1
branch
2 times, most recently
from
e5bdec4 to
427fc40
Compare
k8s-ci-robot
removed
the
needs-rebase
kkmsft
force-pushed
the
kkmsft-patch-1
branch
from
edd74b9 to
993b8f7
Compare
|
@Random-Liu @PatrickLang - Have update the ImageSpec usage in List. PTAL. |
|
/LGTM |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
| // the local storage. It returns ("", nil) if the image isn't in the local storage. | ||
| GetImageRef(image ImageSpec) (string, error) | ||
| // Gets all images currently on the machine. | ||
| ListImages() ([]ImageSpec, error) |
There was a problem hiding this comment.
ListImages should continue return Images, we just need to add ImageSpec information into Image.
There was a problem hiding this comment.
ok - can we work out the specifics of that during phase 2 PR? We don't have the background on why Image and ImageSpec are different
There was a problem hiding this comment.
Thanks you @Random-Liu . I have modified the struct Image to include the ImageSpec in the updated PR. Please have a look - @Random-Liu @PatrickLang
There was a problem hiding this comment.
oh ok - that makes sense
There was a problem hiding this comment.
/lgtm
/hold
(remove once @Random-Liu ok with final update)
k8s-ci-robot
removed
the
lgtm
kkmsft
force-pushed
the
kkmsft-patch-1
branch
from
4218da0 to
61263eb
Compare
k8s-ci-robot
added
the
lgtm
kkmsft
force-pushed
the
kkmsft-patch-1
branch
from
61263eb to
1f185c9
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
/cancel hold |
|
/lgtm |
k8s-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, kkmsft, michmike, PatrickLang, Random-Liu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
this-week: 2023-07-28
8 participants
No description provided.