Registry mirrors authentication missing #12916
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
@hakman is there a way to achieve containerd auth with kOps? Is the current option to use containerd Similarly, I also didn't find a way to configure an insecure (http) registryMirror for containerd ref containerd/containerd#3847 (comment) |
/remove-lifecycle stale |
It seems containerd deprecated the |
Yes, we are planning to review this config in the near future. |
so we're currently using but now we want to add GPU nodes to our cluster and enable the nvidia runtime for containerd (containerd 1.6.1 from kops 1.23 with k8s 1.23.5) ref https://github.com/kubernetes/kops/blob/v1.23.2/docs/gpu.md which won't get injected due to the early return from configOverride ref https://github.com/kubernetes/kops/blob/v1.23.2/nodeup/pkg/model/containerd.go#L479-L503 @hakman do you have any suggestions how to move forward here in the meantime? is currently the only way to additionally manually inject the nvidia runtime in configOverride? |
My preference is to add something similar to |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
hi @hakman 👋 should we get some extra thoughts on your last message? for the full disclosure, I'm pasting our custom

```toml
version = 2
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
runtime_type = "io.containerd.runc.v1"
privileged_without_host_devices = false
runtime_engine = ""
runtime_root = ""
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
SystemdCgroup = true
BinaryName = "/usr/bin/nvidia-container-runtime"
# added for registry basicauth ref https://github.com/kubernetes/kops/issues/12916#issuecomment-1083066051
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."${local.docker_registry__dns}"]
endpoint = ["${local.docker_registry__dns}"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."${local.docker_registry__dns}".auth]
# base64 encoded string from the concatenation of user:pass https://github.com/containerd/cri/pull/838/files#diff-a3d824da3c42420cd5cbb0a4a2c0e7b5bfddd819652788a0596d195dc6e31fa5R77
auth = "${base64encode(var.docker_registry_basicauth)}"
```
my hope is that a mechanism for this will still make it into kOps 1.26 but maybe that ship has sailed? ☸️ |
#16067 is adding configAdditions. Hopefully that is flexible enough for this use case for now. |
/kind feature
1. Describe IN DETAIL the feature/behavior/change you would like to see.
There is a way to set registry mirrors which is great: https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#registry-mirrors
But it looks like there is no way to provide authentication, or maybe I'm missing something.
2. Feel free to provide a design supporting your feature request.
Based on https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials config structure could look like: