CRI: Enable custom infra container image #33488
Conversation
k8s-github-robot
added
size/L
resouer
force-pushed
the
infra-image
branch
from
7d1d050
to
0db3893
Compare
k8s-github-robot
added
the
needs-rebase
resouer
force-pushed
the
infra-image
branch
from
0db3893
to
555f957
Compare
k8s-github-robot
removed
the
needs-rebase
|
Jenkins GKE smoke e2e failed for commit 555f957. Full PR test history. The magic incantation to run this job again is |
| XXX_unrecognized []byte `json:"-"` | ||
| Linux *LinuxPodSandboxConfig `protobuf:"bytes,8,opt,name=linux" json:"linux,omitempty"` | ||
| // Optional custom image of pod's infra container | ||
| PodInfraContainerImage *string `protobuf:"bytes,9,opt,name=podInfraContainerImage" json:"podInfraContainerImage,omitempty"` |
There was a problem hiding this comment.
I'm not sure whether we want to pass this through CRI. At least, currently infra container is a docker specific thing.
IIRC, we can only specify infra container image per-node not per-container, if so I feel like we should pass this to dockershim when creating docker service instead of passing through CRI.
There was a problem hiding this comment.
Yes, "infra" image is a docker-specific implementation detail. I think we'll be better off passing this to the internal DockerService for now, and eventually this should be configured directly for the CRI shim (either through flags or a configuartion file).
There was a problem hiding this comment.
hmm, only passing PodInfraContainerImage to dockershim is enough. It shouldn't be part of CRI.
Random-Liu
added
release-note-none
We have an issue discussing this before #22344. |
|
I don't see why the infra container needs to be in kubelet. It is a runtime specific implementation detail. I'd also not recommend making |
As @Random-Liu mentioned above, infra container is a docker-specific implementation detail. The issue was to support the current behavior in the CRI shim for docker, not via the API. As for "custom" infra containers, this is already a thing since we have a kubelet flag for it, and there are users relying on it. I don't see how we can suddently stop supporting it. |
|
Agree with @yujuhong, the infra container image feature shouldn't be dropped, but it also shouldn't be part of CRI. I think pass the image to dockershim directly in kubelet is ok. |
|
Will use http://kubernetes.io/docs/user-guide/images/#configuring-nodes-to-authenticate-to-a-private-repository to deal with credentials, and move commits to DockerService |
k8s-github-robot
added
the
needs-rebase
resouer
force-pushed
the
infra-image
branch
2 times, most recently
from
d6275a2
to
b8013d2
Compare
k8s-github-robot
added
size/S
|
Jenkins GCE Node e2e failed for commit b8013d2. Full PR test history. The magic incantation to run this job again is |
|
Jenkins Kubemark GCE e2e failed for commit b8013d2. Full PR test history. The magic incantation to run this job again is |
|
The result of Jenkins Kubemark has no clue for what's failing ... |
| // (with credentials)? | ||
| image := defaultSandboxImage | ||
| var ( | ||
| image string |
|
LGTM with one nit. |
| var ( | ||
| image string | ||
| ) | ||
| infraContainerImage := ds.podInfraContainerImage |
There was a problem hiding this comment.
You can simplify line 48 to 56 by doing
image := defaultSandboxImage
if len(infraContainerImage) != 0 {
image = infraContainerImage
}
| image = defaultSandboxImage | ||
| } | ||
|
|
||
| // NOTE(harryz) Assume user to handle custom pod infra container image pulling by following: |
There was a problem hiding this comment.
Is this a TODO or just a regular comment? If it's the latter, there is no need to add your name here (as there is no action item).
nit: Change it to To use a custom sandbox image in a private repository, users need to configure the nodes with credentials properly. http://kubernetes.io/docs/user-guide/images/#configuring-nodes-to-authenticate-to-a-private-repository
| @@ -76,7 +77,8 @@ type DockerLegacyService interface { | |||
| } | |||
|
|
|||
| type dockerService struct { | |||
| client dockertools.DockerInterface | |||
| client dockertools.DockerInterface | |||
| podInfraContainerImage string | |||
There was a problem hiding this comment.
Rename the field to podSandboxImage. We should not use the "infra container" name anymore in this package.
k8s-github-robot
added
the
needs-rebase
Modify api protoc for infra
|
rebased and nit fixed in latest commit |
k8s-github-robot
removed
the
needs-rebase
|
LGTM. Wait for @yujuhong to approve because she had change request before. |
|
LGTM. Thanks for the PR! |
yujuhong
added
the
lgtm
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
A minor fix to enable custom infra container image ref #29478
Not sure how do deal with infra image credential, leave it as it is today. Should we allow user to specify credentials in pod yaml?
This change is