CRI: Enable custom infra container image #33488
Jenkins GKE smoke e2e failed for commit 555f957. Full PR test history. The magic incantation to run this job again is
XXX_unrecognized []byte `json:"-"` | ||
Linux *LinuxPodSandboxConfig `protobuf:"bytes,8,opt,name=linux" json:"linux,omitempty"` | ||
// Optional custom image of pod's infra container | ||
PodInfraContainerImage *string `protobuf:"bytes,9,opt,name=podInfraContainerImage" json:"podInfraContainerImage,omitempty"` |
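Review bot: The comment on PodInfraContainerImage (field 9) says only that the image is optional; it does not say what the runtime uses when the field is unset, or how a reference that needs registry credentials is expected to be pulled. Because the field sits in the same message as Linux, it would be supplied with each sandbox config, so the comment should also say whether a runtime is allowed to ignore it. Suggest spelling out the default and the pull expectations in the field comment.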
I'm not sure whether we want to pass this through CRI. At least, currently infra container is a docker specific thing.
IIRC, we can only specify infra container image per-node not per-container, if so I feel like we should pass this to dockershim when creating docker service instead of passing through CRI.
Yes, "infra" image is a docker-specific implementation detail. I think we'll be better off passing this to the internal DockerService for now, and eventually this should be configured directly for the CRI shim (either through flags or a configuration file).
hmm, only passing PodInfraContainerImage to dockershim is enough. It shouldn't be part of CRI.
We have an issue discussing this before #22344.
I don't see why the infra container needs to be in kubelet. It is a runtime specific implementation detail. I'd also not recommend making
As @Random-Liu mentioned above, infra container is a docker-specific implementation detail. The issue was to support the current behavior in the CRI shim for docker, not via the API. As for "custom" infra containers, this is already a thing since we have a kubelet flag for it, and there are users relying on it. I don't see how we can suddenly stop supporting it.
Agree with @yujuhong, the infra container image feature shouldn't be dropped, but it also shouldn't be part of CRI. I think passing the image to dockershim directly in kubelet is ok.
Will use http://kubernetes.io/docs/user-guide/images/#configuring-nodes-to-authenticate-to-a-private-repository to deal with credentials, and move commits to DockerService
Jenkins GCE Node e2e failed for commit b8013d2. Full PR test history. The magic incantation to run this job again is
Jenkins Kubemark GCE e2e failed for commit b8013d2. Full PR test history. The magic incantation to run this job again is
The result of Jenkins Kubemark has no clue for what's failing ...
// (with credentials)? | ||
image := defaultSandboxImage | ||
var ( | ||
image string |
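Review bot: The comment ending "(with credentials)?" at the top of this hunk leaves an open question in the code about how the sandbox image is pulled from a registry that requires authentication. Either answer it in the comment or turn it into a TODO that points at a tracking issue, so a reader can tell whether pulling with credentials is supported on this path.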
Why not var image string?
LGTM with one nit.
var ( | ||
image string | ||
) | ||
infraContainerImage := ds.podInfraContainerImage |
You can simplify lines 48 to 56 by doing
    image := defaultSandboxImage
    if len(infraContainerImage) != 0 {
        image = infraContainerImage
    }
image = defaultSandboxImage | ||
} | ||
|
||
// NOTE(harryz) Assume user to handle custom pod infra container image pulling by following: |
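Review bot: The NOTE on the last line of this hunk records an assumption (the user arranges pulling of a custom infra container image) that only someone reading this file will see. State the same requirement where the image is configured, and have the failure path name the image that could not be pulled, so a node without the right credentials produces an error an operator can act on.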
Is this a TODO or just a regular comment? If it's the latter, there is no need to add your name here (as there is no action item).
nit: Change it to "To use a custom sandbox image in a private repository, users need to configure the nodes with credentials properly. http://kubernetes.io/docs/user-guide/images/#configuring-nodes-to-authenticate-to-a-private-repository"
@@ -76,7 +77,8 @@ type DockerLegacyService interface { | |||
} | |||
|
|||
type dockerService struct { | |||
client dockertools.DockerInterface | |||
client dockertools.DockerInterface | |||
podInfraContainerImage string |
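Review bot: The new podInfraContainerImage field at the end of the dockerService struct has no comment. Document what an empty value means and whether the value is fixed when the service is created, so a reader does not assume it can vary per pod.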
Rename the field to podSandboxImage. We should not use the "infra container" name anymore in this package.
Modify api protoc for infra
rebased and nit fixed in latest commit
LGTM. Wait for @yujuhong to approve because she had change request before.
LGTM. Thanks for the PR!
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
A minor fix to enable custom infra container image ref #29478
Not sure how to deal with infra image credential, leave it as it is today. Should we allow user to specify credentials in pod yaml?