Support 'mixed' container runtime mode #39685
Conversation
Any comments on whether such a change is acceptable (and why or why not) are welcome.
Supporting privileged pods and/or pods with host networking is important for hypervisor-based runtimes in Kubernetes, but running kubelet in the "mixed" mode seems clumsy to me. You could simply run a standalone CRI shim for docker, or any other container runtime of your choosing, and let them hide behind your proxy. @kubernetes/sig-node-misc
@yujuhong is it possible to run docker-shim without kubelet? I didn't know this was possible. It seems to me I saw mentions somewhere of a plan to make docker-shim out-of-process, but I couldn't find them again lately. And if I have to extract the docker shim code, this means I'll have to track changes in the original implementation, which is an extra burden. Or am I missing something and there's an existing external docker shim project? As a side note, the proxy I mentioned is not tied to other parts of virtlet, so if there's interest in it we can extract it so it can be used by hyper and other runtimes.
It's not possible right now, but that doesn't mean we should exclude this option, and it may happen in the future :) If you don't really need to run all the DaemonSets right away, you could also run kube-proxy directly on the node as a daemon. I believe Hypernetes does the same.
Agreed.
Hypernetes also doesn't support host networking today, so it just runs kube-proxy on the host. But a full-featured CRI implementation could indeed help a lot with managing various applications (including daemons). Adding a runtime proxy in the shim is one of the easiest ways.
@ivan4th I think using a separate proxy to dispatch requests and aggregate results to/from multiple runtimes is completely fine (and can benefit other hypervisor-based runtimes). For the short term, you may need to fork and run dockershim as a separate process, or pick another shim that has similar features.
There are other places that assume one runtime as well. For example, I think the …
@yujuhong thanks for the advice. I tried running …
@euank is this a serious problem? I can handle …
@ivan4th that one's only cosmetic, but I worry there are other places where the kubelet has ingrained assumptions that there is a single runtime, and those will cause more serious issues.
Not sure I understand your question completely, but the redirect URL needs to be accessible from the apiserver (not from the kubectl client). You can read the design doc in #29579 (comment) for more information.
It's true that working with multiple runtimes on a node has never been on the roadmap of kubelet, so @ivan4th, you may run into problems from time to time. On the other hand, since kubelet sees only a proxy (i.e., a single runtime), I think it's possible to solve some (if not most) of the issues by implementing better coalescing logic in the proxy. It does require more work, though.
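The coalescing idea described above (the proxy fans a list call out to every backend and merges the results so kubelet sees a single runtime) could be sketched roughly as follows. This is purely an illustration, not code from any real proxy: the `backend` type, the `listAllSandboxes` helper, and the `name:id` tagging scheme are all assumptions made for the example.

```go
package main

import "fmt"

// backend stands in for one CRI runtime behind the proxy
// (e.g. dockershim, virtlet). Hypothetical type for illustration.
type backend struct {
	name string
	pods []string // sandbox IDs as reported by that runtime
}

// listAllSandboxes merges the sandbox lists of all backends into one
// response, tagging each ID with the backend name so that later calls
// can be routed back to the right runtime.
func listAllSandboxes(backends []backend) []string {
	var all []string
	for _, b := range backends {
		for _, p := range b.pods {
			all = append(all, b.name+":"+p)
		}
	}
	return all
}

func main() {
	backends := []backend{
		{name: "docker", pods: []string{"p1", "p2"}},
		{name: "virtlet", pods: []string{"vm1"}},
	}
	// kubelet would see a single merged list: [docker:p1 docker:p2 virtlet:vm1]
	fmt.Println(listAllSandboxes(backends))
}
```

A real proxy would of course merge protobuf `ListPodSandbox` responses over gRPC rather than string slices, but the fan-out-and-tag shape stays the same.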
@yujuhong actually the problem was that I needed to pass … Anyway, closing this PR because there appears to be a better solution (docker-shim in the proxy).
(The PR is here for the purpose of discussion first.)

This PR adds a `mixed` CRI mode to kubelet. For example, the following kubelet args may be used with this patch:

```
--experimental-cri --container-runtime=mixed --container-runtime-endpoint=/run/criproxy.sock --image-service-endpoint=/run/criproxy.sock
```

In `mixed` mode, kubelet starts the in-process `docker-shim`, but connects to the specified container runtime / image service endpoints instead. This makes it possible to have multiple CRI implementations on the same node using a CRI proxy (here's an example of such a proxy).

Why this may be necessary: currently, using an 'exotic' CRI implementation like virtlet or another VM-based one means that a node supporting that runtime must be deployed in a manner different from the other nodes. E.g. kubeadm runs `kube-proxy` as a DaemonSet, and thus can't be used to prepare nodes for alternative CRI implementations. Also, depending on the cluster, it may be necessary to have housekeeping / hardware support / etc. DaemonSets that should run on all or most nodes, and the 'exotic' nodes would have no way to run pods from these DaemonSets. Last but not least, deploying and updating these CRI implementations themselves may be an extra burden, while with the 'proxy' mechanism in place it's possible to just run them as DaemonSets themselves.

This mechanism makes it possible to solve #29913 using an external solution.