diff --git a/docs/how-to/run-kata-with-k8s.md b/docs/how-to/run-kata-with-k8s.md
index 98da0622fa..88939bb1a9 100644
--- a/docs/how-to/run-kata-with-k8s.md
+++ b/docs/how-to/run-kata-with-k8s.md
@@ -59,57 +59,6 @@ You can also add multiple entries to specify alternatives hypervisors, e.g.:
 runtime_type = "oci"
 ```
-#### Untrusted annotation (until CRI-O v1.12)
-The untrusted annotation is used to specify a runtime for __untrusted__ workloads, i.e.
-a runtime to be used when the workload cannot be trusted and a higher level of security
-is required. An additional flag can be used to let CRI-O know if a workload
-should be considered _trusted_ or _untrusted_ by default.
-For further details, see the documentation
-[here](../design/architecture.md#mixing-vm-based-and-namespace-based-runtimes).
-
-```toml
-# runtime is the OCI compatible runtime used for trusted container workloads.
-# This is a mandatory setting as this runtime will be the default one
-# and will also be used for untrusted container workloads if
-# runtime_untrusted_workload is not set.
-runtime = "/usr/bin/runc"
-
-# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
-# container workloads. This is an optional setting, except if
-# default_container_trust is set to "untrusted".
-runtime_untrusted_workload = "/usr/bin/kata-runtime"
-
-# default_workload_trust is the default level of trust crio puts in container
-# workloads. It can either be "trusted" or "untrusted", and the default
-# is "trusted".
-# Containers can be run through different container runtimes, depending on
-# the trust hints we receive from kubelet:
-# - If kubelet tags a container workload as untrusted, crio will try first to
-# run it through the untrusted container workload runtime. If it is not set,
-# crio will use the trusted runtime.
-# - If kubelet does not provide any information about the container workload trust
-# level, the selected runtime will depend on the default_container_trust setting.
-# If it is set to "untrusted", then all containers except for the host privileged
-# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
-# containers are by definition trusted and will always use the trusted container
-# runtime. If default_container_trust is set to "trusted", crio will use the trusted
-# container runtime for all containers.
-default_workload_trust = "untrusted"
-```
-
-#### Network namespace management
-To enable networking for the workloads run by Kata, CRI-O needs to be configured to
-manage network namespaces, by setting the following key to `true`.
-
-In CRI-O v1.16:
-```toml
-manage_network_ns_lifecycle = true
-```
-In CRI-O v1.17+:
-```toml
-manage_ns_lifecycle = true
-```
-
 ### containerd