docs: Update k8s documentation

Update documentation with missing step to untaint node to enable
scheduling and update the example to run a pod using the kata runtime
class instead of untrusted workloads, which applies to versions of CRI-O
prior to v1.12.

Fixes #3863

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Chelsea Mafrica 2022-03-09 17:30:41 -08:00
parent 036a76e79c
commit 5c434270d1


@ -104,26 +104,69 @@ $ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /run/containerd/c
$ export KUBECONFIG=/etc/kubernetes/admin.conf $ export KUBECONFIG=/etc/kubernetes/admin.conf
``` ```
You can force Kubelet to use Kata Containers by adding some `untrusted` ### Allow pods to run in the master node
annotation to your pod configuration. In our case, this ensures Kata
Containers is the selected runtime to run the described workload.
`nginx-untrusted.yaml` By default, the cluster will not schedule pods in the master node. To enable master node scheduling:
```yaml ```bash
apiVersion: v1 $ sudo -E kubectl taint nodes --all node-role.kubernetes.io/master-
kind: Pod ```
### Create runtime class for Kata Containers
Users can use [`RuntimeClass`](https://kubernetes.io/docs/concepts/containers/runtime-class/#runtime-class) to specify a different runtime for Pods.
```bash
$ cat > runtime.yaml <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata: metadata:
name: nginx-untrusted name: kata
annotations: handler: kata
io.kubernetes.cri.untrusted-workload: "true" EOF
spec:
containers: $ sudo -E kubectl apply -f runtime.yaml
```
### Run pod in Kata Containers
If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod with the
[Kata Containers runtime](../../src/runtime/README.md).
- Create an pod configuration that using Kata Containers runtime
```bash
$ cat << EOF | tee nginx-kata.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-kata
spec:
runtimeClassName: kata
containers:
- name: nginx - name: nginx
image: nginx image: nginx
```
Next, you run your pod: EOF
``` ```
$ sudo -E kubectl apply -f nginx-untrusted.yaml
```
- Create the pod
```bash
$ sudo -E kubectl apply -f nginx-kata.yaml
```
- Check pod is running
```bash
$ sudo -E kubectl get pods
```
- Check hypervisor is running
```bash
$ ps aux | grep qemu
```
### Delete created pod
```bash
$ sudo -E kubectl delete -f nginx-kata.yaml
```
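Review bot: the new "Allow pods to run in the master node" step, `sudo -E kubectl taint nodes --all node-role.kubernetes.io/master-`, removes the control-plane taint from every node in the cluster, so the text should state that it is meant for a single-node test setup; on a multi-node or production cluster this lets arbitrary workloads schedule onto control-plane nodes, and the guide should point readers there to a dedicated worker node instead. Two smaller points in the same hunk: the bullet "Create an pod configuration that using Kata Containers runtime" should read "Create a pod configuration that uses the Kata Containers runtime", and the "Check hypervisor is running" step (`ps aux | grep qemu`) only holds when the configured Kata hypervisor is QEMU, so the text should say so or mention that the process name differs for other hypervisors.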