how-to: add shimv2 as the default in the k8s and containerd howto

move the containerd+kata parts to containerd-kata.md and make
this file simpler

Signed-off-by: Xu Wang <xu@hyper.sh>
Xu Wang 2019-01-23 14:12:12 +08:00
parent c06e9f241f
commit 75501df2fa
No known key found for this signature in database
GPG Key ID: 77C677FBD478547A


@ -1,13 +1,11 @@
# How to use Kata Containers and CRI (containerd plugin) with Kubernetes # How to use Kata Containers and CRI (containerd plugin) with Kubernetes
* [Requirements](#requirements) * [Requirements](#requirements)
* [Install containerd with CRI plugin enabled](#install-containerd-with-cri-plugin-enabled) * [Install and configure containerd](#install-and-configure-containerd)
* [Install Kata Containers](#install-kata-containers) * [Install and configure Kubernetes](#install-and-configure-kubernetes)
* [Install Kubernetes](#install-kubernetes) * [Install Kubernetes](#install-kubernetes)
* [Configure containerd to use Kata Containers](#configure-containerd-to-use-kata-containers) * [Configure Kubelet to use containerd](#configure-kubelet-to-use-containerd)
* [Define the Kata runtime as the untrusted workload runtime](#define-the-kata-runtime-as-the-untrusted-workload-runtime) * [Configure HTTP proxy - OPTIONAL](#configure-http-proxy---optional)
* [Configure Kubelet to use containerd](#configure-kubelet-to-use-containerd)
* [Configure proxy - OPTIONAL](#configure-proxy---optional)
* [Start Kubernetes](#start-kubernetes) * [Start Kubernetes](#start-kubernetes)
* [Install a Pod Network](#install-a-pod-network) * [Install a Pod Network](#install-a-pod-network)
* [Allow pods to run in the master node](#allow-pods-to-run-in-the-master-node) * [Allow pods to run in the master node](#allow-pods-to-run-in-the-master-node)
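Review bot: The table of contents drops the anchors `#install-kata-containers`, `#configure-containerd-to-use-kata-containers` and `#define-the-kata-runtime-as-the-untrusted-workload-runtime`, so any inbound link to them from other documents will now land at the top of the page. Please grep the documentation tree for these anchors and repoint them to containerd-kata.md. Also, "Install Kubernetes", "Configure Kubelet to use containerd" and "Configure HTTP proxy - OPTIONAL" become `###` headings later in this patch, so their entries here should be nested under "Install and configure Kubernetes" to match.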
@ -20,10 +18,13 @@ The Kubernetes cluster will use the
[CRI containerd plugin](https://github.com/containerd/cri) and [CRI containerd plugin](https://github.com/containerd/cri) and
[Kata Containers](https://katacontainers.io) to launch untrusted workloads. [Kata Containers](https://katacontainers.io) to launch untrusted workloads.
For Kata Containers 1.5.0-rc2 and above, we will use [`containerd-shim-kata-v2` (short as `shimv2` in this documentation)](../design/shimv2.md)
to launch Kata Containers. For the previous version of Kata Containers, the Pods are launched with `kata-runtime`.
## Requirements ## Requirements
- Kubernetes, kubelet, kubeadm - Kubernetes, kubelet, kubeadm
- cri-containerd - containerd with `cri` plug-in
- Kata Containers - Kata Containers
> **Note:** For information about the supported versions of these components, > **Note:** For information about the supported versions of these components,
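Review bot: In the added shimv2 paragraph the version boundary is loosely worded: "For the previous version of Kata Containers" reads as a single release, while the first sentence sets the cut-off at 1.5.0-rc2. Suggest "For Kata Containers releases earlier than 1.5.0-rc2, Pods are launched with `kata-runtime`", and "referred to as `shimv2` in this document" instead of "short as". The link text would also read better if it covered only `containerd-shim-kata-v2`, not the parenthetical. In the requirements list, "containerd with `cri` plug-in" spells it "plug-in" while the title and the introduction use "plugin"; pick one.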
@ -31,22 +32,14 @@ The Kubernetes cluster will use the
> [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) > [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml)
> file. > file.
## Install containerd with CRI plugin enabled ## Install and configure containerd
- Follow the instructions from the First, follow the [How to use Kata Containers and Containerd](containerd-kata.md) to install and configure containerd.
[CRI installation guide](http://github.com/containerd/cri/blob/master/docs/installation.md). Then, make sure the containerd works with the [examples in it](containerd-kata.md#run).
- Check if `containerd` is now available ## Install and configure Kubernetes
```bash
$ command -v containerd
```
## Install Kata Containers ### Install Kubernetes
Follow the instructions to
[install Kata Containers](https://github.com/kata-containers/documentation/blob/master/install/README.md).
## Install Kubernetes
- Follow the instructions for - Follow the instructions for
[kubeadm installation](https://kubernetes.io/docs/setup/independent/install-kubeadm/). [kubeadm installation](https://kubernetes.io/docs/setup/independent/install-kubeadm/).
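Review bot: With the "Install Kata Containers" section removed, no step on this page installs Kata Containers any more, although it is still listed under Requirements; the new text under "Install and configure containerd" only says the linked guide will "install and configure containerd". Please state explicitly that containerd-kata.md also covers installing Kata Containers and selecting the runtime, so a reader does not continue to the Kubernetes steps with a containerd that has no Kata runtime configured. The quick `command -v containerd` check is dropped as well; if it is not kept, the sentence pointing at `containerd-kata.md#run` should say what a successful result looks like. Minor wording: "follow the ... guide" and "make sure containerd works" rather than "the containerd works".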
@ -57,39 +50,7 @@ Follow the instructions to
$ command -v kubeadm $ command -v kubeadm
``` ```
## Configure containerd to use Kata Containers ### Configure Kubelet to use containerd
The CRI `containerd` plugin supports configuration for two runtime types.
- **Default runtime:**
A runtime that is used by default to run workloads.
- **Untrusted workload runtime:**
A runtime that will be used to run untrusted workloads. This is appropriate
for workloads that require a higher degree of security isolation.
#### Define the Kata runtime as the untrusted workload runtime
Configure `containerd` to use the Kata runtime to run untrusted workloads by
setting the `plugins.cri.containerd.untrusted_workload_runtime`
[config option](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md):
```bash
$ sudo mkdir -p /etc/containerd/
$ cat << EOT | sudo tee /etc/containerd/config.toml
[plugins]
[plugins.cri.containerd]
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/usr/bin/kata-runtime"
EOT
```
> **Note:** Unless configured otherwise, the default runtime is set to `runc`.
## Configure Kubelet to use containerd
In order to allow kubelet to use containerd (using the CRI interface), configure the service to point to the `containerd` socket. In order to allow kubelet to use containerd (using the CRI interface), configure the service to point to the `containerd` socket.
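Review bot: Removing the whole "Configure containerd to use Kata Containers" section also removes the explanation of default versus untrusted workload runtime and the note that the default runtime is `runc` unless configured otherwise, while the introduction still says the cluster uses Kata Containers "to launch untrusted workloads". A reader who skips or misreads the linked guide gets no hint here that pods fall back to `runc`, without the extra isolation. Suggest keeping a short paragraph under "Install and configure containerd" that retains the `runc` default note and links to the exact section of containerd-kata.md where `untrusted_workload_runtime` (or its shimv2 equivalent) is set.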
@ -109,7 +70,7 @@ In order to allow kubelet to use containerd (using the CRI interface), configure
$ sudo systemctl daemon-reload $ sudo systemctl daemon-reload
``` ```
## Configure proxy - OPTIONAL ### Configure HTTP proxy - OPTIONAL
If you are behind a proxy, use the following script to configure your proxy for docker, kubelet, and containerd: If you are behind a proxy, use the following script to configure your proxy for docker, kubelet, and containerd:
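Review bot: The heading is renamed to "Configure HTTP proxy - OPTIONAL", but the sentence under it is left unchanged and still says the script configures the proxy "for docker, kubelet, and containerd". Docker is not listed under Requirements on this page, so either drop it from the sentence or say when it applies. If the script also sets HTTPS or no-proxy variables, "HTTP proxy" in the heading is narrower than what the section does; please confirm the name matches the script.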