mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-27 03:21:04 +00:00
Move the f15be37d9bef58a0128bcba006f8abb3ea13e8da version of scripts required for openshift-ci from "kata-containers/tests/.ci/openshift-ci" into "kata-containers/kata-containers/ci/openshift-ci" and the required webhook+libs into "kata-containers/kata-containers/tools/testing" as-is to simplify verification; the different location handling will be added in a following commit.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
61 lines
2.0 KiB
Markdown
# Kata Admission controller webhook

Implement a simple admission controller webhook to annotate pods with the
Kata runtime class.

## How to build the admission controller

> **Note:**
> Only run this step if you are modifying the current webhook or don't
> want to use the webhook available in docker hub.

First build the admission controller image and the associated
Kubernetes YAML files required to instantiate the admission
controller.

```bash
docker build -t quay.io/kata-containers/kata-webhook-example:latest -f Dockerfile .
```

> **Note**
> The image needs to be published for the webhook to work. Alternatively,
> on a single machine cluster change the `imagePullPolicy` to use the locally
> built image.

## Making Kata the default runtime using an admission controller

Today in `crio.conf` `runc` is the default runtime when a user does not specify
`runtimeClass` in the pod spec. If you want to run a cluster where Kata is used
by default, except for workloads we know for sure will not work with Kata, use
the [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
and the sample admission controller we created by running the commands below:

> **Note**
>
> By default, the `runtimeClass` name used in this webhook is `kata`. If your
> cluster is configured with another `runtimeClass`, you'll need to change the
> value of the `RUNTIME_CLASS` environment variable defined in the
> [webhook file](deploy/webhook.yaml). You can manually edit the file or run:
>
> `export RUNTIME_CLASS=<>`
>
> `kubectl create cm kata-webhook --from-literal runtime_class=$RUNTIME_CLASS`

```bash
./create-certs.sh
kubectl apply -f deploy/
```

Afterwards you can run the `webhook-check.sh` script to check that the webhook was
deployed correctly and is working:

```bash
./webhook-check.sh
```

The webhook mutates pods to use the Kata runtime class for all pods except
those with

* `hostNetwork: true`
* namespace: `rook-ceph` and `rook-ceph-system`
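The mutation rule described above, as an added example that is not the project's webhook code: a Go sketch of the exemption decision and of the JSON patch an `AdmissionReview` response would carry. The `Pod` struct is a constructed stand-in for the Kubernetes API types, and the `RUNTIME_CLASS` handling mirrors the README's default of `kata`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Pod is a minimal stand-in for the Pod fields the decision depends on
// (constructed for this example; the real webhook uses k8s.io/api types).
type Pod struct {
	Namespace   string
	HostNetwork bool
}
// JSONPatchOp is one RFC 6902 operation, the form an AdmissionReview
// response carries when patchType is "JSONPatch".
type JSONPatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}
// Namespaces the README leaves on the cluster's default runtime.
var excludedNamespaces = map[string]bool{"rook-ceph": true, "rook-ceph-system": true}

// runtimeClass returns RUNTIME_CLASS if set, else the README's default "kata".
func runtimeClass() string {
	if rc := os.Getenv("RUNTIME_CLASS"); rc != "" {
		return rc
	}
	return "kata"
}
// shouldMutate applies the two exemptions: hostNetwork pods and rook-ceph namespaces.
func shouldMutate(p Pod) bool {
	return !p.HostNetwork && !excludedNamespaces[p.Namespace]
}
// mutatePatch returns the patch setting spec.runtimeClassName, or nil if exempt.
func mutatePatch(p Pod, class string) []JSONPatchOp {
	if !shouldMutate(p) {
		return nil
	}
	return []JSONPatchOp{{Op: "add", Path: "/spec/runtimeClassName", Value: class}}
}

func main() {
	// Constructed sample pods: a plain one and one per exemption.
	for _, p := range []Pod{{"default", false}, {"default", true}, {"rook-ceph", false}} {
		b, _ := json.Marshal(mutatePatch(p, runtimeClass()))
		fmt.Printf("%+v -> %s\n", p, b) // an exempt pod yields a nil patch, printed as "null"
	}
}
```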