kata-containers/tools/testing/kata-webhook/README.md

Kata Admission controller webhook

Implement a simple admission controller webhook to annotate pods with the Kata runtime class.

How to build the admission controller

Note: Only run this step if you are modifying the current webhook or don't want to use the webhook available in docker hub.

First build the admission controller image and the associated Kubernetes YAML files required to instantiate the admission controller.

docker build -t quay.io/kata-containers/kata-webhook-example:latest -f Dockerfile .

Note

Image needs to be published for the webhook needs to work. Alternately on a single machine cluster change the imagePullPolicy to use the locally built image.

Making Kata the default runtime using an admission controller

Today in crio.conf runc is the default runtime when a user does not specify runtimeClass in the pod spec. If you want to run a cluster where Kata is used by default, except for workloads we know for sure will not work with Kata, use the admission webhook and sample admission controller we created by running the commands below:

Note

By default, the runtimeClass name used in this webhook is kata. If your cluster is configured with another runtimeClass, you'll need to change the value of the RUNTIME_CLASS environment variable defined in the webhook file. You can manually edit the file or run:

export RUNTIME_CLASS=<>

kubectl create cm kata-webhook --from-literal runtime_class=$RUNTIME_CLASS

./create-certs.sh
kubectl apply -f deploy/

Afterwards you can run the webhook-check.sh script to check the webhook was deployed correctly and is working:

./webhook-check.sh

The webhook mutates pods to use the Kata runtime class for all pods except those with

• hostNetwork: true
• namespace: rook-ceph and rook-ceph-system