Add Kata Containers support to CRI-O runtime (#6830)

* Enable Kata Containers for CRI-O runtime

Kata Containers is an OCI runtime where containers are run inside
lightweight VMs. This runtime has been enabled for containerd runtime
thru the kata_containers_enabled variable. This change enables Kata
Containers to CRI-O container runtime.

Signed-off-by: Victor Morales <v.morales@samsung.com>

* Set appropriate conmon_cgroup when crio_cgroup_manager is 'cgroupfs'

* Set manage_ns_lifecycle=true when KataContainers is enabled

* Add preinstall check for katacontainers

Signed-off-by: Victor Morales <v.morales@samsung.com>

Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
This commit is contained in:
Victor Morales
2020-10-23 03:07:46 -07:00
committed by GitHub
parent 91f1edbdd4
commit e03e3c4582
7 changed files with 61 additions and 20 deletions


@@ -11,7 +11,6 @@ crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
# By default unqualified images are not allowed for security reasons
crio_registries: []
crio_runc_path: "/usr/bin/runc"
crio_seccomp_profile: ""
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
@@ -29,3 +28,25 @@ crio_kubernetes_version_matrix:
"1.17": "1.17"
crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.19') }}"
# The crio_runtimes variable defines a list of OCI compatible runtimes.
crio_runtimes:
- name: runc
path: /usr/bin/runc
type: oci
root: /run/runc
# Kata Containers is an OCI runtime, where containers are run inside lightweight
# VMs. Kata provides additional isolation towards the host, minimizing the host attack
# surface and mitigating the consequences of containers breakout.
kata_runtimes:
# Kata Containers with the default configured VMM
- name: kata-runtime
path: /opt/kata/bin/kata-runtime
type: oci
root: /run/kata-containers
# Kata Containers with the QEMU VMM
- name: kata-qemu
path: /opt/kata/bin/kata-qemu
type: oci
root: /run/kata-containers