Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for executors #1778

Merged
merged 1 commit into from
Nov 22, 2019
Merged

Add documentation for executors #1778

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,4 @@
* [RBAC](workflow-rbac.md)
* [REST API](rest-api.md)
* [Workflow Variables](variables.md)
* [Workflow Executors](workflow-executors.md)
58 changes: 58 additions & 0 deletions docs/workflow-executors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Workflow Executors

A workflow executor is a process that conforms to a specific interface that allows Argo to perform certain actions like monitoring pod logs, collecting artifacts, managing container lifecycles, etc..

The executor to be used in your workflows can be changed in [the configmap](./workflow-controller-configmap.yaml) under the `containerRuntimeExecutor` key.

## Docker (docker)

**default**

### Pros

* Most reliable and well-tested executor
* Supports all workflow examples
* Highly scalable as it communicates directly with the docker daemon for heavy lifting
* Output artifacts can be located on the base layer (e.g. /tmp)

### Cons

* Least secure as it required `docker.sock` of the host to be mounted which is often rejected by OPA.

## Kubelet (kubelet)

### Pros

* Secure since you cannot escape the privileges of the pod's service account
* Moderately scalable Log retrieval and container operations are performed against the kubelet

### Cons

* Additional kubelet configuration may be required
* Output artifacts can only be saved on volumes (e.g. emptyDir) and not the base image layer (e.g. /tmp)

## Kubernetes API (k8sapi)

### Pros

* Secure since you cannot escape the privileges of the pod's service account
* No extra configuration is required

### Cons

* Least scalable since log retrieval and container operations are performed against the kubernetes api
* Output artifacts can only be saved on volumes (e.g. emptyDir) and not the base image layer (e.g. /tmp)

## Process Namespace Sharing (pns)

### Pros

* Secure since you cannot escape the privileges of the pod's service account
* Output artifacts can be located on the base layer (e.g. /tmp)
* Highly scalable. Process polling is done over procfs rather than the Kubernetes/Kubelet API
* Process will no longer run with PID 1

### Cons

* Immature
* Cannot capture artifact directories from base image layer which has a volume mounted under it