This repository has been archived by the owner on May 12, 2021. It is now read-only.

howto: k8s grammar and format changes
Went through and made a few grammar and format updates to make how-to guide
easier to follow, as well as add direct links to project GitHub pages where applicable.

Fixes: #127

Signed-off-by: trilliams <tribecca@tribecc.us>

OGtrilliams committed Jul 26, 2018
1 parent c22d45e commit 6486053
Showing 1 changed file with 63 additions and 15 deletions.
78 changes: 63 additions & 15 deletions how-to/how-to-use-k8s-with-cri-containerd-and-kata.md
@@ -1,67 +1,83 @@
# How to use Kata Containers and CRI (containerd plugin) with Kubernetes

<<<<<<< HEAD
This document describes how to set up a single-machine Kubernetes cluster.
The Kubernetes cluster will use the [CRI containerd plugin](https://github.com/containerd/cri) and [Kata Containers](https://katacontainers.io) to launch untrusted workloads.

## Requirements
=======
This document describes how to set up a single-machine Kubernetes cluster.
<<<<<<< HEAD
The Kubernetes cluster will use the [CRI containerd plugin](https://github.com/containerd/cri) and [Kata Containers](https://github.com/kata-containers) to launch untrusted workloads.
>>>>>>> f208a33... howto: k8s grammar and format changes
=======
The Kubernetes cluster will use the [CRI containerd plugin](https://github.com/containerd/cri/blob/master/README.md) and [Kata Containers](https://katacontainers.io) to launch untrusted workloads.
>>>>>>> 592bf58... edit
## Requirements
- Kubernetes, kubelet, kubeadm
- cri-containerd
- Kata Containers

<<<<<<< HEAD
Note|
----------------- |
|For information about the supported versions of these components, see the Kata Containers [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) file. |

=======
For information about the supported versions of these components, see the Kata Containers [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) file.
>>>>>>> f208a33... howto: k8s grammar and format changes

## Install containerd(with CRI plugin enabled)

Follow the instructions from [CRI installation guide](http://github.com/containerd/cri/blob/master/docs/installation.md)

<!---
```bash
# Check if containerd is installed
$ command -v containerd
```
--->

## Install Kata Containers
## Install Kata Containers

Follow the instructions to [install Kata](https://github.com/kata-containers/documentation/blob/master/install/README.md).

<!---
```bash
# Check if kata-runtime is installed
$ command -v kata-runtime
# Check kata is well configured
$ kata-runtime kata-env
```
--->

## Install Kubernetes
Install Kubernetes in your host. See kubeadm [installation](https://kubernetes.io/docs/tasks/tools/install-kubeadm/)
<!---
Install Kubernetes in your host. See kubeadm [installation](https://kubernetes.io/docs/setup/independent/install-kubeadm/)

```bash
# Check if kubadm is installed
$ command -v kubeadm
```
--->

### Configure containerd to use Kata Containers

The CRI containerd plugin supports configuration for two runtime types.

- **Default runtime:** A runtime that is used by default to run workloads.
<<<<<<< HEAD
- **Untrusted workload runtime:** A runtime that will be used run untrusted workloads.
=======
- **Untrusted workload runtime:** A runtime that will be used to run untrusted workloads.
>>>>>>> f208a33... howto: k8s grammar and format changes
#### Define the Kata runtime as `untrusted_workload_runtime`
#### Define the Kata runtime as `untrusted_workload_runtime`

Configure the Kata runtime for untrusted workload with the [config option](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md)
Configure the Kata runtime for untrusted workloads with the [config option](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md)
`plugins.cri.containerd.untrusted_workload_runtime`.

Unless configured otherwise, the default runtime is set to `runc`.

<<<<<<< HEAD
- Configure containerd to use Kata as `untrusted_workload_runtime`
=======
- Configure containerd to use Kata as `untrusted_workload_runtime`:
>>>>>>> f208a33... howto: k8s grammar and format changes
```bash
$ sudo mkdir -p /etc/containerd/
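Review bot: Unresolved merge-conflict markers are committed into the document throughout this hunk: `<<<<<<< HEAD` / `=======` / `>>>>>>> f208a33...` around the introduction, the versions.yaml note, the "Untrusted workload runtime" bullet and the "Configure containerd to use Kata" bullet, plus a second, nested conflict closed by `>>>>>>> 592bf58... edit` in the introduction. Resolve each one to a single version and delete the markers; as committed, the introduction carries three variants of the CRI plugin / Kata Containers link sentence and `## Requirements` sits on both sides of the conflict. The CRI installation guide link also uses `http://github.com/containerd/cri/...`, which should be `https://` in a guide that readers follow to install a container runtime.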
@@ -78,8 +94,12 @@ EOT

### Configure Kubelet to use containerd

<<<<<<< HEAD
In order to allow kubelet use containerd (using CRI interface), configure the service to
point to the `containerd` socket.
=======
In order to allow kubelet to use containerd (using CRI interface), configure the service to point to the `containerd` socket.
>>>>>>> f208a33... howto: k8s grammar and format changes

- Configure k8s to use containerd
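Review bot: The `<<<<<<< HEAD`, `=======` and `>>>>>>> f208a33...` markers around the "In order to allow kubelet ..." paragraph under "Configure Kubelet to use containerd" are left in, so both the old wording ("allow kubelet use containerd") and the corrected wording end up in the rendered guide. Keep only the corrected sentence and remove the three marker lines.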
@@ -99,8 +119,12 @@ $ sudo systemctl daemon-reload

### Optional: Configure proxy

<<<<<<< HEAD
If you are behind a proxy, use this script to configure your proxy for docker,
kubelet, and containerd.
=======
If you are behind a proxy, use the following script to configure your proxy for docker, kubelet, and containerd:
>>>>>>> f208a33... howto: k8s grammar and format changes
```bash
# Set proxys
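Review bot: The "If you are behind a proxy ..." paragraph under "Optional: Configure proxy" is committed with its `<<<<<<< HEAD` / `=======` / `>>>>>>> f208a33...` conflict markers, so both versions of the sentence appear and the closing marker sits directly against the opening code fence. Keep the "use the following script" version, remove the markers, and leave a blank line before the fence. Since this is a grammar pass, the script comment `# Set proxys` could become `# Set proxies` as well.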
@@ -136,6 +160,17 @@ $ sudo systemctl daemon-reload
$ sudo systemctl restart containerd
$ sudo systemctl status containerd
```
<<<<<<< HEAD

- Prevent conflicts of docker iptables rules & k8s pod communication

```bash
$ sudo iptables -P FORWARD ACCEPT
```

- Start cluster using `kubeadm`

=======

- Prevent conflicts of docker iptables rules & k8s pod communication

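Review bot: The `<<<<<<< HEAD` marker after the containerd restart commands opens a conflict block that duplicates the "Prevent conflicts of docker iptables rules & k8s pod communication" and "Start cluster using `kubeadm`" bullets on both sides of `=======`. Keep one copy of each bullet and delete the markers. While this step is being edited, note in the text that `sudo iptables -P FORWARD ACCEPT` changes the host's default FORWARD policy for all forwarded traffic, not only pod traffic, so readers understand it is a setting for the single-machine test cluster this guide describes.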
@@ -145,6 +180,7 @@ $ sudo iptables -P FORWARD ACCEPT

- Start cluster using `kubeadm`

>>>>>>> f208a33... howto: k8s grammar and format changes
```bash
$ sudo kubeadm init --skip-preflight-checks \
--cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16
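Review bot: The `>>>>>>> f208a33...` line directly above the `kubeadm init` code block is the closing marker of the unresolved conflict opened in the previous hunk and has to go with it; as committed it renders as literal text before the fence. Separately, the command passes `--skip-preflight-checks` with no explanation in the surrounding text. A sentence stating why the preflight checks are skipped for this containerd setup would keep readers from carrying the flag over to other clusters.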
@@ -156,19 +192,23 @@ $ sudo -E kubectl get pods
```

### Install a Pod Network
<<<<<<< HEAD

A pod network plugin is needed to allow pods to communicate with each other.

=======

A pod network plugin is needed to allow pods to communicate with each other.

>>>>>>> f208a33... howto: k8s grammar and format changes
Install the `flannel` plugin by following the [Using kubeadm to Create a Cluster](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#instructions) guide, starting from the **Installing a pod network** section.

<!---
```bash
# Install a pod network using flannel
# There is not a programmatic way to know last what flannel commit use
# See https://github.com/coreos/flannel/issues/995
$ sudo -E kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
```
--->


```bash
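Review bot: Under "### Install a Pod Network" the sentence "A pod network plugin is needed to allow pods to communicate with each other." appears on both sides of an unresolved `<<<<<<< HEAD` / `=======` / `>>>>>>> f208a33...` conflict, and the closing marker runs straight into the "Install the `flannel` plugin" line. Keep one copy and remove the markers. The commented-out step also applies `kube-flannel.yml` from flannel's `master` branch, so the manifest that gets applied to the cluster can change between runs; pin the URL to a tag or commit once one is chosen, and fix the comment "There is not a programmatic way to know last what flannel commit use" in the same grammar pass.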
@@ -196,11 +236,19 @@ $ sudo -E kubectl taint nodes --all node-role.kubernetes.io/master-
```


### Create a unstrusted pod using Kata Containers
### Create an unstrusted pod using Kata Containers

By default, all pods are created with the default runtime configured in CRI containerd plugin.
If a pod has the `io.kubernetes.cri.untrusted-workload` annotation set to
<<<<<<< HEAD
<<<<<<< HEAD
`"true"`, the CRI plugin will run the pod with the [Kata Containers runtime](https://github.com/kata-containers/runtime).
=======
`"true"`, the CRI plugin runs the pod with the [Kata Containers runtime](https://github.com/kata-containers/runtime).
>>>>>>> f208a33... howto: k8s grammar and format changes
=======
`"true"`, the CRI plugin runs the pod with the [Kata Containers runtime](https://github.com/kata-containers/runtime/blob/master/README.md).
>>>>>>> 592bf58... edit
```bash
# Create untrusted pod configuration
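Review bot: The replacement heading `### Create an unstrusted pod using Kata Containers` corrects the article but still misspells "untrusted"; fix it to "untrusted" here. The paragraph below it also carries two nested unresolved conflicts (`<<<<<<< HEAD` twice, closed by `>>>>>>> f208a33...` and `>>>>>>> 592bf58... edit`), which leaves three variants of the sentence about the `io.kubernetes.cri.untrusted-workload` annotation and the Kata Containers runtime link. Keep one variant and delete all marker lines, since this paragraph is where the guide explains how a pod is selected for the Kata runtime.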