docs: Clean up k8s with cri-containerd howto #251
Conversation
jodh-intel
force-pushed
the
improve-k8s+cri-containerd-howto
branch
from
184a293 to
34ad1e3
Compare
|
A couple of points on this PR:
@OGtrilliams - ptal! ;) |
jodh-intel
force-pushed
the
improve-k8s+cri-containerd-howto
branch
from
34ad1e3 to
2325113
Compare
There was a problem hiding this comment.
Overall looking good to me. thanks for picking this up @jodh-intel Just a few minor questions.
| - Kubernetes, kubelet, kubeadm | ||
| - cri-containerd | ||
| - Kata Containers | ||
|
|
||
| For information about the supported version of these components see | ||
| Kata Containers [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) file. | ||
| **Note:** For information about the supported versions of these components, |
There was a problem hiding this comment.
Should this be an > indented note as per our guidelines
|
|
||
| ```bash | ||
| # Set proxys |
There was a problem hiding this comment.
I wonder if coding this as a #!/bin/bash script here will make it easier for a cut/paste for the user. I know we don't tend to do that for other inline scripts, so am happy to leave as is as well.
There was a problem hiding this comment.
Good point - I've simplified that block to not require bash now.
|
|
||
| $ export KUBECONFIG=/etc/kubernetes/admin.conf | ||
| ```bash | ||
| $ sudo iptables -P FORWARD ACCEPT |
There was a problem hiding this comment.
Ideally I'd like a touch more info around what this is fixing, how, and why it's not a gaping security hole (or, a caveat note if it is ;-) ).
There was a problem hiding this comment.
Well, this PR is for reworking the formatting but I'm happy to take input from @jcvenegas with more details... :)
There was a problem hiding this comment.
@jodh-intel this is used for the case that docker is installed in the node, docker set iptables rules that not allow containers communication, the issue is kubernetes/kubernetes#40182
There was a problem hiding this comment.
I did not test if this is not needed anymore, but keep as legacy from our initial k8s installation script.
There was a problem hiding this comment.
Thanks @jcvenegas - branch updated.
There was a problem hiding this comment.
@grahamwhaley, @jcvenegas - can you provide some suitable "security hole or not" words I can add?
/cc @mcastelino.
There was a problem hiding this comment.
Phew. Well, that thread over on kubernetes/kubernetes#40182 shows some less broad-spectrum fixes, and also points to what look like two supported solutions:
containernetworking/plugins#75
kubernetes/kubernetes#52569
From reading the thread, it seems the above fix as is is only transient, and not 'sticky' over reboots as well. I think we should say something like:
For testing, temporarily apply the following rule. Please see thread https://github.com/kubernetes/kubernetes/issues/40182 for more details on how to configure the k8s networking to route Docker traffic on your system.
But, let's get some feedback on if that is the right thing...
There was a problem hiding this comment.
We didn't resolve this. I'm not happy with it as is, as it applies a broad spectrum port forwared/allow, which is then not sticky. We need a decision. /cc @mcastelino @egernst .
|
|
||
| ### Allow run pods in master node | ||
| **Note:** There is not a programmatic way to know last what flannel commit use. See https://github.com/coreos/flannel/issues/995. |
There was a problem hiding this comment.
Yoda speak I read this: know last what flannel commit use (and how can there be no :yoda: emoji!) ;-)
| If a pod has the `io.kubernetes.cri.untrusted-workload annotation` set as | ||
| `"true"`, the CRI plugin will run the pod with the Kata Containers runtime. | ||
| sleep 1s | ||
| ((timeout_dns-=1)) |
There was a problem hiding this comment.
tiddly nit - I think you can use ((timeout_dns--)) here :-)
jodh-intel
force-pushed
the
improve-k8s+cri-containerd-howto
branch
from
2325113 to
ed60798
Compare
|
Hi @grahamwhaley - good catches! Branch updated ;) |
|
Ping @egernst, @jcvenegas, @chavafg, @sboeuf - ptal y'all! |
jodh-intel
force-pushed
the
improve-k8s+cri-containerd-howto
branch
from
ed60798 to
e651f4c
Compare
|
Hi @klynnrif and @kata-containers/documentation - ptal. |
|
|
||
| By default, the cluster will not schedule pods in the master node to allow that run: | ||
| > **Note:** There is no known way to determine programmatically the best version (commit) of to use. |
There was a problem hiding this comment.
Remove "of": ...to determine programmatically the best version (commit) to use.
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
jodh-intel
force-pushed
the
improve-k8s+cri-containerd-howto
branch
from
e651f4c to
4cc9efe
Compare
|
Thanks @klynnrif - branch updated. /test |
|
@jcvenegas - did you check this still works - if so, please re-review :-) |
|
Hi @grahamwhaley - one ack from you and we can land this at long last :) |
|
|
||
| Configure `containerd` to use the Kata runtime to run untrusted workloads by | ||
| setting the `plugins.cri.containerd.untrusted_workload_runtime` | ||
| [config option](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md): |
There was a problem hiding this comment.
The link here points to a specific, and old, version of containerd. Is that deliberate? Feels wrong. Probably should either point at the master branch - or the version that matches the one in your versions.yaml ? I vote for master.
|
|
||
| $ export KUBECONFIG=/etc/kubernetes/admin.conf | ||
| ```bash | ||
| $ sudo iptables -P FORWARD ACCEPT |
There was a problem hiding this comment.
We didn't resolve this. I'm not happy with it as is, as it applies a broad spectrum port forwared/allow, which is then not sticky. We need a decision. /cc @mcastelino @egernst .
|
Hi @grahamwhaley - the problem is, I didn't write this document. I understand we're trying to improve this, but I'm also worried that we're now reviewing even the bits of the doc that the original PR didn't touch. I think we're going to have to therefore wait until someone with more intimate knowledge of this can help me out. /cc @egernst, @mcastelino, @egernst maybe? |
|
How about we use the usual compromise: I raise an issue for these outstanding niggles so we can atleast get the majority of these improvements landed? The overall issue has been outstanding for ~ 5 months now... :) |
|
OK, let's see if we can get some feedback from those pinged in the next 24h - otherwise we'll go the Issue-and-move-on pragmatic route. |
|
Feedback didn't materialise.... @jodh-intel - merging this, and let's open Issues for any remaining outstanding items. |
|
Thanks - #265 raised for the |
With the old code it was possible to see odd messages like: "INFO: Create root disk image. Attempt 6 out of 5." Move the attempt number print to after we check against the max Fixes kata-containers#251 Signed-off-by: Matt Fischer <matt@mattfischer.com>
This PR is based on #124 but has been reworked and updated to take into
account review feedback and extra cleanups to bring this howto in line
with the latest documentation requirements.
Fixes #127.
Contributions-from: T. Nichole Williams tribecca@tribecc.us
Signed-off-by: James O. D. Hunt james.o.hunt@intel.com