Support runtimeClassName in pod templates #1363
Conversation
googlebot
added
the
cla: yes
tekton-robot
added
size/M
|
Hi @impl. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
ok-to-test
tekton-robot
added
the
do-not-merge/hold
tekton-robot
added
lgtm
There was a problem hiding this comment.
That's an interesting feature to have. It is still alpha in k8s - but I suppose it won't hurt.
We cannot really test it E2E - but I expect any error handling will be done by K8s.
One question, what happens if the class is not defined or not available? Is the pod not scheduled until the class becomes available?
|
/lgtm |
|
Hi! Thanks for the review!
It has been promoted to beta as of v1.14, so we should have some reasonable assurance that the API won't change, at least.
This indeed seems to be the case.
If it isn't defined, the task will simply fail: In the case where it isn't available (e.g., the runtime handler exists but can't process the spec), I have seen the pods wait for the runtime. This is usually indicative of a serious system issue though; in my case, the GKE Sandbox nodes we were running somehow lost the process administering the sandbox. This caused basically every pod on the cluster to become effectively unschedulable. |
|
Looks like this has had enough eyes on it to confirm it can go in! /hold cancel |
tekton-robot
removed
the
do-not-merge/hold
This change adds support for the Kubernetes 1.12+ runtime class (https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/runtime-class.md) feature by adding the runtimeClassName field to pod templates and propagating that to the underlying pod spec.
impl
force-pushed
the
support-pod-runtimeclassname
branch
from
b5f4615
to
422053c
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi friends! @sbwsg and I tried to merge this earlier today but I needed to update my new test against latest master (which I have done above -- just a one-line change). Please let me know if there's anything else needed to get this in! |
|
/lgtm |
Changes
This change adds support for the Kubernetes 1.12+ runtime class feature by adding the
runtimeClassNamefield to pod templates and propagating that to the underlying pod spec.At Puppet, we're using Tekton in a fully untrusted environment (i.e., letting arbitrary users run containers à la GitHub Actions). We'd like to use gVisor (GKE Sandbox) as an additional layer of security as we approach a GA release of our product.
As a quick demo, here's the output of
dmesg | tail -n20using the legacy runtime and the gVisor runtime:Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmddir, please updatethe release Task to build and release this image.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.
Release Notes
runtimeClassNamefield in pod templates