RuntimeClass gVisor and Kata containers
How to configure Kubernetes RuntimeClass resources for gVisor and Kata containers to run workloads in sandboxed runtimes.
Prepare runtimeClass YAML specification
First, list the existing RuntimeClasses available in the cluster to see what container runtimes are already configured. Then create a YAML file that defines a new RuntimeClass pointing to the desired handler.
```bash
# list the RuntimeClasses already present in the cluster (k is an alias for kubectl)
k get runtimeclasses.node.k8s.io -A
NAME              HANDLER        AGE
gvisor            runsc          2m58s
kata-containers   kata-runtime   2m57s

# write the new RuntimeClass definition
vim runtimeclass.yaml
```

```yaml
apiVersion: node.k8s.io/v1 # RuntimeClass is defined in the node.k8s.io API group
kind: RuntimeClass
metadata:
  name: secure-runtime # The name the RuntimeClass will be referenced by
  # RuntimeClass is a non-namespaced resource
handler: runsc # The name of the corresponding CRI configuration
```
Create a custom runtimeClass by using kubectl command
Apply the YAML file to create the new RuntimeClass, then verify that it appears alongside the existing ones.
```bash
# apply this file
k create -f runtimeclass.yaml
runtimeclass.node.k8s.io/secure-runtime created

# check the newly created runtimeClass
k get runtimeclasses.node.k8s.io -A
NAME              HANDLER        AGE
gvisor            runsc          7m25s
kata-containers   kata-runtime   7m24s
secure-runtime    runsc          2m48s
```
Create a pod using secure-runtime runtimeClass
To use the new RuntimeClass, set the runtimeClassName field in the pod spec. This makes the pod run under the gVisor (runsc) sandboxed runtime instead of the default container runtime, provided the node's CRI runtime actually has a handler named runsc configured: the RuntimeClass only names the handler, it does not install it, and a pod whose RuntimeClass or handler cannot be resolved fails instead of silently falling back to the default runtime.
```bash
# create a pod using the secure-runtime runtimeClass
cat simple-webapp-1.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-1
  labels:
    name: simple-webapp
spec:
  runtimeClassName: secure-runtime # resolves to the runsc (gVisor) handler
  containers:
    - name: simple-webapp
      image: kodekloud/webapp-delayed-start
      ports:
        - containerPort: 8080
```
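As an added example that is not part of the original post, here is a small audit that resolves each pod's runtimeClassName through the cluster's RuntimeClass handlers and reports pods that are not running under a sandbox. It assumes the input is the JSON from `kubectl get runtimeclasses -o json` and `kubectl get pods -A -o json`, replaced here by constructed samples, and that runsc and kata-runtime are the only handlers counted as sandboxed.

```python
import json

# Assumption: these CRI handler names back sandboxed runtimes (runsc = gVisor, kata-runtime = Kata)
SANDBOX_HANDLERS = {"runsc", "kata-runtime"}

# Constructed sample standing in for `kubectl get runtimeclasses -o json`
RUNTIMECLASSES_JSON = json.dumps({"items": [
    {"metadata": {"name": "gvisor"}, "handler": "runsc"},
    {"metadata": {"name": "kata-containers"}, "handler": "kata-runtime"},
    {"metadata": {"name": "secure-runtime"}, "handler": "runsc"},
]})

# Constructed sample standing in for `kubectl get pods -A -o json`
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "simple-webapp-1", "namespace": "default"},
     "spec": {"runtimeClassName": "secure-runtime"}},
    {"metadata": {"name": "legacy-api", "namespace": "default"},
     "spec": {}},                                    # no runtimeClassName at all
    {"metadata": {"name": "batch-job", "namespace": "jobs"},
     "spec": {"runtimeClassName": "kata-containers"}},
    {"metadata": {"name": "typo-pod", "namespace": "jobs"},
     "spec": {"runtimeClassName": "secure-runtim"}},  # name that resolves to nothing
]})


def handler_map(runtimeclasses_json):
    """Map RuntimeClass name -> CRI handler (the NAME/HANDLER columns of kubectl get)."""
    return {rc["metadata"]["name"]: rc["handler"]
            for rc in json.loads(runtimeclasses_json)["items"]}


def audit_pods(pods_json, handlers):
    """Resolve each pod to its handler. A pod with no runtimeClassName runs on the
    node's default runtime; an unresolvable name is flagged separately, since the
    kubelet fails such a pod rather than silently falling back."""
    findings = {}
    for pod in json.loads(pods_json)["items"]:
        key = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        rc_name = pod["spec"].get("runtimeClassName")
        if rc_name is None:
            findings[key] = "default-runtime"
        else:
            findings[key] = handlers.get(rc_name, "unknown-runtimeclass")
    return findings


def unsandboxed(findings, sandbox_handlers=SANDBOX_HANDLERS):
    """Namespaced pod names whose resolved handler is not a sandbox handler."""
    return sorted(k for k, v in findings.items() if v not in sandbox_handlers)
```

Running `unsandboxed(audit_pods(PODS_JSON, handler_map(RUNTIMECLASSES_JSON)))` on the samples reports legacy-api (default runtime) and typo-pod (unresolvable RuntimeClass), while simple-webapp-1 and batch-job pass.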
This post is licensed under CC BY 4.0 by the author.