minikube/deploy/addons/gvisor
Martynas Pumputis d982c4bf74 Do not include the default CNI config by default
Previously, minikube has been shipped with the default CNI config
(/etc/cni/net.d/k8s.conf) in its rootfs. This complicated a lot
when using a custom CNI plugin, as the default config was picked
by kubelet before the custom CNI plugin had installed its own CNI
config. So, the end result was that some Pods were attached to a
network defined in the default config, and some got managed by
the custom plugin.

This commit introduces the flag "--enable-default-cni" to
"minikube start" to trigger the provisioning of the default CNI
config.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
2019-01-03 09:23:29 +01:00
README.md Do not include the default CNI config by default 2019-01-03 09:23:29 +01:00
gvisor-config.toml Enable gvisor addon in minikube (#3399) 2018-12-07 15:27:22 -08:00
gvisor-containerd-shim.toml Enable gvisor addon in minikube (#3399) 2018-12-07 15:27:22 -08:00
gvisor-pod.yaml Change restart policy on gvisor pod (#3445) 2018-12-11 18:39:57 -08:00

README.md

gVisor Addon

gVisor, a sandboxed container runtime, allows users to securely run pods with untrusted workloads within Minikube.

Starting Minikube

gVisor depends on the containerd runtime to run in Minikube. When starting minikube, specify the following flags, along with any additional desired flags:

$ minikube start --container-runtime=containerd  \
    --docker-opt containerd=/var/run/containerd/containerd.sock \
    --network-plugin=cni --enable-default-cni

Enabling gVisor

To enable this addon, simply run:

$ minikube addons enable gvisor

Within one minute, the addon manager should pick up the change and you should see the gvisor pod:

$ kubectl get pod gvisor -n kube-system
NAME      READY     STATUS    RESTARTS   AGE
gvisor    1/1       Running   0          3m

Once the pod has status Running, gVisor is enabled in Minikube.

Running pods in gVisor

To run a pod in gVisor, add this annotation to the Kubernetes yaml:

io.kubernetes.cri.untrusted-workload: "true"

An example Pod is shown below:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx

Note: this annotation will not be necessary once the RuntimeClass Kubernetes feature is available broadly.
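The annotation only requests the sandbox; it is worth confirming that a pod actually landed in gVisor rather than on the host kernel, because a misconfigured runtime silently falls back to runc. gVisor's sentry emulates the kernel ring buffer, so `dmesg` run inside a sandboxed container prints gVisor's own banner instead of the host's Linux boot log. The following script is an added example and not part of the minikube addon; it assumes `kubectl` is on PATH, that the container image ships `dmesg` (the nginx image above does), and that the "Starting gVisor..." banner line is stable. The sample dmesg outputs are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the minikube gvisor addon): check whether a pod
# marked with io.kubernetes.cri.untrusted-workload really runs under gVisor.
# Assumption: a gVisor sandbox reports "Starting gVisor..." in its dmesg.

# Decide from dmesg text whether the container is sandboxed by gVisor.
# Returns 0 when the gVisor banner is present, 1 otherwise.
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# Run dmesg inside the first container of a pod in the current namespace.
# Assumes kubectl is on PATH and the image ships dmesg; empty output on failure.
pod_dmesg() {
  kubectl exec "$1" -- dmesg 2>/dev/null
}

# Report the sandbox status for a named pod. Returns 0 if sandboxed, 1 if not.
check_pod_sandboxed() {
  pod="$1"
  if is_gvisor_dmesg "$(pod_dmesg "$pod")"; then
    echo "$pod: sandboxed by gVisor"
    return 0
  fi
  echo "$pod: NOT sandboxed (host kernel dmesg, or dmesg unavailable)"
  return 1
}

# Constructed sample outputs (not captured from a real cluster) used to
# exercise the classifier offline.
SAMPLE_GVISOR='[    0.000000] Starting gVisor...
[    0.234481] Waiting for children...
[    0.412190] Ready!'
SAMPLE_HOST='[    0.000000] Linux version 4.15.0 (buildd@host) (gcc version 7.3.0)
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1'

# Usage: sh check_gvisor.sh nginx-untrusted
if [ "$#" -gt 0 ]; then
  check_pod_sandboxed "$1"
fi
```

Run it against the pod from the manifest above with `sh check_gvisor.sh nginx-untrusted`. A "NOT sandboxed" result for an annotated pod means the untrusted-workload handler is not wired up in containerd, which is exactly the failure the annotation alone cannot reveal.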

Disabling gVisor

To disable gVisor, run:

$ minikube addons disable gvisor

Within one minute, the addon manager should pick up the change. Once the gvisor pod has status Terminating, or has been deleted, the gvisor addon should be disabled.

$ kubectl get pod gvisor -n kube-system
NAME      READY     STATUS        RESTARTS   AGE
gvisor    1/1       Terminating   0          5m

Note: Once gVisor is disabled, any pod with the io.kubernetes.cri.untrusted-workload annotation will fail with a FailedCreatePodSandBox error.