smolBSD pod example

A smolBSD system can be spawned inside a container, isolating the service in its own virtual machine and thus bringing a decent level of security to it.

Building the docker image

Let's use the bozohttpd service as an example image.

Fetch the kernel image and generate the smolBSD image as usual:

$ make kernfetch
$ make SERVICE=bozohttpd base

Build the docker image using the created smolBSD image:

$ docker build -t smolbozo -f k8s/Dockerfile .

The following arguments can be passed to the build process using the --build-arg flag:

  • NBIMG: the name of the smolBSD image, defaults to bozohttpd-amd64.img
  • MEM: the amount of memory for the virtual machine, defaults to 256m
  • KERNEL: the name of the kernel to use, defaults to netbsd-SMOL
  • PORTFWD: port forwarding between host and guest, defaults to 8080:80

Try launching the container:

$ docker run -it --rm --device=/dev/kvm -p 8080:8080 smolbozo

And access it:

$ curl http://localhost:8080
<html><body>up!</body></html>

smolBSD pod

The generic device plugin is needed in order to expose /dev/kvm to the container without running the smolBSD pod in privileged mode.

Apply this modified version of k8s/generic-device-plugin.yaml to your k8s cluster:

$ kubectl apply -f k8s/generic-device-plugin.yaml

Check it is running:

$ kubectl get pods -n kube-system -l app.kubernetes.io/name=generic-device-plugin
NAME                          READY   STATUS    RESTARTS   AGE
generic-device-plugin-c74cc   1/1     Running   0          40h

Finally, here is a simple pod example for the bozohttpd smolBSD image. This example assumes the image is already loaded in the cluster and maps pod port 8080 to the node IP.

apiVersion: v1
kind: Pod
metadata:
  name: smolbozo
  namespace: smolbsd
  labels:
    app: smolbozo
spec:
  containers:
  - name: bozohttpd
    image: smolbozo:0.1
    ports:
    - containerPort: 8080
      hostPort: 8080
    resources:
      limits:
        squat.ai/kvm: 1

Note

You will either need to change the repository address for the image or set up a local repository. With Kind, you can also import the image into the cluster, but make sure to use fixed versions for the image: if :latest is used, the pull policy defaults to Always.
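Before applying a manifest, it is worth checking that it keeps the properties this README relies on: no privileged container, /dev/kvm obtained through the device plugin's squat.ai/kvm resource, and a fixed image tag. The following audit function is an added example, not part of the smolBSD project; the sample manifests are constructed to mirror the pod above and a deliberately broken variant.

```python
def audit_pod(manifest: dict) -> list[str]:
    """Return findings for one pod manifest; an empty list means it passes."""
    findings = []
    for c in manifest.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        # 1. Isolation: /dev/kvm must come from the device plugin, not privileged mode.
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: privileged container; use the device plugin instead")
        # 2. The device plugin only hands out /dev/kvm when the squat.ai/kvm
        #    extended resource is requested (the README uses a limit of 1).
        limits = c.get("resources", {}).get("limits", {})
        if str(limits.get("squat.ai/kvm", "0")) != "1":
            findings.append(f"{name}: missing 'squat.ai/kvm: 1' resource limit")
        # 3. Fixed tag: with ':latest' (or no tag) imagePullPolicy defaults to Always,
        #    so a locally imported image (e.g. with Kind) would be re-pulled and fail.
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # strip any registry/path prefix
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            findings.append(f"{name}: image {image!r} is not pinned to a fixed tag")
    return findings

# Constructed sample: the pod manifest from this README as a Python dict.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "smolbozo", "namespace": "smolbsd"},
    "spec": {"containers": [{
        "name": "bozohttpd", "image": "smolbozo:0.1",
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
        "resources": {"limits": {"squat.ai/kvm": 1}},
    }]},
}

# Constructed counter-example: privileged, floating tag, no device request.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "smolbozo-bad"},
    "spec": {"containers": [{
        "name": "bozohttpd", "image": "smolbozo:latest",
        "securityContext": {"privileged": True},
    }]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["OK"])
```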

Create the smolbsd namespace and apply the manifest:

$ kubectl create namespace smolbsd
$ kubectl apply -f k8s/smolbozo.yaml

Check it is running:

$ kubectl get pods -n smolbsd -o wide
NAME       READY   STATUS    RESTARTS   AGE   IP           NODE   NOMINATED NODE   READINESS GATES
smolbozo   1/1     Running   0          41h   10.42.0.21   k3s    <none>           <none>

And curl it!

$ curl http://10.42.0.21:8080
<html><body>up!</body></html>