Enable gvisor addon in minikube #3399
This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to its original state and restart containerd.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: priyawadhwa
If they are not already assigned, you can assign the PR to them by writing
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@minikube-bot OK to test
hyperkit issue seems interesting, but more likely due to the recently merged #3332
85b7a4d to f885f4b
docs/gvisor.md
Outdated
To run a pod in gVisor, add this annotation to the Kubernetes yaml: | ||
|
||
``` | ||
io.kubernetes.cri.untrusted-workload: "true" |
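Review bot: the annotation shown, `io.kubernetes.cri.untrusted-workload: "true"`, is the untrusted-workload mechanism of the containerd 1.1 CRI plugin (as the review question below notes), so this doc line should state which containerd version it applies to; a reader on an ISO with a different containerd would otherwise have no way to tell why an annotated pod did not land in runsc.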
This is because we are still using containerd 1.1 right?
namespace: kube-system | ||
labels: | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
spec: |
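Review bot: `spec:` is shown without an explicit terminationGracePeriodSeconds, yet the disable path (revert config.toml and restart containerd, triggered by the addon manager deleting the pod) has to finish inside that grace period or kubelet sends SIGKILL and the node is left with the gVisor config.toml in place; set the value to something that bounds the revert, and have the container exit as soon as the revert is done rather than sleeping out the period.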
nit: Consider setting terminationGracePeriodSeconds to something sane but less than 30s (an upper bound for what the preStop hook should take to run). AFAICT deleting the pod will take the full 30s since we are just sleeping for 1y
I ended up removing the prestop hook because it wasn't consistently running without errors; I've changed the code to intercept the SIGTERM kill signal and disable gvisor then.
Ok, that should work.
Instead of checking in default config.toml, save it at /tmp/config.toml on the node upon enable and copy it back upon disable. Also, instead of using the prestop hook, intercept the SIGTERM kill signal upon pod termination, disable gvisor, and then exit with code 0. This should work better because now we will be able to see the logs from disabling, and because the prestop hook wouldn't consistently run the disable command and clean up the pod correctly.
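The enable/disable mechanism described in the PR description and in this commit message, as an added Go example that is not part of the minikube code or this PR: on enable it saves the node's config.toml to a backup path, writes a containerd 1.1 `untrusted_workload_runtime` section pointing at runsc, and restarts containerd; on SIGTERM it copies the backup back, restarts containerd again and returns exit code 0 so the pod is not reported as failed. The config path, the backup path, the TOML contents and the `systemctl restart containerd` command are assumptions for illustration; the restart is injectable so the swap logic can be exercised without containerd on the host.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
)

// gvisorConfig is an illustrative containerd 1.1 CRI snippet that routes pods
// carrying the untrusted-workload annotation to runsc. Assumption: these keys
// and paths are sample values, not the config this PR ships.
const gvisorConfig = `[plugins.cri.containerd.untrusted_workload_runtime]
  runtime_type = "io.containerd.runtime.v1.linux"
  runtime_engine = "/usr/local/bin/runsc"
  runtime_root = "/run/containerd/runsc"
`

// Manager owns the config.toml swap on the node.
type Manager struct {
	ConfigPath        string       // assumed: /etc/containerd/config.toml
	BackupPath        string       // /tmp/config.toml, as in the commit message
	RestartContainerd func() error // injectable so tests need no containerd
}

// copyFile copies src to dst, creating or truncating dst.
func copyFile(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

// Enable backs up the current config.toml, writes the gVisor config in its
// place and restarts containerd. It refuses to overwrite an existing backup so
// that a restarted pod cannot replace the original with an already-modified file.
func (m *Manager) Enable() error {
	if _, err := os.Stat(m.BackupPath); err == nil {
		return fmt.Errorf("backup %s already exists; refusing to overwrite it", m.BackupPath)
	} else if !os.IsNotExist(err) {
		return err
	}
	if err := copyFile(m.ConfigPath, m.BackupPath); err != nil {
		return fmt.Errorf("backing up config: %w", err)
	}
	if err := os.WriteFile(m.ConfigPath, []byte(gvisorConfig), 0o644); err != nil {
		return fmt.Errorf("writing gvisor config: %w", err)
	}
	return m.RestartContainerd()
}

// Disable restores the saved config.toml, removes the backup and restarts
// containerd. This is the work that runs when the pod receives SIGTERM.
func (m *Manager) Disable() error {
	if err := copyFile(m.BackupPath, m.ConfigPath); err != nil {
		return fmt.Errorf("restoring config: %w", err)
	}
	if err := os.Remove(m.BackupPath); err != nil {
		return err
	}
	return m.RestartContainerd()
}

// Run enables gVisor, blocks until a signal arrives on sigs (kubelet sends
// SIGTERM when the addon manager deletes the pod), reverts, and returns the
// process exit code: 0 on a clean revert, 1 on any failure.
func (m *Manager) Run(sigs <-chan os.Signal) int {
	if err := m.Enable(); err != nil {
		fmt.Fprintln(os.Stderr, "enable:", err)
		return 1
	}
	<-sigs
	if err := m.Disable(); err != nil {
		fmt.Fprintln(os.Stderr, "disable:", err)
		return 1
	}
	return 0
}

func main() {
	m := &Manager{
		ConfigPath: "/etc/containerd/config.toml", // assumed node path
		BackupPath: "/tmp/config.toml",
		RestartContainerd: func() error {
			return exec.Command("systemctl", "restart", "containerd").Run() // assumed
		},
	}
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGTERM)
	os.Exit(m.Run(sigs))
}
```

The refusal to overwrite an existing backup is the detail worth keeping: if the pod crash-loops after a successful enable, a naive second enable would copy the already-rewritten config.toml over the backup and the original would be lost for good.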
47738c8 to ac963e2
@minikube-bot OK to test
When enabling gvisor, first validate that the container runtime is containerd.
Added integration test which follows these steps:
1. enable gvisor
2. make sure untrusted workload runs correctly
3. disable gvisor
4. make sure untrusted workload results in FailedCreateSandboxEvent event
I also added a link to the iso url for starting containerd until the integration tests start using the new version of the iso.
095bfc6 to 6e6020f
@minikube-bot OK to test
022122a to adf2b61
also remove extra logs
adf2b61 to 0e4a28c
@minikube-bot OK to test
@minikube-bot OK to test
@minikube-bot OK to test
TODO: