[k8s series] gVisor installation and containerd integration


author: ningan123
date: '2023-01-11 21:23'
updated: '2023-01-11 21:31'

Install

Installation instructions: the "Installation" page of the gVisor documentation

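  # Download the gVisor runtime (runsc) and its containerd shim for this
  # machine's architecture, verify the published SHA-512 checksums, and
  # install both binaries into /usr/local/bin.
  # Intended to be saved and run as a script: with -e, any failing step
  # (download error, checksum mismatch) stops before chmod/mv run, instead
  # of installing an unverified binary as the original line-by-line form could.
  set -euo pipefail
  ARCH=$(uname -m)
  # "latest" is a moving target; substitute a release tag for reproducible installs.
  URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
  wget "${URL}/runsc" "${URL}/runsc.sha512" \
    "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
  # The checksums are fetched from the same origin as the binaries, so this
  # catches corrupted or truncated downloads, not a compromised release server.
  # sha512sum exits non-zero on any mismatch, which aborts the script under -e.
  sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
  # Delete only the two checksum files fetched above, not every *.sha512 in the cwd.
  rm -f -- runsc.sha512 containerd-shim-runsc-v1.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv -- runsc containerd-shim-runsc-v1 /usr/local/bin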

Integrate with containerd

Create the RuntimeClass resource

root@node01:~# cat rc.yaml
# RuntimeClass that selects the gVisor runtime. Pods opt in by naming it in
# spec.runtimeClassName (see nginx-gvisor.yaml below).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: untrusted
# Must match the runtime table name configured in containerd:
# [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
handler: runsc
root@node01:~# kubectl apply -f rc.yaml
root@node01:~# kubectl get runtimeclass
NAME        HANDLER   AGE
untrusted   runsc     7m34s

Modify the containerd configuration file

Add the following section:

        # gVisor: https://gvisor.dev/
        # Registers the "runsc" runtime with containerd's CRI plugin. The table
        # name (runsc) must match the RuntimeClass `handler` value above.
        # containerd derives the shim binary name (containerd-shim-runsc-v1,
        # installed into /usr/local/bin earlier) from this runtime_type.
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
          runtime_type = "io.containerd.runsc.v1"

image.png

# restart containerd so the new runtime section is loaded
root@node01:~# systemctl restart containerd

Prepare pod's yaml file

root@node01:~# kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-gvisor
  name: nginx-gvisor
spec:
  containers:
  - image: nginx
    name: nginx-gvisor
    resources: {
    
    }
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {
    
    }

root@node01:~#  kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml > nginx-gvisor.yaml


## After minor edits, the final manifest is as follows
root@node01:~# cat nginx-gvisor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  # Run this pod under the RuntimeClass created in rc.yaml (handler: runsc),
  # i.e. in the gVisor sandbox instead of the node's default runtime.
  runtimeClassName: untrusted
  containers:
  # NOTE(review): the image has no tag or digest, so "latest" is pulled;
  # pin a tag/digest for a reproducible, auditable deployment.
  - image: nginx
    name: nginx-gvisor

root@node01:~# kubectl apply -f nginx-gvisor.yaml

root@node01:~# kubectl get pod
NAME           READY   STATUS    RESTARTS        AGE
nginx-gvisor   1/1     Running   0               8m3s

Done.

References

### Kubernetes: minimizing microservice vulnerabilities — integrating gVisor with containerd


Origin blog.csdn.net/weixin_42072280/article/details/128651329