author | Fabricio Voznika <fvoznika@google.com> | 2018-12-08 09:20:55 -0800
---|---|---
committer | Shentubot <shentubot@google.com> | 2018-12-08 09:21:48 -0800
commit | b89f9909d77c9b41adf15c032bf588c99fc4b7eb |
tree | 8e7f093d3bd05c4eff3eec4bae21186da9efcc84 |
parent | 9984138abee51d6145469f9298bfeb8a98589709 |
Update K8s support
Add pointers to Minikube and gvisor-containerd-shim.
PiperOrigin-RevId: 224654334
Change-Id: Icefefbe531e901fe4807ba81904de8b01baf8a15
README.md | 28
1 file changed, 12 insertions, 16 deletions
@@ -191,9 +191,9 @@ chmod a+x runsc sudo mv runsc /usr/local/bin ``` -### Configuring Docker +### Running with Docker -Next, configure Docker to use `runsc` by adding a runtime entry to your Docker +To use gVisor with Docker you must add `runsc` as a runtime to your Docker configuration (`/etc/docker/daemon.json`). You may have to create this file if it does not exist. Also, some Docker versions also require you to [specify the `storage-driver` field][docker-storage-driver]. @@ -229,20 +229,16 @@ Terminal support works too: docker run --runtime=runsc -it ubuntu /bin/bash ``` -### Kubernetes Support (Experimental) +### Running with Kubernetes -gVisor can run sandboxed containers in a Kubernetes cluster with cri-o, although -this is not recommended for production environments yet. Follow -[these instructions][cri-o-k8s] to run [cri-o][cri-o] on a node in a Kubernetes -cluster. Build `runsc` and put it on the node, and set it as the -`runtime_untrusted_workload` in `/etc/crio/crio.conf`. +gVisor can run sandboxed containers in a Kubernetes cluster with Minikube. After +the gVisor addon is enabled, pods with `io.kubernetes.cri.untrusted-workload` +set to true will execute with `runsc`. Follow [these instructions][minikube] to +enable gVisor addon. -Any Pod without the `io.kubernetes.cri-o.TrustedSandbox` annotation (or with the -annotation set to false) will be run with `runsc`. - -Currently, gVisor only supports Pods with a single container (not counting the -ever-present pause container). Support for multiple containers within a single -Pod is coming soon. +You can also setup Kubernetes node to use `gvisor-containerd-shim`. Pods with +`io.kubernetes.cri.untrusted-workload` annotation will execute with `runsc`. You +can find instructions [here][gvisor-containerd-shim]. ## Advanced Usage 
@@ -444,14 +440,14 @@ See [Contributing.md](CONTRIBUTING.md). [bazel]: https://bazel.build [bug]: https://github.com/google/gvisor/issues [checkpoint-restore]: https://gvisor.googlesource.com/gvisor/+/master/g3doc/checkpoint_restore.md -[cri-o-k8s]: https://github.com/kubernetes-incubator/cri-o/blob/master/kubernetes.md -[cri-o]: https://github.com/kubernetes-incubator/cri-o [docker-storage-driver]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-storage-driver [docker]: https://www.docker.com [git]: https://git-scm.com +[gvisor-containerd-shim]: https://github.com/google/gvisor-containerd-shim [gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security [gvisor-users-list]: https://groups.google.com/forum/#!forum/gvisor-users [kvm]: https://www.linux-kvm.org +[minikube]: https://github.com/kubernetes/minikube/blob/master/deploy/addons/gvisor/README.md [netstack]: https://github.com/google/netstack [oci]: https://www.opencontainers.org [python]: https://python.org |
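Review bot: in the first hunk (`### Running with Docker`), the unchanged context line `Also, some Docker versions also require you to` has a duplicated "also"; since the paragraph is already being reworded in this change, drop one of them, e.g. `Some Docker versions also require you to [specify the `storage-driver` field][docker-storage-driver].`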
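Review bot: in the second hunk (`### Running with Kubernetes`), the new text silently inverts the sandboxing default and should say so explicitly. The removed cri-o paragraph ran every pod with `runsc` unless it carried `io.kubernetes.cri-o.TrustedSandbox`; the new Minikube and `gvisor-containerd-shim` paragraphs run `runsc` only for pods with `io.kubernetes.cri.untrusted-workload` set to true, so pods without the annotation run with the node's default runtime. Add one sentence stating that sandboxing is now opt-in per pod, so operators do not assume cluster-wide isolation. The two new paragraphs also describe the annotation differently (`set to true` in the Minikube paragraph, bare `annotation` in the shim paragraph); use the same wording in both. The removed lines carried two caveats (`not recommended for production environments yet` and the single-container-per-pod limitation) that the replacement does not mention; either restate them or state that they no longer apply. Minor grammar: `setup Kubernetes node` should read `set up a Kubernetes node`, and `enable gVisor addon` should read `enable the gVisor addon`.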
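Review bot: in the third hunk (link definitions), deleting `[cri-o-k8s]` and `[cri-o]` matches the removed cri-o paragraph, but please confirm no other `[cri-o]`-style reference remains elsewhere in README.md, since a reference without a definition renders as literal bracketed text; the diffstat (one file, 12 insertions, 16 deletions) suggests the only users were the deleted lines. The two new definitions `[gvisor-containerd-shim]` and `[minikube]` are inserted in alphabetical order, which matches the existing convention of the list.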