Make dockershim support kata-containers #67009
Conversation
k8s-ci-robot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: miaoyq If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @Random-Liu |
Signed-off-by: Yanqiang Miao <[email protected]>
|
/retest |
|
/kind node @miaoyq Nice work! |
|
/cc @kubernetes/sig-node-pr-reviews |
k8s-ci-robot
added
the
sig/node
|
Sorry, but I don't think it's reasonable to expand upstream dockershim + Kata like this, as dockershim is not even a independent running CRI shim, this will not align with RuntimeClass proposal #67049 we are trying to push recently. In my mind, keeping dockershim as simple as specific for Docker, and use RuntimeClass to route request to another Kata shim (containerd, cri-o, frakti or DIY) sounds more reasonable. |
|
@resouer Thanks for sharing the new feature. |
make k8s(dockershim) to support selecting oci-runtime, and fixes the unit test failure. Signed-off-by: Yanqiang Miao <[email protected]>
|
/retest |
|
@miaoyq: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
I don't read through the RuntimeClass proposal. I'm not sure if there is still the issue this PR wants to fix even if we adopt RuntimeClass. If so, the fix is still needed :) |
This actually concerns me. I don't feel it's the right direction to use dockershim + Kata as I've mentioned, dockershim is not even a independent CRI implementation and is tightly coupled with kubelet code base, I'm afraid of shipping another temporary workaround will only make things worse ... Would like to know your thoughts, especially why not cri-containerd + Kata instead. |
@resouer |
|
/assign |
|
Making more changes to in-tree dockershim to support different types of runtimes defeats the purpose of creating CRI. I think in general, we should carefully examine new features being added to dockershim. In this case, I'd prefer not adding the support. |
|
Agree with @yujuhong . That said, we have discussed supporting RuntimeClass in dockershim. |
|
RuntimeClass is a new api in kubernetes & CRI, which makes it very different from extending dockershim to support various runtimes that we don't even have tests for :-) |
@tallclair It's a good news. That will do the same thing as this PR. |
|
@miaoyq: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
This PR contains 3 commits
return IP info when setting up network
cache Pod IP
Above two commits, mainly to obtain IP address of sandbox when cni pugin is called, and cache the sandbox IP locally.
Because the IP address that set by cni plugin will be removed from the veth device in network namespace by kata-runtime when creating the VM (in which containers will be created), if we use
kata-containersas the oci-runtime, This will cause dockershim to fail to get the pod IP through cni plugin. Just like this issue description incontainerd/cri. So, we should cache the pod IP.make k8s(dockershim) to support selecting oci-runtime
Add an annotation field in pod definition, so that dockershim can select the oci-runtime according to pod definition.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #67007
Special notes for your reviewer:
Release note: