This guide describes how to run Kata Containers with Kubernetes on StarlingX.
StarlingX has supported Kata Containers on master since January 2020, and the upcoming Release 4.0 will include it. Release 3.0 and earlier do not support it.
To support Kata Containers, pods are created by containerd instead of Docker. Also, containerd is configured to support both runc and Kata Containers, while the default runtime is still runc. If you want to launch a pod with Kata Containers, you must declare it explicitly.
Run Kata Containers in Kubernetes
There are two methods to run Kata Containers in Kubernetes: by runtime class or by annotation. Runtime class is supported in Kubernetes since v1.12.0, and it is the recommended method for running Kata Containers.
To run by runtime class, create a RuntimeClass with handler set to kata, then reference this class in the pod spec, as shown in the following example:
kind: RuntimeClass
apiVersion: node.k8s.io/v1
metadata:
  name: kata-containers
handler: kata
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox-runtime
spec:
  runtimeClassName: kata-containers
  containers:
  - name: busybox
    command:
    - sleep
    - "3600"
    image: busybox
To run a pod with Kata Containers by annotation, set io.kubernetes.cri.untrusted-workload to true in the annotations section of the pod spec.
This method is deprecated and may not be supported in future Kubernetes releases. We recommend using the RuntimeClass method.
Example of using the annotation:
apiVersion: v1
kind: Pod
metadata:
  name: busybox-untrusted
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: busybox
    command:
    - sleep
    - "3600"
    image: busybox
Kata configuration in containerd
No action is required from the end user. This section only shows the configuration in containerd that supports Kata Containers.
containerd's configuration file, /etc/containerd/config.toml, is customized to support Kata Containers.
For RuntimeClass, here is the configuration in config.toml:
[plugins.cri.containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
For annotation, here is the configuration in config.toml:
[plugins.cri.containerd.runtimes.untrusted]
  runtime_type = "io.containerd.kata.v2"
In this example, io.containerd.kata.v2 helps Kubernetes to launch pods and OCI-compatible containers with one shim per pod.
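As an added example (not StarlingX's or the Kata project's own code), the following Python audits which pod manifests actually land on the Kata shim, resolving the RuntimeClass-to-handler mapping from the RuntimeClass example above and the handler-to-runtime_type mapping from the containerd config above. The sample manifests, the embedded config text and the extra "plain" RuntimeClass are constructed for the example.

```python
import re

KATA_SHIM = "io.containerd.kata.v2"
UNTRUSTED_ANNOTATION = "io.kubernetes.cri.untrusted-workload"

# Constructed sample of the two runtime sections shown on this page.
CONTAINERD_CONFIG = """
[plugins.cri.containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
[plugins.cri.containerd.runtimes.untrusted]
  runtime_type = "io.containerd.kata.v2"
"""
# RuntimeClass objects as {name: handler}; "kata-containers" is the one from this page.
RUNTIME_CLASSES = {"kata-containers": "kata", "plain": "runc"}
# Constructed pod manifests: the two from this page and one selecting nothing.
SAMPLE_PODS = [
    {"metadata": {"name": "busybox-runtime"},
     "spec": {"runtimeClassName": "kata-containers"}},
    {"metadata": {"name": "busybox-untrusted",
                  "annotations": {UNTRUSTED_ANNOTATION: "true"}}, "spec": {}},
    {"metadata": {"name": "busybox-plain"}, "spec": {}},
]

def containerd_runtimes(config_text):
    """Map each CRI runtime handler name to its runtime_type (minimal TOML scan)."""
    pattern = r'\[plugins\.cri\.containerd\.runtimes\.(\w+)\]\s*runtime_type\s*=\s*"([^"]+)"'
    return dict(re.findall(pattern, config_text))

def kata_method(pod, runtime_classes, runtimes):
    """Return 'runtimeclass', 'annotation' or None according to how (if at all)
    the pod ends up on a containerd handler whose runtime_type is the Kata shim."""
    rc_name = pod.get("spec", {}).get("runtimeClassName")
    if rc_name is not None:
        handler = runtime_classes.get(rc_name)  # unknown class -> None -> not Kata
        return "runtimeclass" if runtimes.get(handler) == KATA_SHIM else None
    annotations = pod.get("metadata", {}).get("annotations", {})
    if str(annotations.get(UNTRUSTED_ANNOTATION, "")).lower() == "true":
        return "annotation" if runtimes.get("untrusted") == KATA_SHIM else None
    return None

def audit(pods, runtime_classes, runtimes):
    """Return {pod name: finding} for every pod not on Kata via a RuntimeClass:
    'annotation' marks the deprecated path, 'runc' means no Kata isolation at all."""
    report = {}
    for pod in pods:
        method = kata_method(pod, runtime_classes, runtimes)
        if method != "runtimeclass":
            report[pod["metadata"]["name"]] = method or "runc"
    return report
```

Running audit(SAMPLE_PODS, RUNTIME_CLASSES, containerd_runtimes(CONTAINERD_CONFIG)) flags busybox-untrusted for the deprecated annotation path and busybox-plain for having no Kata isolation.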
Check Kata Containers use
Here are two ways to check whether a pod is running with Kata Containers:
Run uname -a in both the container and on the host. The host kernel version should be 4.18.0, while the container kernel version should be 4.19 or higher. For a normal container, the container kernel version is the same as the host's.
Run ps aux on the host. A normal container is started by containerd-shim-runc-v1, while a Kata Container is started by containerd-shim-kata-v2.
For technical details about how Kata Containers is implemented on StarlingX, refer to:
Kata Containers is supported for Kubernetes only, since Kubernetes is the only supported container orchestration tool in StarlingX. Kata Containers support for Docker is not implemented in StarlingX. The Docker runtime may also be removed in future releases of StarlingX, since all containers in StarlingX are run by Kubernetes at this time.
To try Kata Containers with Docker in StarlingX, refer to this link: https://github.com/kata-containers/documentation/blob/master/install/docker/centos-docker-install.md
To support Kata Containers, the CRI runtime in Kubernetes was switched from Docker to containerd. This means you cannot view or operate a Kubernetes container with the Docker client. You must use crictl instead, which supports commands similar to the Docker commands. There is no difference in kubectl commands before and after the switch to containerd.
More information is available at:
Kata Containers: https://katacontainers.io/
Kubernetes RuntimeClass: https://kubernetes.io/docs/concepts/containers/runtime-class/