# CRI-O

[CRI-O] is a lightweight container runtime for Kubernetes.
Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.

* Kubernetes supports CRI-O on v1.11.1 or later.
* etcd: configure either kubeadm managed etcd or host deployment

_To use the CRI-O container runtime set the following variables:_

## all/all.yml

```yaml
download_container: false
skip_downloads: false
```

## k8s_cluster/k8s_cluster.yml

```yaml
container_manager: crio
```

## all/crio.yml

Enable Docker Hub registry mirrors:

```yaml
crio_registries:
  - prefix: docker.io
    insecure: false
    blocked: false
    location: registry-1.docker.io
    mirrors:
      - location: 192.168.100.100:5000
        insecure: true
      - location: mirror.gcr.io
        insecure: false
```

[CRI-O]: https://cri-o.io/

The following enables insecure registries:

```yaml
crio_insecure_registries:
  - 10.0.0.2:5000
```

You can also configure authentication for these registries after `crio_insecure_registries`:

```yaml
crio_registry_auth:
  - registry: 10.0.0.2:5000
    username: user
    password: pass
```
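
The registry variables above interact: a registry or mirror marked insecure is reached without verified TLS, so any `crio_registry_auth` entry for it sends credentials over that same channel. The following check is an added example, not part of Kubespray; the function name `audit_crio_registry_vars` and the finding labels are assumptions, and the input is a plain dict holding the variables shown on this page.

```python
# Added example: audit Kubespray CRI-O registry variables for unprotected transport.
# Function name and finding labels are hypothetical; the dict keys are the
# variables shown on this page.

def audit_crio_registry_vars(cfg):
    """Return sorted (kind, location) findings for a dict of Kubespray vars."""
    findings = set()
    insecure = set(cfg.get("crio_insecure_registries") or [])
    for loc in insecure:
        findings.add(("insecure-registry", loc))

    for reg in cfg.get("crio_registries") or []:
        loc = reg.get("location") or reg.get("prefix")
        if reg.get("insecure"):
            insecure.add(loc)
            findings.add(("insecure-registry", loc))
        for mirror in reg.get("mirrors") or []:
            if mirror.get("insecure"):
                # Pulls for a secure upstream can still be served by this mirror.
                insecure.add(mirror["location"])
                findings.add(("insecure-mirror",
                              f"{mirror['location']} (mirror of {reg.get('prefix')})"))

    for auth in cfg.get("crio_registry_auth") or []:
        # Credentials configured for an endpoint that skips TLS verification.
        if auth.get("registry") in insecure:
            findings.add(("credentials-over-insecure-transport", auth["registry"]))
    return sorted(findings)


# Constructed sample: the values from this page's snippets combined.
SAMPLE = {
    "crio_registries": [{
        "prefix": "docker.io", "insecure": False, "blocked": False,
        "location": "registry-1.docker.io",
        "mirrors": [
            {"location": "192.168.100.100:5000", "insecure": True},
            {"location": "mirror.gcr.io", "insecure": False},
        ],
    }],
    "crio_insecure_registries": ["10.0.0.2:5000"],
    "crio_registry_auth": [
        {"registry": "10.0.0.2:5000", "username": "user", "password": "pass"},
    ],
}

if __name__ == "__main__":
    for kind, where in audit_crio_registry_vars(SAMPLE):
        print(f"{kind}: {where}")
```

In practice the dict would come from loading the inventory's `group_vars` files with a YAML parser.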

## Note about user namespaces

CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.

```yaml
crio_runtimes:
  - name: runc
    path: /usr/bin/runc
    type: oci
    root: /run/runc
    allowed_annotations:
    - "io.kubernetes.cri-o.userns-mode"

crio_remap_enable: true
```

The `allowed_annotations` setting configures `crio.conf` accordingly.

The `crio_remap_enable` setting configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.

## Optional: NRI

[Node Resource Interface](https://github.com/containerd/nri) (NRI) is disabled by default for CRI-O. If you
are using CRI-O version v1.26.0 or above, you can enable it with the
following configuration:

```yaml
nri_enabled: true
```