cri-o.md

      Refactor NRI activation for containerd and CRI-O (#10470) · 1fd31ccc
      Feruzjon Muyassarov authored
      
      Refactor NRI (Node Resource Interface) activation in CRI-O and
      containerd. Introduce a shared variable, nri_enabled, to streamline
      the process. Currently, enabling NRI requires a separate update of
      defaults for each container runtime independently, without any
      verification of NRI support for the specific version of containerd
      or CRI-O in use.
      
      With this commit, the previous approach is replaced. Now, a single
      variable, nri_enabled, handles this functionality. Also, this commit
      separates the responsibility of verifying NRI supported versions of
      containerd and CRI-O from cluster administrators, and leaves it to
      Ansible.
      
      Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>

    CRI-O

    CRI-O is a lightweight container runtime for Kubernetes. Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.

    • Kubernetes supports CRI-O on v1.11.1 or later.
    • etcd: configure either kubeadm-managed etcd or a host deployment

    To use the CRI-O container runtime, set the following variables:

    all/all.yml

    download_container: false
    skip_downloads: false
    etcd_deployment_type: host # optionally kubeadm

    k8s_cluster/k8s_cluster.yml

    container_manager: crio

    all/crio.yml

    Enable Docker Hub registry mirrors

    crio_registries:
      - prefix: docker.io
        insecure: false
        blocked: false
        location: registry-1.docker.io
        unqualified: false
        mirrors:
          - location: 192.168.100.100:5000
            insecure: true
          - location: mirror.gcr.io
            insecure: false

    Note about user namespaces

    CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.

    crio_runtimes:
      - name: runc
        path: /usr/bin/runc
        type: oci
        root: /run/runc
        allowed_annotations:
        - "io.kubernetes.cri-o.userns-mode"
    
    crio_remap_enable: true

    The allowed_annotations configures crio.conf accordingly.

    The crio_remap_enable configures the /etc/subuid and /etc/subgid files to add an entry for the containers user. By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
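
The reservation described above can be checked on a node after deployment. This added example (not part of the Kubespray documentation or code) parses `/etc/subuid`-format text, which `/etc/subgid` shares, and reports whether the `containers` entry has the 256 * 65536 length stated above and whether it overlaps another user's range. The sample file content, its start offsets and the other user names are constructed.

```python
POD_RANGE = 65536               # uids/gids per pod (figure from the page)
EXPECTED_LEN = 256 * POD_RANGE  # 16M reserved in total (figure from the page)

# Constructed sample content; user names and start offsets are assumptions.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
containers:2130706432:16777216
"""


def parse_subid(text):
    """Parse 'name:start:count' lines into (name, start, count) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries.append((parts[0], int(parts[1]), int(parts[2])))
    return entries


def audit(text, user="containers"):
    """Return a list of findings for the remap user's subordinate ID range."""
    entries = parse_subid(text)
    mine = [e for e in entries if e[0] == user]
    if not mine:
        return [f"no entry for {user!r}"]
    findings = []
    for _, start, count in mine:
        if count != EXPECTED_LEN:
            findings.append(f"{user}: {count} ids reserved, expected "
                            f"{EXPECTED_LEN} (room for {count // POD_RANGE} pods)")
        for other, o_start, o_count in entries:
            # Half-open ranges overlap when each starts before the other ends.
            if other != user and start < o_start + o_count and o_start < start + count:
                findings.append(
                    f"{user} range overlaps {other} at {max(start, o_start)}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_SUBUID) or "ok")
```

An overlap finding means two accounts can map containers onto the same host uids, which defeats the isolation that user namespaces are meant to provide.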

    Optional: NRI

    Node Resource Interface (NRI) is disabled by default for CRI-O. If you are using CRI-O version v1.26.0 or above, you can enable it with the following configuration:

    nri_enabled: true