    Refactor NRI activation for containerd and CRI-O (#10470) · 1fd31ccc
    Feruzjon Muyassarov authored
    
    Refactor NRI (Node Resource Interface) activation in CRI-O and
    containerd. Introduce a shared variable, nri_enabled, to streamline
    the process. Currently, enabling NRI requires a separate update of
    defaults for each container runtime independently, without any
    verification of NRI support for the specific version of containerd
    or CRI-O in use.
    
    With this commit, the previous approach is replaced. Now, a single
    variable, nri_enabled, handles this functionality. Also, this commit
    separates the responsibility of verifying NRI supported versions of
    containerd and CRI-O from cluster administrators, and leaves it to
    Ansible.
    
    Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>

CRI-O

CRI-O is a lightweight container runtime for Kubernetes. Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.

  • Kubernetes supports CRI-O on v1.11.1 or later.
  • etcd: configure either kubeadm-managed etcd or host deployment

To use the CRI-O container runtime, set the following variables:

all/all.yml

download_container: false
skip_downloads: false
etcd_deployment_type: host # optionally kubeadm

k8s_cluster/k8s_cluster.yml

container_manager: crio

all/crio.yml

Enable Docker Hub registry mirrors

crio_registries:
  - prefix: docker.io
    insecure: false
    blocked: false
    location: registry-1.docker.io
    unqualified: false
    mirrors:
      - location: 192.168.100.100:5000
        insecure: true
      - location: mirror.gcr.io
        insecure: false

Note about user namespaces

CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.

crio_runtimes:
  - name: runc
    path: /usr/bin/runc
    type: oci
    root: /run/runc
    allowed_annotations:
    - "io.kubernetes.cri-o.userns-mode"

crio_remap_enable: true

The allowed_annotations list is written to crio.conf, so that CRI-O honours the io.kubernetes.cri-o.userns-mode annotation for that runtime.

Setting crio_remap_enable adds an entry for the containers user to the /etc/subuid and /etc/subgid files. By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
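A check for the reservation described above, as an added example that is not part of Kubespray: it parses /etc/subuid-format content and reports whether the containers user has the full 256 * 65536 ids and whether its range overlaps another user's subordinate range. The function names, the sample file content and the start value in it are constructed for illustration.

```python
"""Check /etc/subuid-style content for the user-namespace range described above."""

POD_IDS = 65536                # uids/gids per pod, from the text above
MAX_PODS = 256                 # pods covered by the default reservation
REQUIRED = MAX_PODS * POD_IDS  # 16,777,216 ("16M")

# Constructed sample content in /etc/subuid format: name:start:count
SAMPLE_SUBUID = """\
alice:100000:65536
containers:2130706432:16777216
"""


def parse_subid(text):
    """Return a list of (name, start, count) from subuid/subgid content."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not (parts[1].isdecimal() and parts[2].isdecimal()):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries.append((parts[0], int(parts[1]), int(parts[2])))
    return entries


def check_remap(text, user="containers", required=REQUIRED):
    """Return a list of findings; an empty list means the range is usable."""
    entries = parse_subid(text)
    mine = [e for e in entries if e[0] == user]
    if not mine:
        return [f"no entry for user {user!r}"]
    findings = []
    if sum(count for _, _, count in mine) < required:
        findings.append(f"{user!r} has fewer than {required} ids ({MAX_PODS} pods)")
    for _, start, count in mine:
        for name, ostart, ocount in entries:
            # [start, start+count) overlaps when each range begins before the other ends.
            if name != user and start < ostart + ocount and ostart < start + count:
                findings.append(f"range {start}+{count} overlaps {name!r} ({ostart}+{ocount})")
    return findings


if __name__ == "__main__":
    for finding in check_remap(SAMPLE_SUBUID) or ["ok"]:
        print(finding)
```

Run the same check against /etc/subgid, which uses the same format.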

Optional: NRI

Node Resource Interface (NRI) is disabled by default for CRI-O. If you are using CRI-O version v1.26.0 or above, you can enable it with the following configuration:

nri_enabled: true