Mike Brown
@@ -3,7 +3,7 @@ This document provides the description of the CRI plugin configuration.
|
||||
The CRI plugin config is part of the containerd config (default
|
||||
path: `/etc/containerd/config.toml`).
|
||||
|
||||
See [here](https://github.com/containerd/containerd/blob/master/docs/ops.md)
|
||||
See [here](https://github.com/containerd/containerd/blob/main/docs/ops.md)
|
||||
for more information about containerd config.
|
||||
|
||||
The explanation and default value of each configuration item are as follows:
|
||||
@@ -102,7 +102,7 @@ version = 2
|
||||
# default unset profile will map to `unconfined`)
|
||||
# Note: The default unset seccomp profile should not be confused with the seccomp profile
|
||||
# used in CRI when the runtime default seccomp profile is requested. In the later case, the
|
||||
# default is set by the following code (https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go).
|
||||
# default is set by the following code (https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go).
|
||||
# To summarize, there are two different seccomp defaults, the unset default used when the CRI request is
|
||||
# set to nil or `unconfined`, and the default used when the runtime default seccomp profile is requested.
|
||||
unset_seccomp_profile = ""
|
||||
@@ -244,7 +244,7 @@ version = 2
|
||||
[plugins."io.containerd.grpc.v1.cri".image_decryption]
|
||||
# key_model defines the name of the key model used for how the cri obtains
|
||||
# keys used for decryption of encrypted container images.
|
||||
# The [decryption document](https://github.com/containerd/cri/blob/master/docs/decryption.md)
|
||||
# The [decryption document](https://github.com/containerd/containerd/blob/main/docs/cri/decryption.md)
|
||||
# contains additional information about the key models available.
|
||||
#
|
||||
# Set of available string options: {"", "node"}
|
||||
@@ -252,12 +252,12 @@ version = 2
|
||||
# disabling image decryption.
|
||||
#
|
||||
# In order to use the decryption feature, additional configurations must be made.
|
||||
# The [decryption document](https://github.com/containerd/cri/blob/master/docs/decryption.md)
|
||||
# The [decryption document](https://github.com/containerd/containerd/blob/main/docs/cri/decryption.md)
|
||||
# provides information of how to set up stream processors and the containerd imgcrypt decoder
|
||||
# with the appropriate key models.
|
||||
#
|
||||
# Additional information:
|
||||
# * Stream processors: https://github.com/containerd/containerd/blob/master/docs/stream_processors.md
|
||||
# * Stream processors: https://github.com/containerd/containerd/blob/main/docs/stream_processors.md
|
||||
# * Containerd imgcrypt: https://github.com/containerd/imgcrypt
|
||||
key_model = "node"
|
||||
|
||||
|
||||
@@ -40,6 +40,6 @@ version = 2
|
||||
```
|
||||
|
||||
In this example, container image decryption is set to use the "node" key model.
|
||||
In addition, the decryption [`stream_processors`](https://github.com/containerd/containerd/blob/master/docs/stream_processors.md) are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node.
|
||||
In addition, the decryption [`stream_processors`](https://github.com/containerd/containerd/blob/main/docs/stream_processors.md) are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node.
|
||||
|
||||
The `$OCICRYPT_KEYPROVIDER_CONFIG` environment variable is used for [ocicrypt keyprovider protocol](https://github.com/containers/ocicrypt/blob/main/docs/keyprovider.md).
|
||||
|
||||
@@ -23,7 +23,7 @@ Containerd is one potential alternative to Docker as the runtime for Kubernetes
|
||||
### Cons
|
||||
* **User Adoption**:
|
||||
* Ideally, Kubernetes users don't interact with the underlying container runtime directly. However, for the lack of debug toolkits, sometimes users still need to login the node to debug with Docker CLI directly.
|
||||
* Containerd provides barebone CLIs [ctr](https://github.com/containerd/containerd/tree/master/cmd/ctr) and [dist](https://github.com/containerd/containerd/tree/master/cmd/dist) for development and debugging purpose, but they may not be sufficient and necessary. Additionally, presuming these are sufficient and necessary tools, a plan and time would be needed to sufficiently document these CLIs and educate users in their use.
|
||||
* Containerd provides barebone CLIs [ctr](https://github.com/containerd/containerd/tree/main/cmd/ctr) and [dist](https://github.com/containerd/containerd/tree/main/cmd/dist) for development and debugging purpose, but they may not be sufficient and necessary. Additionally, presuming these are sufficient and necessary tools, a plan and time would be needed to sufficiently document these CLIs and educate users in their use.
|
||||
* **Maturity**: The rescoped containerd is pretty new, and it's still under heavy development.
|
||||
## Goals
|
||||
* Make sure containerd meets the requirement of Kubernetes, now and into the foreseeable future.
|
||||
@@ -64,7 +64,7 @@ CRI-containerd should:
|
||||
* Call [network plugin](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/network/plugins.go) to update the options of the network namespace;
|
||||
* Let the user containers in the same sandbox share the network namespace.
|
||||
### Container Metrics
|
||||
Containerd provides [container cgroup metrics](https://github.com/containerd/containerd/blob/master/reports/2017-03-17.md#metrics), and plans to provide [container writable layer disk usage](https://github.com/containerd/containerd/issues/678).
|
||||
Containerd provides [container cgroup metrics](https://github.com/containerd/containerd/blob/main/reports/2017-03-17.md#metrics), and plans to provide [container writable layer disk usage](https://github.com/containerd/containerd/issues/678).
|
||||
|
||||
CRI container metrics api needs to be defined ([#27097](https://github.com/kubernetes/kubernetes/issues/27097)). After that, CRI-containerd should translate containerd container metrics into CRI container metrics.
|
||||
### Image Management
|
||||
@@ -77,7 +77,7 @@ CRI image filesystem metrics needs to be defined ([#33048](https://github.com/ku
|
||||
### Out of Scope
|
||||
Following items are out of the scope of this design, we may address them in future version as enhancement or optimization.
|
||||
* **Debuggability**: One of the biggest concern of CRI-containerd is debuggability. We should provide equivalent debuggability with Docker CLI through `kubectl`, [`cri-tools`](https://github.com/kubernetes-sigs/cri-tools) or containerd CLI.
|
||||
* **Built-in CRI support**: The [plugin model](https://github.com/containerd/containerd/blob/master/design/plugins.md) provided by containerd makes it possible to directly build CRI support into containerd as a plugin, which will eliminate one more hop from the stack. But because of the [limitation of golang plugin](https://github.com/containerd/containerd/issues/563), we have to either maintain our own branch or push CRI plugin upstream.
|
||||
* **Built-in CRI support**: The [plugin model](https://github.com/containerd/containerd/blob/main/design/plugins.md) provided by containerd makes it possible to directly build CRI support into containerd as a plugin, which will eliminate one more hop from the stack. But because of the [limitation of golang plugin](https://github.com/containerd/containerd/issues/563), we have to either maintain our own branch or push CRI plugin upstream.
|
||||
* **Seccomp**: ([#36997](https://github.com/kubernetes/kubernetes/issues/36997)) Seccomp is supported in OCI runtime spec. However, current seccomp implementation in Kubernetes is experimental and docker specific, the api needs to be defined in CRI first before CRI-containerd implements it.
|
||||
* **Streaming server authentication**: ([#36666](https://github.com/kubernetes/kubernetes/issues/36666)) CRI-containerd will be out-of-process with Kubelet, so it could not reuse Kubelet authentication. Its streaming server should implement its own authentication mechanism.
|
||||
* **Move container facilities into pod cgroup**: Container facilities including container image puller, container streaming handler, log handler and containerd-shim serve a specific container. They should be moved to the corresponding pod cgroup, and the overhead introduced by them should be charged to the pod.
|
||||
|
||||
@@ -101,7 +101,7 @@ OPTIONS:
|
||||
|
||||
Although we have deprecated the old CRI config pattern for specifying registry.mirrors
|
||||
and registry.configs you can still specify your credentials via
|
||||
[CRI config](https://github.com/containerd/containerd/blob/master/docs/cri/registry.md#configure-registry-credentials).
|
||||
[CRI config](https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials).
|
||||
|
||||
Additionally, the containerd CRI plugin implements/supports the authentication parameters passed in through CRI pull image service requests.
|
||||
For example, when containerd is the container runtime implementation for `Kubernetes`, the containerd CRI plugin receives
|
||||
|
||||
Reference in New Issue
Block a user