Closed CodeClinch closed 5 years ago
According to the documentation, containerd (container runtime on the host) needs to be restarted to install the gVisor shim.
This seems hard to accomplish when a cluster is already running. Especially when triggering the restart from within a container. gVisor installation is done best when the host is provisioned.
Description
You can also set up Kubernetes nodes to run pods in gVisor using the containerd CRI runtime and the gvisor-containerd-shim. Pods with the io.kubernetes.cri.untrusted-workload annotation will execute with runsc. You can find instructions here. If the karydia feature is switched on, this behavior should be the default. It should be possible to switch it off for a selected namespace.
User Story
As an administrator, I would like to switch on gVisor for my Kubernetes cluster and all selected pods (cluster default, exceptions on namespace and pod level).
Implementation idea
Add the annotation "io.kubernetes.cri.untrusted-workload" to all pods if the feature is enabled for the assigned namespace and the pod has not been excluded.
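The decision logic in the implementation idea, written out as an added example in Go (not karydia's own code): a mutating admission webhook would run this per pod and return the resulting JSON Patch in its AdmissionResponse. The namespace switch `karydia.example/gvisor` and the pod-level opt-out `karydia.example/gvisor-exclude` are assumed annotation names, not ones from the issue; only `io.kubernetes.cri.untrusted-workload` comes from the text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const (
	// Annotation named in the issue; containerd runs such pods with runsc.
	untrustedWorkloadAnnotation = "io.kubernetes.cri.untrusted-workload"
	// Assumed names for this example: per-namespace switch and per-pod opt-out.
	nsFeatureAnnotation  = "karydia.example/gvisor"
	podExcludeAnnotation = "karydia.example/gvisor-exclude"
)

// patchOp is one RFC 6902 JSON Patch operation, the form a mutating
// admission webhook returns in AdmissionResponse.patch.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// JSON Pointer escaping for map keys used in a patch path: "~" -> "~0", "/" -> "~1".
var pointerEscaper = strings.NewReplacer("~", "~0", "/", "~1")

// gvisorEnabled resolves the cluster default against an explicit namespace setting.
func gvisorEnabled(clusterDefault bool, nsAnnotations map[string]string) bool {
	if v, ok := nsAnnotations[nsFeatureAnnotation]; ok {
		return v == "true"
	}
	return clusterDefault
}

// mutatePod returns the patch that adds the gVisor annotation, or nil when the
// pod should be left alone (feature off for the namespace, pod excluded, or the
// annotation already present).
func mutatePod(clusterDefault bool, nsAnnotations, podAnnotations map[string]string) []patchOp {
	if !gvisorEnabled(clusterDefault, nsAnnotations) {
		return nil
	}
	if podAnnotations[podExcludeAnnotation] == "true" {
		return nil
	}
	if podAnnotations[untrustedWorkloadAnnotation] == "true" {
		return nil
	}
	if len(podAnnotations) == 0 {
		// No annotations map yet: "add" on a missing map key would fail, so create the map.
		return []patchOp{{Op: "add", Path: "/metadata/annotations",
			Value: map[string]string{untrustedWorkloadAnnotation: "true"}}}
	}
	return []patchOp{{Op: "add",
		Path:  "/metadata/annotations/" + pointerEscaper.Replace(untrustedWorkloadAnnotation),
		Value: "true"}}
}

// patchJSON serialises the operations as the webhook would; "" means no patch.
func patchJSON(ops []patchOp) (string, error) {
	if ops == nil {
		return "", nil
	}
	b, err := json.Marshal(ops)
	return string(b), err
}

func main() {
	// Constructed sample: cluster default on, namespace silent, pod already labelled.
	ops := mutatePod(true, nil, map[string]string{"app": "web"})
	s, _ := patchJSON(ops)
	fmt.Println(s)
	// Constructed sample: namespace switched off, nothing to patch.
	ops = mutatePod(true, map[string]string{nsFeatureAnnotation: "false"}, nil)
	fmt.Printf("%q\n", ops)
}
```

The two patch shapes matter in practice: an `add` with a path below `/metadata/annotations` is rejected by the API server when the pod has no annotations map at all, so the first operation has to create the map. Newer containerd and Kubernetes releases select the sandbox through RuntimeClass instead of this annotation; the namespace and pod decision logic stays the same, only the field the patch sets changes.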