lockc-project / lockc

Making containers more secure with eBPF and Linux Security Modules (LSM)
https://lockc-project.github.io/
Apache License 2.0
218 stars, 19 forks

Deploy lockc as a DaemonSet #91

Closed vadorovsky closed 2 years ago

vadorovsky commented 3 years ago

This PR is not fully functional yet, just showing progress

This change makes lockc deployable on Kubernetes by simply doing

kubectl apply -f contrib/kubernetes/lockc.yaml

That way:

Container images can be built with:

./scripts/container-build.sh

or also pushed with:

LOCKC_PUSH=true ./scripts/container-build.sh

Signed-off-by: Michal Rostecki mrostecki@opensuse.org

vadorovsky commented 3 years ago

The issue I have with this PR is pods failing with:

opensuse@lockc-control-plane-0:/usr/local/src/lockc/examples/kubernetes> kubectl describe pod nginx-default-5c4d987847-8n4mq
Name:           nginx-default-5c4d987847-8n4mq
Namespace:      default
Priority:       0
Node:           lockc-control-plane-0/10.16.0.199
Start Time:     Wed, 03 Nov 2021 12:52:46 +0000
Labels:         app=nginx-default
                pod-template-hash=5c4d987847
Annotations:    <none>
Status:         Pending
IP:             
IPs:            <none>
Controlled By:  ReplicaSet/nginx-default-5c4d987847
Containers:
  nginx:
    Container ID:   
    Image:          nginx:1.14.2
    Image ID:       
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-8xrhw (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-8xrhw:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age   From               Message
  ----     ------                  ----  ----               -------
  Normal   Scheduled               19s   default-scheduler  Successfully assigned default/nginx-default-5c4d987847-8n4mq to lockc-control-plane-0
  Warning  FailedCreatePodSandBox  18s   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim: failed to retrieve OCI runtime container pid: open /run/containerd/io.containerd.runtime.v2.task/k8s.io/36ee18ba4ce6a00fa5693ba52ca06094334d7ee36f918eab0d21b9d61c2cd651/init.pid: no such file or directory: unknown
  Warning  FailedCreatePodSandBox  6s    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim: failed to retrieve OCI runtime container pid: open /run/containerd/io.containerd.runtime.v2.task/k8s.io/1acc3f1e827b04fa99dd907f5180c5ca4f65344e43261abda0effa86b0a72e3c/init.pid: no such file or directory: unknown

I've never seen this error before, when I was using lockc-runc-wrapper as the default runtime. This occurs only when using lockc-runc-wrapper as a secondary runtime with a RuntimeClass.
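For readers unfamiliar with the "secondary runtime" setup the comment above refers to, here is the shape of the wiring involved. This is an added illustration, not the manifest from this PR or from the lockc project: the containerd config is delivered as a ConfigMap (as the thread mentions), a RuntimeClass maps a Kubernetes handler name to that containerd runtime entry, and a workload opts in via `runtimeClassName`. The handler name `lockc`, the binary path `/usr/local/bin/lockc-runc-wrapper`, the namespace and the ConfigMap name are assumptions chosen for the example; the containerd keys (`runtime_type`, `BinaryName`) and the `node.k8s.io/v1` RuntimeClass API are standard.

```yaml
# Added example, not part of the lockc PR. Names marked "assumed" are placeholders.
---
# 1. containerd config shipped as a ConfigMap (the DaemonSet would mount this
#    onto the node; the mount itself is omitted here). Registers a second
#    runtime handler, "lockc", that is runc.v2-compatible but execs the
#    wrapper binary instead of plain runc.
apiVersion: v1
kind: ConfigMap
metadata:
  name: containerd-config          # assumed name
  namespace: lockc                 # assumed namespace
data:
  config.toml: |
    version = 2
    [plugins."io.containerd.grpc.v1.cri".containerd]
      # default_runtime_name stays "runc"; lockc is opt-in per pod
      default_runtime_name = "runc"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
        runtime_type = "io.containerd.runc.v2"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.lockc]
        runtime_type = "io.containerd.runc.v2"
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.lockc.options]
          BinaryName = "/usr/local/bin/lockc-runc-wrapper"   # assumed path
---
# 2. RuntimeClass: the Kubernetes-side name that pods reference. "handler"
#    must match the containerd runtimes.<name> key above.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: lockc
handler: lockc
---
# 3. A workload that opts in. Only pods with runtimeClassName: lockc go
#    through the wrapper; everything else keeps using runc.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-default
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-default
  template:
    metadata:
      labels:
        app: nginx-default
    spec:
      runtimeClassName: lockc
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
```

When a pod with `runtimeClassName` set fails at the sandbox stage, `kubectl describe pod` shows a `FailedCreatePodSandBox` event from the kubelet like the one quoted above; the handler name in the RuntimeClass and the `runtimes.<name>` key in containerd are the first two things to compare, since a mismatch there fails before the wrapper is ever executed.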

vadorovsky commented 3 years ago

OK, the same issue appears when I'm putting lockc-runc-wrapper as the main runtime in the containerd config (in the ConfigMap). Weird.

vadorovsky commented 3 years ago

So the issue I mentioned actually occurs on main as well; created a bug: https://github.com/rancher-sandbox/lockc/issues/92

vadorovsky commented 2 years ago

Moved the content of this PR to #93