Parametrize RuntimeClass for Image flavor types

nre-learning / antidote-selfmedicate

Configs and scripts for spinning up a local instance of Antidote on your laptop for testing and lesson development

Apache License 2.0

12 stars 19 forks source link

Parametrize RuntimeClass for Image flavor types #80

Closed gbonnefille closed 3 years ago

gbonnefille commented 3 years ago

Preamble: kata container is not necessarily an option, depending on K8S implementation.

Currently, flavor type (trusted, untrusted, legacy) is described in images. And association between flavor and ContainerRuntime is hardcoded.

It could be more flexible if the antidote configuration allows to associate flavor and ContainerRuntime class. For example, for the current settings, I will configure as:

flavorLegacy: none
flavorTrusted: none
flavorUntrusted: "kata"

But for a simple deployment (k3d) I will configure as:

flavorLegacy: none
flavorTrusted: none
flavorUntrusted: none

As these settings are related to Kubernetes backend, perhaps should it be placed in a dedicated tree. For example:

backends:
  kubernetes:
    flavorLegacy: none
    flavorTrusted: none
    flavorUntrusted: "kata"

gbonnefille commented 3 years ago

Please, note that for my k3d deployement, I successfully configured the system with RuntimeClass object:

apiVersion: node.k8s.io/v1beta1  # RuntimeClass is defined in the node.k8s.io API group
kind: RuntimeClass
metadata:
  name: kata  # The name the RuntimeClass will be referenced by
  # RuntimeClass is a non-namespaced resource
handler: runc  # The name of the corresponding CRI configuration

But:

I don't know if such tweak is possible on any K8S implementation (Cf. https://v1-19.docs.kubernetes.io/docs/concepts/containers/runtime-class/#cri-configuration)
the hardcoded reference to "kata" seems disturbing as people can decide to configure in other ways

An other approach can be to remove any specific code the Legacy, Trusted and Untrusted and simply systematically pass the flavor value as runtime-class and let the K8S admin to create RuntimeClass objects to properly handle these situations. But such approach requires that it is always possible to configure the CRI.

Mierdin commented 3 years ago

Thanks, but at this time we're not looking to support multiple runtimeclass implementations.

gbonnefille commented 3 years ago

Please, note that, currently, antidote-core handle two RuntimeClass: the default one and the "kata". But if "kata" is not supported by K8S implementation, most of the lesson will not work.

As pointed, it is possible to deal with this by declaring a RuntimeClass named "kata" and using the default handler, but it is quite weird. Having the hability to change the RuntimeClass used by flavorUntrusted could be more cleaner.