mirrors/talos-extensions
1
0
Fork 0
mirror of https://github.com/siderolabs/extensions.git synced 2025-08-06 14:27:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
main
talos-extensions/container-runtime/gvisor/README.md
Tobias Bradtke 5f4947e28a
docs: fix link to kspp page 
Update README.

Signed-off-by: Tobias Bradtke <webwurst@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-08-14 14:58:25 +04:00

1.5 KiB
Raw Permalink Blame History

gVisor extension

Installation

See Installing Extensions.

Usage

gVisor requires unprivileged user namespace creation, so Talos default setting should be overridden:

machine:
  sysctls:
    user.max_user_namespaces: "11255"

Warning! This disables KSPP best practices setting.

Testing

default

Apply the following manifest to run nginx pod via gVisor:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

With platform KVM (requires nested virtualization or bare-metal)

Apply the following manifest to run nginx pod via gVisor with kvm platform:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc-kvm
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

Hint: You can run both runtime handlers in parallel by naming them different