【k8s系列】(202301) gvisor安装与containerd集成

安装

安装地址：Installation - gVisor

ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget ${URL}/runsc ${URL}/runsc.sha512 \
  ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 \
  -c containerd-shim-runsc-v1.sha512
rm -f *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin

与containerd集成

下发runtimeclass资源

root@node01:~# cat rc.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: untrusted
handler: runsc
root@node01:~# kubectl apply -f rc.yaml
root@node01:~# kubectl get runtimeclass
NAME        HANDLER   AGE
untrusted   runsc     7m34s

修改containerd配置文件

vim /etc/containerd/config.toml

增加

# gVisor: https://gvisor.dev/
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"

# 重启containerd
root@node01:~# systemctl restart containerd

准备pod的yaml文件

root@node01:~# kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-gvisor
  name: nginx-gvisor
spec:
  containers:
  - image: nginx
    name: nginx-gvisor
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

root@node01:~#  kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml > nginx-gvisor.yaml


## 稍加修改，最终如下
root@node01:~# cat nginx-gvisor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: untrusted
  containers:
  - image: nginx
    name: nginx-gvisor

root@node01:~# kubectl apply -f nginx-gvisor.yaml

root@node01:~# kubectl get pod
NAME           READY   STATUS    RESTARTS        AGE
nginx-gvisor   1/1     Running   0               8m3s

成了~

参考资料

### Kubernetes 最小化微服务漏洞 gVisor与Containerd集成