Merge pull request #983 from chavafg/topic/k8s-runtimeclass

k8s: Add runtimeclass configuration

Author: Julio Montes

.ci/configure_containerd_for_kata.sh

@@ -11,10 +11,22 @@ set -o pipefail
 
 crio_config_file="/etc/crio/crio.conf"
 
-echo "Configure runtimes for trusted/untrusted annotations"
-sudo sed -i 's/^#* *runtime =.*/runtime = "\/usr\/local\/bin\/crio-runc"/' "$crio_config_file"
-sudo sed -i 's/^default_runtime/# default_runtime/' "$crio_config_file"
-sudo sed -i 's/^#*runtime_untrusted_workload = ""/runtime_untrusted_workload = "\/usr\/local\/bin\/kata-runtime"/' "$crio_config_file"
-sudo sed -i 's/#*default_workload_trust = ""/default_workload_trust = "trusted"/' "$crio_config_file"
-
+# `use_runtime_class` should be set to:
+# - true if we will test using k8s RuntimeClass feature or
+# - false (default) if we will test using the old trusted/untrusted annotations.
+use_runtime_class=${use_runtime_class:-false}
 
+if [ "${use_runtime_class}"  == true ]; then
+	echo "Configure runtimes map for RuntimeClass feature"
+	echo "- Set runc as default runtime"
+	sudo sed -i 's!runtime_path =.*!runtime_path = "/usr/local/bin/crio-runc"!' "$crio_config_file"
+	echo "- Add kata-runtime to the runtimes map"
+	sudo sed -i '/crio-runc/a[crio.runtime.runtimes.kata]' "$crio_config_file"
+	sudo sed -i '/kata/aruntime_path = "/usr/local/bin/kata-runtime"' "$crio_config_file"
+else
+	echo "Configure runtimes for trusted/untrusted annotations"
+	sudo sed -i 's!^#* *runtime =.*!runtime = "/usr/local/bin/crio-runc"!' "$crio_config_file"
+	sudo sed -i 's!^default_runtime!# default_runtime!' "$crio_config_file"
+	sudo sed -i 's!^#*runtime_untrusted_workload = ""!runtime_untrusted_workload = "/usr/local/bin/kata-runtime"!' "$crio_config_file"
+	sudo sed -i 's!#*default_workload_trust = ""!default_workload_trust = "trusted"!' "$crio_config_file"
+fi

.ci/configure_crio_for_kata.sh

@@ -5,11 +5,18 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
-set -e
+set -o errexit
+set -o nounset
+set -o pipefail
 
 cidir=$(dirname "$0")
 source "${cidir}/lib.sh"
 
+# `use_runtime_class` should be set to:
+# - true if we will test using k8s RuntimeClass feature or
+# - false (default) if we will test using the old trusted/untrusted annotations.
+use_runtime_class=${use_runtime_class:-false}
+
 echo "Install Kubernetes components"
 
 cidir=$(dirname "$0")
@@ -27,3 +34,10 @@ EOF"
 curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 chronic sudo -E apt update
 chronic sudo -E apt install --allow-downgrades -y kubelet="$kubernetes_version" kubeadm="$kubernetes_version" kubectl="$kubernetes_version"
+
+if [ "${use_runtime_class}"  == true ]; then
+	kubelet_systemd_file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
+	feature_gate="--feature-gates RuntimeClass=true"
+	echo "Configure Kubelet service to enable RuntimeClass feature"
+	sudo sed -i "s/ExecStart=\/.*$/& $feature_gate/" "$kubelet_systemd_file"
+fi

.ci/install_kubernetes.sh

@@ -5,13 +5,18 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
-set -e
+set -o errexit
+set -o nounset
+set -o pipefail
+
 
 SCRIPT_PATH=$(dirname "$(readlink -f "$0")")
 source "${SCRIPT_PATH}/../../.ci/lib.sh"
 source "${SCRIPT_PATH}/../../lib/common.bash"
 
 cri_runtime="${CRI_RUNTIME:-crio}"
+use_runtime_class=${use_runtime_class:-false}
+kubernetes_version=$(get_version "externals.kubernetes.version")
 
 case "${cri_runtime}" in
 containerd)
@@ -46,6 +51,12 @@ kubeadm_config_file="$(mktemp --tmpdir kubeadm_config.XXXXXX.yaml)"
 
 sed -e "s|CRI_RUNTIME_SOCKET|${cri_runtime_socket}|" "${kubeadm_config_template}" > "${kubeadm_config_file}"
 
+if [ "${use_runtime_class}"  == true ]; then
+	echo "Add RuntimeClass feature for apiserver in kubeadm config file"
+	echo "apiServerExtraArgs:" >> "${kubeadm_config_file}"
+	echo "  feature-gates: RuntimeClass=true" >> "${kubeadm_config_file}"
+fi
+
 sudo -E kubeadm init --config "${kubeadm_config_file}"
 
 export KUBECONFIG=/etc/kubernetes/admin.conf
@@ -66,5 +77,14 @@ sleep_time=5
 cmd="sudo -E kubectl get pods --all-namespaces | grep 'coredns.*1/1.*Running'"
 waitForProcess "$dns_wait_time" "$sleep_time" "$cmd"
 
+if [ "${use_runtime_class}" == true ]; then
+	runtimeclass_files_path="${SCRIPT_PATH}/runtimeclass_workloads"
+	echo "Install RuntimeClass resource definition"
+	sudo -E kubectl apply -f \
+		"https://raw.githubusercontent.com/kubernetes/kubernetes/v${kubernetes_version/-*}/cluster/addons/runtimeclass/runtimeclass_crd.yaml"
+	echo "Create kata RuntimeClass resource"
+	sudo -E kubectl create -f "${runtimeclass_files_path}/kata-runtimeclass.yaml"
+fi
+
 # Enable the master node to be able to schedule pods.
 sudo -E kubectl taint nodes "$(hostname)" node-role.kubernetes.io/master:NoSchedule-

integration/kubernetes/init.sh

@@ -10,7 +10,12 @@ load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
 setup() {
 	export KUBECONFIG=/etc/kubernetes/admin.conf
 	pod_name="handlers"
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Running with postStart and preStop handlers" {

integration/kubernetes/k8s-attach-handlers.bats

@@ -17,7 +17,12 @@ setup() {
 	total_cpus=2
 	total_requests=512
 	total_cpu_container=1
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Check CPU constraints" {

integration/kubernetes/k8s-cpu-ns.bats

@@ -10,7 +10,12 @@ load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
 setup() {
 	export KUBECONFIG=/etc/kubernetes/admin.conf
 	pod_name="test-env"
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Environment variables" {

integration/kubernetes/k8s-env.bats

@@ -10,7 +10,12 @@ load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
 setup() {
 	export KUBECONFIG=/etc/kubernetes/admin.conf
 	pod_name="liveness-exec"
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Liveness probe" {

integration/kubernetes/k8s-liveness-probes.bats

@@ -10,7 +10,12 @@ load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
 setup() {
 	export KUBECONFIG=/etc/kubernetes/admin.conf
 	pod_name="memory-test"
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Exceeding memory constraints" {

integration/kubernetes/k8s-memory.bats

@@ -13,7 +13,12 @@ setup() {
 	pod_name="busybox"
 	first_container_name="first-test-container"
 	second_container_name="second-test-container"
-	pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
 }
 
 @test "Check PID namespaces" {