Task weight: 4%
Use context: kubectl config use-context workload-prod
Team purple wants to run some of their workloads more securely. Worker node cluster1-node2 has the container engine containerd already installed, and it is configured to support the runsc/gVisor runtime.
Create a RuntimeClass named gvisor with handler runsc.
Create a Pod that uses the RuntimeClass. The Pod should be in Namespace team-purple, named gvisor-test and of image nginx:1.19.2. Make sure the Pod runs on cluster1-node2.
Write the dmesg output of the successfully started Pod into /opt/course/10/gvisor-test-dmesg.
Solution
List the nodes, then log in to the worker node and check the runsc version and the containerd configuration:
k get node -o wide
ssh cluster1-node2
runsc --version
grep runsc /etc/containerd/config.toml
Create the RuntimeClass manifest and apply it. The handler must match the runtime name that containerd has registered (the runsc entry found by the grep above):
vim 10_rtc.yaml
# 10_rtc.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc   # name of the runtime as configured in containerd
k -f 10_rtc.yaml create
Generate the Pod manifest ($do is the usual exam alias for --dry-run=client -o yaml), then add nodeName and runtimeClassName:
k -n team-purple run gvisor-test --image=nginx:1.19.2 $do > 10_pod.yaml
vim 10_pod.yaml
# 10_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: gvisor-test
  name: gvisor-test
  namespace: team-purple
spec:
  nodeName: cluster1-node2     # added: pin the Pod to the node that has runsc
  runtimeClassName: gvisor     # added: select the RuntimeClass created above
  containers:
  - image: nginx:1.19.2
    name: gvisor-test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
k -f 10_pod.yaml create
Check that the Pod is running, look at its dmesg output, and write that output to the file:
k -n team-purple get pod gvisor-test
k -n team-purple exec gvisor-test -- dmesg
k -n team-purple exec gvisor-test > /opt/course/10/gvisor-test-dmesg -- dmesg
The dmesg output is the actual proof that the sandbox is in effect: gVisor's user-space kernel (the Sentry) answers the syslog call itself and prints its own boot banner, starting with "Starting gVisor...". A Pod running under plain runc would instead show the host's kernel ring buffer, or be refused with "Operation not permitted" when kernel.dmesg_restrict is set.
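The whole task as one script, added here as an example and not part of the original solution. It renders the two manifests from functions, applies them only when explicitly asked, and adds the check a practitioner would want before handing in the file: that the saved dmesg output actually carries gVisor's banner and that the Pod landed on the right node with the right RuntimeClass. It assumes kubectl is on PATH with the workload-prod context selected; the namespace, Pod, node and output path are the ones stated in the task.

```shell
#!/usr/bin/env sh
# Added example (not the page's own solution): task 10 as shell functions.
# Assumes kubectl is on PATH and the workload-prod context is already selected.
set -eu

NS=team-purple
POD=gvisor-test
NODE=cluster1-node2
OUT=/opt/course/10/gvisor-test-dmesg

# RuntimeClass manifest. handler must match the runtime name containerd has
# registered for runsc in /etc/containerd/config.toml.
render_runtimeclass() {
cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# Pod manifest: pinned to the runsc-capable node and using the RuntimeClass.
render_pod() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $POD
  namespace: $NS
spec:
  nodeName: $NODE
  runtimeClassName: gvisor
  containers:
  - name: $POD
    image: nginx:1.19.2
EOF
}

# Succeeds when the dmesg text on stdin came from the gVisor Sentry rather than
# the host kernel: gVisor prints its own boot banner, "Starting gVisor...",
# because a sandboxed process never reads the real kernel ring buffer.
looks_like_gvisor() {
    grep -q 'Starting gVisor'
}

# Succeeds when "<node> <runtimeClassName>" (as printed by kubectl below)
# matches what the task requires.
placement_ok() {
    [ "$1" = "$NODE gvisor" ]
}

# Talks to the cluster. Only run with: sh 10_gvisor.sh apply
apply_all() {
    render_runtimeclass | kubectl apply -f -
    render_pod | kubectl -n "$NS" apply -f -
    kubectl -n "$NS" wait --for=condition=Ready "pod/$POD" --timeout=120s
    placement=$(kubectl -n "$NS" get pod "$POD" \
        -o jsonpath='{.spec.nodeName} {.spec.runtimeClassName}')
    placement_ok "$placement" || { echo "wrong node or RuntimeClass: $placement" >&2; exit 1; }
    mkdir -p "$(dirname "$OUT")"
    kubectl -n "$NS" exec "$POD" -- dmesg > "$OUT"
    looks_like_gvisor < "$OUT" || { echo "dmesg does not look like gVisor" >&2; exit 1; }
    echo "dmesg of sandboxed Pod written to $OUT"
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Running the script without an argument touches nothing, so the rendering and checking functions can be exercised on a workstation; `apply` performs the steps of the task and fails loudly if the Pod is not sandboxed or not on cluster1-node2.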