Table of contents
- Installation
- Integrating with containerd
- Creating the RuntimeClass resource
- Modifying the containerd configuration file
- Preparing the pod YAML file
- References
author: ningan123
date: '2023-01-11 21:23'
updated: '2023-01-11 21:31'
## Installation

Installation guide: Installation - gVisor

```bash
ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget ${URL}/runsc ${URL}/runsc.sha512 \
  ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 \
  -c containerd-shim-runsc-v1.sha512
rm -f *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
```
## Integrating with containerd

### Creating the RuntimeClass resource

```bash
root@node01:~# cat rc.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: untrusted
handler: runsc
root@node01:~# kubectl apply -f rc.yaml
root@node01:~# kubectl get runtimeclass
NAME        HANDLER   AGE
untrusted   runsc     7m34s
```
### Modifying the containerd configuration file

Add the following:

```toml
# gVisor: https://gvisor.dev/
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
```

```bash
# Restart containerd
root@node01:~# systemctl restart containerd
```
### Preparing the pod YAML file

```bash
root@node01:~# kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-gvisor
  name: nginx-gvisor
spec:
  containers:
  - image: nginx
    name: nginx-gvisor
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@node01:~# kubectl run nginx-gvisor --image=nginx --dry-run=client -oyaml > nginx-gvisor.yaml
## After a few edits, the final file looks like this
root@node01:~# cat nginx-gvisor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: untrusted
  containers:
  - image: nginx
    name: nginx-gvisor
root@node01:~# kubectl apply -f nginx-gvisor.yaml
root@node01:~# kubectl get pod
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          8m3s
```

Done~
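As an added check that is not part of the original post, the following POSIX shell script verifies that a pod created as above is actually sandboxed: it reads the pod's `runtimeClassName` back from the API server and then runs `dmesg` inside the container, where gVisor's emulated kernel prints its own boot banner instead of the host kernel log. The function and sample names are my own; it assumes `kubectl` access to the cluster and that the image contains `dmesg`.

```shell
#!/bin/sh
# Added example (not from the original post): check that a pod is really
# running inside gVisor rather than on the host kernel. Assumes kubectl is
# configured for the cluster and the image ships dmesg (the nginx image does).

# Pure check: gVisor's emulated kernel log opens with "Starting gVisor...",
# while a host kernel's dmesg starts with "Linux version ...".
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# Pure check: the runtimeClassName reported by the API server must match the
# class we created (a pod without one falls back to the default runtime).
runtime_class_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check against the cluster: both conditions must hold.
verify_pod_sandbox() {
  pod="$1"
  expected_class="${2:-untrusted}"
  rc=$(kubectl get pod "$pod" -o jsonpath='{.spec.runtimeClassName}')
  if ! runtime_class_matches "$rc" "$expected_class"; then
    echo "FAIL: $pod has runtimeClassName '$rc', expected '$expected_class'" >&2
    return 1
  fi
  log=$(kubectl exec "$pod" -- dmesg 2>/dev/null)
  if ! is_gvisor_dmesg "$log"; then
    echo "FAIL: $pod dmesg shows the host kernel, not gVisor" >&2
    return 1
  fi
  echo "OK: $pod is sandboxed by gVisor (runtimeClass=$rc)"
}

# Constructed sample dmesg output (first lines only), for offline testing.
SAMPLE_GVISOR='[   0.000000] Starting gVisor...
[   0.216935] Checking naughty and nice process list...'
SAMPLE_HOST='[    0.000000] Linux version 5.15.0-56-generic (buildd@lcy02-amd64-004)'

# Usage: sh verify-gvisor.sh nginx-gvisor [runtime-class]
if [ "$#" -gt 0 ]; then
  verify_pod_sandbox "$@"
fi
```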
## References

- Kubernetes: Minimizing Microservice Vulnerabilities - Integrating gVisor with Containerd