Feruzjon Muyassarov 7bd757da5f Add configuration option for NRI in crio & containerd (#10454)
* [containerd] Add Configuration option for Node Resource Interface

Node Resource Interface (NRI) is a common framework for
plugging domain or vendor-specific custom logic into container
runtimes like containerd. With this commit, we introduce the
containerd_disable_nri configuration flag, providing cluster
administrators the flexibility to opt in or out (defaulted to 'out')
of this feature in containerd. In line with containerd's default
configuration, NRI is disabled by default in this containerd role
defaults.

Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>

* [cri-o] Add configuration option for Node Resource Interface

Node Resource Interface (NRI) is a common framework for
plugging domain or vendor-specific custom logic into container
runtimes like containerd/crio. With this commit, we introduce the
crio_enable_nri configuration flag, providing cluster
administrators the flexibility to opt in or out (defaulted to 'out')
of this feature in cri-o runtime. In line with crio's default
configuration, NRI is disabled by default in this cri-o role
defaults.

Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>

---------

Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>
(cherry picked from commit f964b3438d024e27f226f55db3e5f66dcfdb6c34)
2023-10-06 23:24:19 +02:00

103 lines
2.9 KiB
YAML

---
crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
crio_conmon: "{{ bin_dir }}/conmon"
crio_enable_metrics: false
crio_log_level: "info"
crio_metrics_port: "9090"
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"

# Registries defined within cri-o.
# By default unqualified images are not allowed for security reasons
crio_registries: []
#  - prefix: docker.io
#    insecure: false
#    blocked: false
#    location: registry-1.docker.io ## REQUIRED
#    unqualified: false
#    mirrors:
#      - location: 172.20.100.52:5000
#        insecure: true
#      - location: mirror.gcr.io
#        insecure: false

crio_registry_auth: []
#  - registry: 10.0.0.2:5000
#    username: user
#    password: pass

crio_seccomp_profile: ""
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"

# Override system default for storage driver
# crio_storage_driver: "overlay"

crio_stream_port: "10010"

crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"

# The crio_runtimes variable defines a list of OCI compatible runtimes.
crio_runtimes:
  - name: runc
    path: "{{ bin_dir }}/runc"
    type: oci
    root: /run/runc

# Kata Containers is an OCI runtime, where containers are run inside lightweight
# VMs. Kata provides additional isolation towards the host, minimizing the host attack
# surface and mitigating the consequences of containers breakout.
kata_runtimes:
  # Kata Containers with the default configured VMM
  - name: kata-qemu
    path: /usr/local/bin/containerd-shim-kata-qemu-v2
    type: vm
    root: /run/kata-containers
    privileged_without_host_devices: true

# crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
crun_runtime:
  name: crun
  path: "{{ bin_dir }}/crun"
  type: oci
  root: /run/crun

# youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
youki_runtime:
  name: youki
  path: "{{ youki_bin_dir }}/youki"
  type: oci
  root: /run/youki

# TODO(cristicalin): remove this after 2.21
crio_download_base: "download.opensuse.org/repositories/devel:kubic:libcontainers:stable"
crio_download_crio: "http://{{ crio_download_base }}:/cri-o:/"

# Reserve 16M uids and gids for user namespaces (256 pods * 65536 uids/gids)
# at the end of the uid/gid space
crio_remap_enable: false
crio_remap_user: containers
crio_subuid_start: 2130706432
crio_subuid_length: 16777216
crio_subgid_start: 2130706432
crio_subgid_length: 16777216

# cri-o binary files
crio_bin_files:
  - conmon
  - crio
  - crio-status
  - pinns

# cri-o manual files
crio_man_files:
  5:
    - crio.conf
    - crio.conf.d
  8:
    - crio
    - crio-status

# If set to true, it will enable the NRI support in cri-o
crio_enable_nri: false
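The commented-out `crio_registries` block above is the part of these defaults with the most direct supply-chain impact (an `insecure` mirror or an `unqualified` registry changes which images a node will pull and whether TLS is verified). The following is an added example, not kubespray's own template or code: it takes a list shaped like that block, renders it in the `containers-registries.conf(5)` v2 TOML layout that cri-o reads (the exact layout kubespray's Jinja template produces is assumed, not taken from this page), and lints the result for the settings a reviewer would want flagged before they reach a node. The sample list is constructed from the page's own illustrative values.

```python
"""Render and lint a cri-o registries configuration (added example, not kubespray code)."""
from __future__ import annotations

# Constructed sample: the commented-out example from defaults/main.yml with
# `crio_registries: []` replaced by that one docker.io entry and its two mirrors.
SAMPLE_REGISTRIES = [
    {
        "prefix": "docker.io",
        "insecure": False,
        "blocked": False,
        "location": "registry-1.docker.io",  # REQUIRED, as the YAML comment says
        "unqualified": False,
        "mirrors": [
            {"location": "172.20.100.52:5000", "insecure": True},
            {"location": "mirror.gcr.io", "insecure": False},
        ],
    }
]


def _toml_bool(value: bool) -> str:
    return "true" if value else "false"


def _toml_list(items: list[str]) -> str:
    return "[" + ", ".join(f'"{item}"' for item in items) + "]"


def render_registries_conf(registries: list[dict]) -> str:
    """Emit a registries.conf v2 document (assumed layout; see lead-in).

    Every entry must carry `location`; `unqualified: true` adds the prefix to
    `unqualified-search-registries`, which is empty by default so that bare
    image names such as `nginx` are rejected rather than resolved by guesswork.
    """
    search = [r["prefix"] for r in registries if r.get("unqualified", False)]
    lines = [f"unqualified-search-registries = {_toml_list(search)}", ""]
    for reg in registries:
        if "location" not in reg:
            raise ValueError(f"registry {reg.get('prefix', '?')!r} has no location")
        lines += [
            "[[registry]]",
            f'prefix = "{reg.get("prefix", reg["location"])}"',
            f'location = "{reg["location"]}"',
            f"insecure = {_toml_bool(reg.get('insecure', False))}",
            f"blocked = {_toml_bool(reg.get('blocked', False))}",
            "",
        ]
        for mirror in reg.get("mirrors", []):
            lines += [
                "[[registry.mirror]]",
                f'location = "{mirror["location"]}"',
                f"insecure = {_toml_bool(mirror.get('insecure', False))}",
                "",
            ]
    return "\n".join(lines).rstrip("\n") + "\n"


def lint_registries(registries: list[dict]) -> list[str]:
    """Return findings for settings that weaken image pull controls.

    `insecure` means plain HTTP is allowed and TLS certificates are not
    verified; `unqualified` means the registry is searched for bare image names.
    """
    findings: list[str] = []
    for reg in registries:
        name = reg.get("prefix", reg.get("location", "?"))
        if reg.get("insecure", False):
            findings.append(f"{name}: TLS verification disabled (insecure: true)")
        if reg.get("unqualified", False):
            findings.append(f"{name}: searched for unqualified image names")
        for mirror in reg.get("mirrors", []):
            if mirror.get("insecure", False):
                findings.append(f"{name}: mirror {mirror['location']} is insecure")
    return findings


if __name__ == "__main__":
    print(render_registries_conf(SAMPLE_REGISTRIES))
    for finding in lint_registries(SAMPLE_REGISTRIES):
        print("WARN:", finding)
```

Run against the sample, the only finding is the `172.20.100.52:5000` mirror, which the page itself marks `insecure: true`; flipping `unqualified` to `true` on the docker.io entry both populates `unqualified-search-registries` in the rendered file and produces a second finding, which is the behaviour the "not allowed for security reasons" comment in the defaults is guarding against.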