1- install runsc
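# Install gVisor's runsc and its containerd shim from the official release bucket.
# Runs in a subshell so `set -e`, the cwd change and the EXIT trap do not leak into
# the calling shell.  Overridable via the environment:
#   GVISOR_RELEASE  release directory to fetch (default: latest)
#   GVISOR_BINDIR   install directory          (default: /usr/local/bin)
(
set -eu
ARCH=$(uname -m)
# "latest" is a moving target; pin GVISOR_RELEASE to a specific release directory
# from the bucket for reproducible node builds.
RELEASE="${GVISOR_RELEASE:-latest}"
BINDIR="${GVISOR_BINDIR:-/usr/local/bin}"
URL="https://storage.googleapis.com/gvisor/releases/release/${RELEASE}/${ARCH}"
# Download into a private temp dir so the cleanup and `mv` below can never touch
# unrelated files that happen to sit in the caller's working directory.
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "${WORKDIR}"' EXIT
cd -- "${WORKDIR}"
wget -- "${URL}/runsc" "${URL}/runsc.sha512" \
  "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
# The .sha512 files come from the same origin as the binaries, so this detects a
# corrupted or truncated download, not a compromised bucket.  `set -e` aborts the
# subshell on any mismatch, before anything is installed.
sha512sum -c -- runsc.sha512 containerd-shim-runsc-v1.sha512
chmod a+rx -- runsc containerd-shim-runsc-v1
sudo mv -- runsc containerd-shim-runsc-v1 "${BINDIR}/"
)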
Puis, vérifier la version :
[root@node1 ~]# runsc --version
runsc version release-20250820.0
spec: 1.2.0
2- Créer un fichier runtimeclass-gvisor.yaml:
# RuntimeClass that lets a Pod opt into the gVisor sandbox with
# `runtimeClassName: gvisor`.  `handler` must match the name of the containerd
# runtime table (`...containerd.runtimes.runsc`) in /etc/containerd/config.toml.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
3 - Modifier le fichier /etc/containerd/config.toml et y ajouter :
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc]
runtime_type = "io.containerd.runsc.v1"
runtime_engine = ""
runtime_root = ""
base_runtime_spec = "/etc/containerd/cri-base.json"
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc.options]
BinaryName = "/usr/local/bin/runsc"
Voici un exemple complet:
[root@node1 ~]# cat /etc/containerd/config.toml
# containerd configuration (config version 3, containerd 2.x plugin ids).
# Two OCI runtimes are registered under ...containerd.runtimes: "runc" (the
# default) and "runsc" (gVisor), which Pods select through the RuntimeClass
# whose handler is "runsc".
version = 3
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
max_recv_message_size = 16777216
max_send_message_size = 16777216

[debug]
address = ""
level = "info"
format = ""
uid = 0
gid = 0

[metrics]
address = ""
grpc_histogram = false

[plugins]

[plugins."io.containerd.cri.v1.runtime"]
max_container_log_line_size = 16384
# Leaves the kernel defaults in place: no unprivileged binds to ports < 1024 and
# no unprivileged ICMP sockets inside containers.
enable_unprivileged_ports = false
enable_unprivileged_icmp = false
# SELinux labelling of containers is off; AppArmor stays enabled
# (disable_apparmor = false).
enable_selinux = false
disable_apparmor = false
tolerate_missing_hugetlb_controller = true
disable_hugetlb_controller = true

[plugins."io.containerd.cri.v1.runtime".containerd]
# Pods without a runtimeClassName run under runc; only Pods that choose the
# "gvisor" RuntimeClass are sandboxed.
default_runtime_name = "runc"

[plugins."io.containerd.cri.v1.runtime".containerd.runtimes]

[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
runtime_engine = ""
runtime_root = ""
base_runtime_spec = "/etc/containerd/cri-base.json"

[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc.options]
SystemdCgroup = true
BinaryName = "/usr/local/bin/runc"

# gVisor: the table name "runsc" is what the RuntimeClass handler refers to.
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc]
runtime_type = "io.containerd.runsc.v1"
runtime_engine = ""
runtime_root = ""
base_runtime_spec = "/etc/containerd/cri-base.json"

[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc.options]
BinaryName = "/usr/local/bin/runsc"

[plugins."io.containerd.cri.v1.images"]
snapshotter = "overlayfs"
discard_unpacked_layers = true
image_pull_progress_timeout = "5m"

[plugins."io.containerd.cri.v1.images".pinned_images]
# Pause image is pulled from the private registry; listing it as pinned keeps it
# from being removed by image garbage collection.
sandbox = "harbor-prod.allopsconnect.com/k8s/pause:3.10"

# NOTE(review): the two registry tables below use the older "io.containerd.grpc.v1.cri"
# plugin id while every other CRI table uses the v3 "io.containerd.cri.v1.*" ids —
# confirm they are actually honoured under version = 3 (e.g. with `containerd config dump`).
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor-prod.allopsconnect.com"]
endpoint = ["https://harbor-prod.allopsconnect.com"]

[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor-prod.allopsconnect.com".tls]
# SECURITY: disables TLS certificate verification for this registry, so image
# pulls (including the pinned pause image above) can be intercepted or
# substituted on the network path.  Prefer trusting the registry's CA
# (ca_file, or the node trust store) and setting this to false.
insecure_skip_verify = true

[plugins."io.containerd.nri.v1.nri"]
disable = false
Puis redémarrer containerd :
[root@node1 ~]# systemctl restart containerd
Créer un pod de test :
[root@node1 ~]# cat pod_test.yaml
# Test Pod for the gVisor RuntimeClass.  It is pinned to node1 and deliberately
# requests two things a sandbox is expected to contain: a privileged
# securityContext and a hostPath mount of the node's /var/run.
# NOTE(review): treat this as a containment check, not a template for workloads —
# on a typical node /var/run holds the container runtime's sockets, so the same
# spec without runtimeClassName: gvisor would expose the node's runtime to the
# container.  Confirm in the runsc docs how privileged: true is treated inside gVisor.
apiVersion: v1
kind: Pod
metadata:
  name: pod-hostpath-priv
  namespace: default
spec:
  nodeSelector:
    kubernetes.io/hostname: node1
  # Selects the RuntimeClass whose handler is containerd's "runsc" runtime.
  runtimeClassName: gvisor
  containers:
    - name: test-container
      # Untagged image resolves to :latest; pin a tag or digest for repeatable tests.
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: runtime-volume
          mountPath: /tmp
      securityContext:
        privileged: true
  volumes:
    - name: runtime-volume
      hostPath:
        path: /var/run
        # Creates the directory on the node if it does not already exist.
        type: DirectoryOrCreate