kata-deploy provides a Dockerfile, which contains all of the binaries
and artifacts required to run Kata Containers, as well as reference DaemonSets, which can
be utilized to install Kata Containers for both Docker and on a running Kubernetes cluster.
Note, installation through DaemonSets successfully installs katacontainers.io/kata-runtime on
a node only if it uses either containerd or CRI-O CRI-shims.
The kata-deploy container image makes use of a script, kata-deploy-docker, for installation of
Kata artifacts and configuration of Docker to utilize the runtime. The following volumes are required to be mounted
to aid in this:
/opt/kata: this is where all Kata artifacts are installed on the system/var/run/dbus,/run/systemd: this is required for reloading the Docker service/etc/docker: this is required for updatingdaemon.jsonin order to configure the Kata runtimes in Docker
To install:
$ docker run -v /opt/kata:/opt/kata -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd -v /etc/docker:/etc/docker -it katadocker/kata-deploy kata-deploy-docker installOnce complete, /etc/docker/daemon.json is updated or created to include the Kata runtimes: kata-qemu and kata-fc, for utilizing
QEMU and Firecracker, respectively, for the VM isolation layer.
Run a QEMU isolated Kata container:
$ docker run --runtime=kata-qemu -itd alpineRun a Firecracker isolated Kata container:
$ docker run --runtime=kata-fc -itd alpineTo uninstall:
$ docker run -v /opt/kata:/opt/kata -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd -v /etc/docker:/etc/docker -it katadocker/kata-deploy kata-deploy-docker removeAfter completing, the original daemon.json, if it existed, is restored and all Kata artifacts from /opt/kata are removed.
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/kata-rbac/base/kata-rbac.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/kata-deploy/base/kata-deploy.yamlor on a k3s cluster:
$ kubectl apply -k github.com/kata-containers/packaging/kata-deploy/kata-deploy/overlays/k3sWorkloads which utilize Kata can node-select based on katacontainers.io/kata-runtime=true, and are
run through an applicable runtime if they are marked with the appropriate runtimeClass annotation.
runtimeClass is a built-in type in Kubernetes versions 1.14 and greater. In Kubernetes 1.13, runtimeClass
is defined through a custom resource definition. For Kubernetes 1.13:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.13/runtimeclass-crd.yamlTo use a workload with Kata for QEMU, first add a RuntimeClass as:
-
For Kubernetes 1.14:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.14/kata-qemu-runtimeClass.yaml
-
For Kubernetes 1.13:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.13/kata-qemu-runtimeClass.yaml
To use a workload with Kata for Firecracker, first add a RuntimeClass as:
-
For Kubernetes 1.14:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.14/kata-fc-runtimeClass.yaml
-
For Kubernetes 1.13:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.13/kata-fc-runtimeClass.yaml
The following YAML snippet shows how to specify a runtime class with Kata for QEMU:
spec:
template:
spec:
runtimeClassName: kata-qemuThe following YAML snippet shows how to specify a runtime class with Kata for Firecracker:
spec:
template:
spec:
runtimeClassName: kata-fcTo run an example with kata-qemu:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-qemu.yamlTo run an example with kata-fc:
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-fc.yamlThe following removes the test pods:
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-qemu.yaml
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-fc.yaml$ kubectl delete -f kata-deploy.yaml
$ kubectl apply -f kata-cleanup.yaml
$ kubectl delete -f kata-cleanup.yaml
$ kubectl delete -f kata-rbac.yamlThe Dockerfile used to create the container image deployed in the DaemonSet is provided here. This image contains all the necessary artifacts for running Kata Containers, all of which are pulled from the Kata Containers release page.
Host artifacts:
kata-runtimekata-fckata-qemukata-proxykata-shimfirecrackerqemu-system-x86_64and supporting binaries
Virtual Machine artifacts:
kata-containers.img: pulled from Kata GitHub releases pagevmlinuz.container: pulled from Kata GitHub releases page
Two DaemonSets are introduced for kata-deploy, as well as an RBAC to facilitate
applying labels to the nodes.
This DaemonSet installs the necessary Kata binaries, configuration files, and virtual machine artifacts on
the node. Once installed, the DaemonSet adds a node label katacontainers.io/kata-runtime=true and reconfigures
either CRI-O or containerd to register two runtimeClasses: kata-qemu (for QEMU isolation) and kata-fc (for Firecracker isolation).
As a final step the DaemonSet restarts either CRI-O or containerd. Upon deletion, the DaemonSet removes the
Kata binaries and VM artifacts and updates the node label to katacontainers.io/kata-runtime=cleanup.
This DaemonSet runs of the node has the label katacontainers.io/kata-runtime=cleanup. These DaemonSets removes
the katacontainers.io/kata-runtime label as well as restarts either CRI-O or containerd systemctl
daemon. You cannot execute these resets during the preStopHook of the Kata installer DaemonSet,
which necessitated this final cleanup DaemonSet.