cri v1.0.0-rc.0
TARBALL: https://storage.googleapis.com/cri-containerd-release/cri-containerd-1.1.0-rc.0.linux-amd64.tar.gz
SHA256: 396189f25a37d04e84b62fe1615d5a5bdb13056a0433b4b1faaf98ff23062294
Welcome to the v1.0.0-rc.0 release of containerd cri
plugin! The containerd
CRI support is GA now!
In this release, the project was moved from the kubernetes-incubator
organization, and renamed to cri
.
Highlights
CRI Plugin
This release of cri
is a native plugin of containerd.
It is built into containerd
v1.1 and the CRI support is enabled by default.
You can now use Kubernetes, with containerd
directly, without having to use the intermediate cri-containerd
daemon. The cri-containerd
daemon is end-of-life.
Note: Please drain your node before upgrading from older versions of cri-containerd
to containerd
v1.1.
You can use a containerd config file to configure the cri
plugin.
Untrusted Workload Runtime
To run an untrusted pod on a runtime for untrusted workload e.g. katacontainers and clearcontainers, you can:
- Configure a runtime for untrusted workload with the config option
plugins.cri.containerd.untrusted_workload_runtime
. - Create an untrusted pod by setting the annotation
io.kubernetes.cri.untrusted-workload
to"true"
, for example:
apiVersion: v1
kind: Pod
metadata:
name: nginx
annotations:
io.kubernetes.cri.untrusted-workload: "true"
spec:
containers:
- name: nginx
image: nginx
By default, cri
will run pods with the default runtime. However, if a pod has the io.kubernetes.cri.untrusted-workload
annotation, the cri
plugin will run the pod with the runtime for untrusted workloads.
Unless configured otherwise, the default runtime is set to runc.
Container Runtime Interface v1alpha2
The supported CRI (Container Runtime Interface) version for Kubernetes v1.10 is now v1alpha2.
This release of cri
has been updated to use CRI v1alpha2
, so it only works with Kubernetes v1.10+.
New CRI features added in v1alpha2
are all supported:
- Container log rotation: Kubelet rotates container logs.
- Shared pid namespace: Support sharing pid namespace inside a pod.
Registry Mirror
You can now setup registry configurations with the config option plugins.cri.registry
.
Currently only the mirrors
option is supported. With it, you can specify registry mirrors and insecure registry. (doc)
Notable Changes
- The
exec
,attach
andportforward
connection between Kubernetes apiserver and containerd is now encrypted. (#681) - If you are using native cni plugins, v0.7.0 is required. (#674)
Test
End-To-End Test
In terms of testing, we've passed:
- ALL CRI validation tests
- ALL node e2e tests
- ALL e2e tests
The containerd test coverage on GCE is equivalent with Docker now.
All the test results are public: https://k8s-testgrid.appspot.com/sig-node-containerd.
Performance
We significantly improved pod start latency and cpu/memory usage of cri
plugin this release.
The continuous benchmark result is published on http://node-perf-dash.k8s.io/. Job ci-kubernetes-node-kubelet-benchmark
is for Docker 17.03, and ci-cri-containerd-node-e2e-benchmark
is for containerd with cri
plugin.
All metrics of containerd are either better or comparable with Docker 17.03.
Try It Out
- For a production quality cluster on GCE brought up with
kube-up.sh
, see here. - For a multi-node cluster installer and bring up steps using ansible and kubeadm, see here.
- For creating a cluster from scratch on Google Cloud, see Kubernetes the Hard Way.
- For a custom installation from release tarball, see here.
- To install use LinuxKit on a local VM, see here.
Contributors
We'd like to extend a thanks to the following people who contributed to this release: