Skip to content
This repository has been archived by the owner on Mar 9, 2022. It is now read-only.

cri v1.0.0-rc.0

Compare
Choose a tag to compare
@Random-Liu Random-Liu released this 26 Mar 22:10
796cae7

TARBALL: https://storage.googleapis.com/cri-containerd-release/cri-containerd-1.1.0-rc.0.linux-amd64.tar.gz

SHA256: 396189f25a37d04e84b62fe1615d5a5bdb13056a0433b4b1faaf98ff23062294

Welcome to the v1.0.0-rc.0 release of containerd cri plugin! The containerd CRI support is GA now!

In this release, the project was moved from the kubernetes-incubator organization, and renamed to cri.

Highlights

CRI Plugin

This release of cri is a native plugin of containerd.It is built into containerd v1.1 and the CRI support is enabled by default.

You can now use Kubernetes, with containerd directly, without having to use the intermediate cri-containerd daemon. The cri-containerd daemon is end-of-life.

Note: Please drain your node before upgrading from older versions of cri-containerd to containerd v1.1.

You can use a containerd config file to configure the cri plugin.

Untrusted Workload Runtime

To run an untrusted pod on a runtime for untrusted workload e.g. katacontainers and clearcontainers, you can:

  1. Configure a runtime for untrusted workload with the config option plugins.cri.containerd.untrusted_workload_runtime.
  2. Create an untrusted pod by setting the annotation io.kubernetes.cri.untrusted-workload to "true", for example:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx

By default, cri will run pods with the default runtime. However, if a pod has the io.kubernetes.cri.untrusted-workload annotation, the cri plugin will run the pod with the runtime for untrusted workloads.

Unless configured otherwise, the default runtime is set to runc.

Container Runtime Interface v1alpha2

The supported CRI (Container Runtime Interface) version for Kubernetes v1.10 is now v1alpha2. This release of cri has been updated to use CRI v1alpha2, so it only works with Kubernetes v1.10+.

New CRI features added in v1alpha2 are all supported:

  • Container log rotation: Kubelet rotates container logs.
  • Shared pid namespace: Support sharing pid namespace inside a pod.

Registry Mirror

You can now setup registry configurations with the config option plugins.cri.registry.

Currently only the mirrors option is supported. With it, you can specify registry mirrors and insecure registry. (doc)

Notable Changes

  • The exec, attach and portforward connection between Kubernetes apiserver and containerd is now encrypted. (#681)
  • If you are using native cni plugins, v0.7.0 is required. (#674)

Test

End-To-End Test

In terms of testing, we've passed:

  • ALL CRI validation tests
  • ALL node e2e tests
  • ALL e2e tests

The containerd test coverage on GCE is equivalent with Docker now.

All the test results are public: https://k8s-testgrid.appspot.com/sig-node-containerd.

Performance

We significantly improved pod start latency and cpu/memory usage of cri plugin this release.

The continuous benchmark result is published on http://node-perf-dash.k8s.io/. Job ci-kubernetes-node-kubelet-benchmark is for Docker 17.03, and ci-cri-containerd-node-e2e-benchmark is for containerd with cri plugin.

All metrics of containerd are either better or comparable with Docker 17.03.

Try It Out

  • For a production quality cluster on GCE brought up with kube-up.sh, see here.
  • For a multi-node cluster installer and bring up steps using ansible and kubeadm, see here.
  • For creating a cluster from scratch on Google Cloud, see Kubernetes the Hard Way.
  • For a custom installation from release tarball, see here.
  • To install use LinuxKit on a local VM, see here.

Contributors

We'd like to extend a thanks to the following people who contributed to this release: