Task weight: 4%

Use context: kubectl config use-context workload-prod

Team purple wants to run some of their workloads more secure. Worker node cluster1-node2 has container engine containerd already installed and it’s configured to support the runsc/gvisor runtime.

Create a RuntimeClass named gvisor with handler runsc .

Create a Pod that uses the RuntimeClass. The Pod should be in Namespace team-purple , named gvisor-test and of image nginx:1.19.2 . Make sure the Pod runs on cluster1-node2 .

Write the dmesg output of the successfully started Pod into /opt/course/10/gvisor-test-dmesg .

译文

任务权重:4%。

使用环境: kubectl config use-context workload-prod

Purple团队希望更安全地运行他们的一些工作负载。工作节点 cluster1-node2 已经安装了容器引擎 containerd ,它被配置为支持 runsc/gvisor 运行时。

创建一个名为 gvisor 的 RuntimeClass,处理程序为 runsc

创建一个使用该 RuntimeClass 的 Pod 。这个 Pod 应该在命名空间 team-purple 中,命名为 gvisor-test ,镜像为 nginx:1.19.2 。确保该 Pod 运行在 cluster1-node2 上。

将成功启动的 Pod 的 dmesg 输出写入 /opt/course/10/gvisor-test-dmesg

解答

查看节点,并登陆远程节点检查runsc版本和配置

k get node -o wide
ssh cluster1-node2

runsc --version
grep runsc/etc/containerd/config.toml

sandbox-gVisor-1-0

创建一个RuntimeCLasses文件,并创建

vim 10_rtc.yaml
# 10_rtc.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
k -f 10_rtc.yaml create

创建一个pod

k -n team-purple run gvisor-test --image=nginx:1.19.2 $do > 10_pod.yaml

vim 10_pod.yaml
# 10_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: gvisor-test
  name: gvisor-test
  namespace: team-purple
spec:
  nodeName: cluster1-node2   # 添加
  runtimeClassName: gvisor   # 添加
  containers:
  - image: nginx:1.19.2
    name: gvisor-test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
k -f 10_pod.yaml create

检查pod运行情况 和 日志 并把日志写入文件

k -n team-purple get pod gvisor-test
k -n team-purple exec gvisor-test -- dmesg
k -n team-purple exec gvisor-test > /opt/course/10/gvisor-test-dmesg -- dmesg

sandbox-gVisor-1-1