# Question 13: gVisor

###### tags: `Real Exam Walkthrough`

Switch cluster:

```
kubectl config use-context k8s67
```

**Context**

This cluster uses containerd as CRI runtime. Containerd's default runtime handler is runc. Containerd has been prepared to support an additional runtime handler, runsc (gVisor).

**Task**

Create a RuntimeClass named **untrusted** using the prepared runtime handler named **runsc**.

Update all Pods in the namespace **client** to run on gVisor, unless they are already running on a non-default runtime handler.

You can find a skeleton manifest file at /cks/13/rc.yaml

## Solution

Follow the official documentation directly: [k8s.io/RuntimeClass](https://v1-20.docs.kubernetes.io/docs/concepts/containers/runtime-class/#2-create-the-corresponding-runtimeclass-resources)

Create a RuntimeClass as required and apply it:

```
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: untrusted
handler: runsc
```

First get the nodeName with `kubectl get node`; my gVisor is deployed on node3:

```
kubectl get node
NAME          STATUS   ROLES    AGE   VERSION
ubuk8s-vm01   Ready    master   99d   v1.19.3
ubuk8s-vm02   Ready    <none>   99d   v1.19.3
ubuk8s-vm03   Ready    <none>   99d   v1.19.3
ubuk8s-vm04   Ready    <none>   21d   v1.19.3
```

List the Pods in the namespace; the Pod is running on node4. In the exam it may well be a Deployment:

```
kubectl get pod -n client -owide
NAME                          READY   STATUS    RESTARTS   AGE   IP                NODE          NOMINATED NODE   READINESS GATES
sandbox-pod-fcd88765b-skm6g   1/1     Running   0          38s   192.168.204.151   ubuk8s-vm04   <none>           <none>
```

Edit its YAML and replace it:

```
kubectl edit -n client deployments.apps sandbox-pod
```

Add nodeName and runtimeClassName to the Pod spec (spec.template.spec), not to the Deployment's own spec:

```
spec:
  containers:
    # ... existing container entries stay unchanged
  nodeName: ubuk8s-vm03
  runtimeClassName: untrusted
```

**Verification**

The Pod starts successfully on node3. Two ways to verify it:

Run `uname -r` inside the Pod; the kernel version is 4.4.0 rather than the host's kernel version:

```
kubectl exec -n client sandbox-pod-645bd9dc4-6mcnp -- uname -r
4.4.0
```

Run `dmesg` inside the Pod and look for `[ 0.000000] Starting gVisor...`:

```
kubectl exec -n client sandbox-pod-645bd9dc4-6mcnp -- dmesg
[ 0.000000] Starting gVisor...
[ 0.389245] Granting licence to kill(2)...
[ 0.428698] Checking naughty and nice process list...
[ 0.804248] Creating process schedule...
[ 1.153182] Adversarially training Redcode AI...
[ 1.425678] Conjuring /dev/null black hole...
[ 1.907712] Searching for socket adapter...
[ 2.006525] Digging up root...
[ 2.204595] Daemonizing children...
[ 2.702483] Reading process obituaries...
[ 2.858553] Searching for needles in stacks...
[ 2.884164] Ready!
```

The Linux dmesg command displays the kernel's boot messages. The kernel keeps them in a ring buffer, so if you could not read them during boot you can use dmesg to view them afterwards. The boot messages are also saved under /var/log in a file named dmesg.
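The task's tricky clause is "unless they are already running on a non-default runtime handler": a Pod with no runtimeClassName runs on runc, but so does a Pod whose RuntimeClass merely maps to runc, and neither counts as non-default. The following added example (my own code, not part of the original write-up) resolves each workload's runtimeClassName through the cluster's RuntimeClass list and produces a JSON merge patch only for those still on the default handler; the RuntimeClasses `kata` and `legacy` and the Pods `kata-pod` and `legacy-pod` are constructed samples, and the nodeName pinning from the walkthrough is left out because it is specific to that cluster.

```python
import json

DEFAULT_HANDLER = "runc"       # containerd's default handler, per the task text
TARGET_CLASS = "untrusted"     # the RuntimeClass created above (handler: runsc)

# Constructed sample, shaped like `kubectl get runtimeclass -o json` items.
RUNTIME_CLASSES = [
    {"metadata": {"name": "untrusted"}, "handler": "runsc"},
    {"metadata": {"name": "kata"}, "handler": "kata"},    # hypothetical non-default handler
    {"metadata": {"name": "legacy"}, "handler": "runc"},  # hypothetical class that still maps to runc
]

def handler_for(pod_spec, runtime_classes):
    """Resolve a pod spec's runtimeClassName to the handler it actually runs on."""
    name = pod_spec.get("runtimeClassName")
    if name is None:
        return DEFAULT_HANDLER          # no runtimeClassName means the default handler
    for rc in runtime_classes:
        if rc["metadata"]["name"] == name:
            return rc["handler"]
    raise ValueError(f"unknown RuntimeClass {name!r}")

def needs_patch(pod_spec, runtime_classes):
    """True only when the workload would still run on the default handler."""
    return handler_for(pod_spec, runtime_classes) == DEFAULT_HANDLER

def pod_spec_of(workload):
    return workload["spec"] if workload["kind"] == "Pod" else workload["spec"]["template"]["spec"]

def gvisor_patch(workload):
    """Merge patch that sets runtimeClassName on the Pod template, not the Deployment spec."""
    if workload["kind"] == "Pod":
        return {"spec": {"runtimeClassName": TARGET_CLASS}}
    return {"spec": {"template": {"spec": {"runtimeClassName": TARGET_CLASS}}}}

def plan(workloads, runtime_classes):
    """Map workload name -> patch for every workload that still needs moving to gVisor."""
    return {w["metadata"]["name"]: gvisor_patch(w)
            for w in workloads if needs_patch(pod_spec_of(w), runtime_classes)}

WORKLOADS = [  # constructed sample workloads in namespace client
    {"kind": "Deployment", "metadata": {"name": "sandbox-pod"},
     "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}}},
    {"kind": "Pod", "metadata": {"name": "kata-pod"},
     "spec": {"runtimeClassName": "kata", "containers": [{"name": "app", "image": "nginx"}]}},
    {"kind": "Pod", "metadata": {"name": "legacy-pod"},
     "spec": {"runtimeClassName": "legacy", "containers": [{"name": "app", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for name, patch in plan(WORKLOADS, RUNTIME_CLASSES).items():
        print(name, json.dumps(patch))   # feed each patch to `kubectl patch ... --type merge -p`
```

Each emitted patch can be applied with `kubectl patch -n client <kind>/<name> --type merge -p '<patch>'`; a bare Pod cannot have its runtimeClassName changed in place, so it must be recreated instead.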