.. Source: github.com/cilium/cilium@v1.16.2/Documentation/network/kubernetes/kata.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _kata:

***************************
Kata Containers with Cilium
***************************

`Kata Containers <https://katacontainers.io/>`_ is an open source project that
provides a secure container runtime with lightweight virtual machines that feel
and perform like containers, but provide stronger workload isolation using
hardware virtualization technology as a second layer of defense. Kata
Containers implements the OCI runtime spec, just like ``runc``, which is used by
Docker. Cilium can be used along with Kata Containers, and using both enables a
higher degree of security. Kata Containers enhances security in the compute
layer, while Cilium provides policy and observability in the networking layer.

This guide shows how to install Cilium along with Kata Containers. It assumes
that you have already followed the official
`Kata Containers installation user guide <https://github.com/kata-containers/documentation/tree/master/install>`_
to get the Kata Containers runtime up and running on your platform of choice
but that you have not yet set up Kubernetes.

.. note::
    This guide has been validated by following the Kata Containers guide for
    Google Compute Engine (GCE) and using Ubuntu 18.04 LTS with the packaged
    version of Kata Containers, CRI-containerd and Kubernetes 1.18.3.

Setup Kubernetes with CRI
=========================

The Kata Containers runtime is an OCI-compatible runtime and cannot directly
interact with the CRI API level. For this reason, it relies on a CRI
implementation to translate CRI into OCI. At the time of writing this guide,
there are two supported options, CRI-O and CRI-containerd. It is up to you
to choose the one that you want, but you have to pick one.

Refer to the section :ref:`k8s_requirements` for detailed instructions on how to
prepare your Kubernetes environment and make sure to use Kubernetes >= 1.12.
Then, follow the
`official guide to run Kata Containers with Kubernetes <https://github.com/kata-containers/documentation/blob/master/how-to/run-kata-with-k8s.md>`_.

.. note::
    Kubernetes 1.12 or later is required to use the RuntimeClass feature
    for the Kata Containers runtime described below.

With your Kubernetes cluster ready, you can now proceed to deploy Cilium.

Deploy Cilium
=============

.. include:: ../../installation/k8s-install-download-release.rst

Deploy Cilium release via Helm:

.. tabs::

    .. group-tab:: Using CRI-O

      .. parsed-literal::

        helm install cilium |CHART_RELEASE| \\
          --namespace kube-system \\
          --set bpf.autoMount.enabled=false

    .. group-tab:: Using CRI-containerd

      .. parsed-literal::

        helm install cilium |CHART_RELEASE| \\
          --namespace kube-system

.. warning::

   When using :ref:`kube-proxy-replacement <kubeproxy-free>` or its socket-level
   load balancer with Kata Containers, the socket-level load balancer should be
   disabled for pods by setting ``socketLB.hostNamespaceOnly=true``. See
   :ref:`socketlb-host-netns-only` for more details.

.. include:: ../../installation/k8s-install-validate.rst

Run Kata Containers with Cilium CNI
===================================

Now that your Kubernetes cluster is configured with the Kata Containers runtime
and Cilium as the CNI, you can run a sample workload by following
`these instructions <https://github.com/kata-containers/packaging/tree/master/kata-deploy#run-a-sample-workload>`_.
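
The warning in the Deploy Cilium section can be checked against a running
installation. The script below is an added example, not part of the Cilium
documentation. It assumes that the rendered ``cilium-config`` ConfigMap uses the
keys ``kube-proxy-replacement``, ``bpf-lb-sock`` and ``bpf-lb-sock-hostns-only``,
which do not appear on this page.

```shell
#!/bin/sh
# Added example, not from the Cilium documentation.
# Reads "key: value" lines (the .data section of the cilium-config ConfigMap)
# on stdin and fails when the socket-level load balancer is active for pods.
# Key names are assumed to match the agent options rendered by the Helm chart.
check_kata_socketlb() {
  kpr="" sock="" hostns=""
  while IFS= read -r line || [ -n "$line" ]; do
    # Drop spaces, tabs and quotes so `key: "true"` becomes `key:true`.
    line=$(printf '%s' "$line" | tr -d ' \t"')
    case "$line" in
      kube-proxy-replacement:*)  kpr=${line#*:} ;;
      bpf-lb-sock:*)             sock=${line#*:} ;;
      bpf-lb-sock-hostns-only:*) hostns=${line#*:} ;;
    esac
  done
  active=0
  # kube-proxy replacement turns the socket LB on ("strict" is the legacy value).
  case "$kpr" in true|strict) active=1 ;; esac
  if [ "$sock" = "true" ]; then active=1; fi
  if [ "$active" -eq 1 ] && [ "$hostns" != "true" ]; then
    echo "FAIL: socket LB applies to pods; set socketLB.hostNamespaceOnly=true"
    return 1
  fi
  echo "OK: socket LB is off or restricted to the host namespace"
}

# Constructed sample inputs (not captured from a real cluster).
KATA_BAD='kube-proxy-replacement: "true"
bpf-lb-sock-hostns-only: "false"'
KATA_GOOD='kube-proxy-replacement: "true"
bpf-lb-sock-hostns-only: "true"'
KATA_SOCK_ONLY='kube-proxy-replacement: "false"
bpf-lb-sock: "true"'

printf '%s\n' "$KATA_BAD"  | check_kata_socketlb || true
printf '%s\n' "$KATA_GOOD" | check_kata_socketlb
```

On a cluster, pipe the output of ``kubectl -n kube-system get configmap cilium-config -o yaml`` into ``check_kata_socketlb``; leading indentation in the YAML is ignored.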