// Copyright 2023 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package spec contains Kubernetes object specifications for gVisor setup.
package spec

import (
	"google.golang.org/protobuf/proto"
	appsv1 "k8s.io/api/apps/v1"
	v13 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	"k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Exported names used by callers that build or apply the specs in this
// package.
const (
	// SystemNamespace is the name of the Kubernetes system namespace.
	SystemNamespace = "kube-system"
	// PauseContainerImage is the name of a container image that does nothing.
	PauseContainerImage = "gcr.io/google-containers/pause"
)

// Label key/value identifying GKE Sandbox nodepools; only combined into
// GKESandboxNodeSelector below.
const (
	// gvisorNodepoolKey is the key of the node label given to GKE Sandbox
	// nodepools.
	gvisorNodepoolKey = "sandbox.gke.io/runtime"
	// gvisorRuntimeClass is the runtimeClassName used for GKE Sandbox pods.
	gvisorRuntimeClass = "gvisor"
)

// GKESandboxNodeSelector selects GKE Sandbox nodes on GKE: nodes carrying the
// label gvisorNodepoolKey=gvisorRuntimeClass.
var GKESandboxNodeSelector = map[string]string{gvisorNodepoolKey: gvisorRuntimeClass}

// InstallOptions is the set of options to install runsc.
type InstallOptions struct {
	// DaemonSetNamespace is the namespace the DaemonSet object is placed in.
	DaemonSetNamespace string
	// DaemonSetName names the DaemonSet and is reused as the name of the
	// installer init container.
	DaemonSetName string
	// Labels are set on the pod template and used verbatim as the DaemonSet's
	// pod selector (MatchLabels).
	Labels map[string]string
	// NodeSelector restricts which nodes the installer pods are scheduled on.
	NodeSelector map[string]string
	// PauseContainerImage is the image of the single regular ("pause")
	// container in the pod; the installation itself happens in the init
	// container.
	PauseContainerImage string
}

// RunscInstallDaemonSet returns a DaemonSet spec that installs runsc in
// Kubernetes.
//
// The work is done by an init container running image with the node's root
// filesystem mounted at /host. That container is privileged, has CAP_SYS_ADMIN
// added explicitly and shares the host PID namespace, and the pod tolerates
// every taint, so the only thing limiting where this highly privileged pod
// lands is options.NodeSelector. After the init container finishes, the pod's
// sole regular container is the no-op pause image.
func RunscInstallDaemonSet(image string, options InstallOptions) *appsv1.DaemonSet {
	return &appsv1.DaemonSet{
		TypeMeta: v1.TypeMeta{
			Kind:       "DaemonSet",
			APIVersion: "apps/v1",
		},
		ObjectMeta: v1.ObjectMeta{
			Name:      options.DaemonSetName,
			Namespace: options.DaemonSetNamespace,
		},
		Spec: appsv1.DaemonSetSpec{
			Selector: &v1.LabelSelector{MatchLabels: options.Labels},
			UpdateStrategy: appsv1.DaemonSetUpdateStrategy{
				Type: appsv1.RollingUpdateDaemonSetStrategyType,
			},
			Template: v13.PodTemplateSpec{
				ObjectMeta: v1.ObjectMeta{Labels: options.Labels},
				Spec:       runscInstallPodSpec(image, options),
			},
		},
	}
}

// runscInstallPodSpec builds the pod template spec of the installer DaemonSet:
// one privileged init container doing the install and one pause container.
func runscInstallPodSpec(image string, options InstallOptions) v13.PodSpec {
	return v13.PodSpec{
		// An Exists toleration without a key tolerates every taint, so node
		// placement is governed by NodeSelector alone.
		Tolerations: []v13.Toleration{{Operator: v13.TolerationOpExists}},
		// The installer shares the node's PID namespace.
		HostPID:        true,
		InitContainers: []v13.Container{runscInstallContainer(options.DaemonSetName, image)},
		Containers: []v13.Container{{
			Name:  "pause",
			Image: options.PauseContainerImage,
		}},
		NodeSelector: options.NodeSelector,
		Volumes:      []v13.Volume{hostRootVolume()},
	}
}

// runscInstallContainer returns the init container that performs the runsc
// installation from image, with the host root available at /host.
func runscInstallContainer(name, image string) v13.Container {
	return v13.Container{
		Name:  name,
		Image: image,
		VolumeMounts: []v13.VolumeMount{{
			Name:      "host",
			MountPath: "/host",
		}},
		// Tiny requests: the installer is short-lived and mostly copies files.
		Resources: v13.ResourceRequirements{
			Requests: v13.ResourceList{
				v13.ResourceCPU:    resource.MustParse("5m"),
				v13.ResourceMemory: resource.MustParse("5Mi"),
			},
		},
		SecurityContext: &v13.SecurityContext{
			// Privileged already grants the full capability set; the explicit
			// CAP_SYS_ADMIN entry is kept alongside it as in the original spec.
			Capabilities: &v13.Capabilities{
				Add: []v13.Capability{"CAP_SYS_ADMIN"},
			},
			Privileged: proto.Bool(true),
		},
	}
}

// hostRootVolume returns the hostPath volume exposing the node's "/" to the
// installer; the Directory type makes the kubelet refuse anything that is not
// an existing directory.
func hostRootVolume() v13.Volume {
	hostPathType := v13.HostPathDirectory
	return v13.Volume{
		Name: "host",
		VolumeSource: v13.VolumeSource{
			HostPath: &v13.HostPathVolumeSource{
				Path: "/",
				Type: &hostPathType,
			},
		},
	}
}