add: kata (#38)
codekow authored Nov 11, 2023
1 parent 40d70ca commit 3c871d2
Showing 39 changed files with 562 additions and 1 deletion.
3 changes: 3 additions & 0 deletions components/configs/cluster/baremetal/base/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -1,2 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
config: baremetal
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- pod-kata.yaml
- pod-normal.yaml
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: http-kata
spec:
containers:
- name: http
image: registry.fedoraproject.org/fedora
ports:
- containerPort: 8080
command:
- "python3"
args:
- "-m"
- "http.server"
- "8080"
resources: {}
runtimeClassName: kata
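Review bot: `python3 -m http.server` serves the process's current directory, and with no `workingDir` set the container starts in `/` (unless the image sets a WORKDIR), so this pod exposes the whole container root filesystem on port 8080 to anything that can reach the pod IP. For a verification pod that may be acceptable, but set `workingDir` to an empty directory, or add a `securityContext` with a non-root user and `readOnlyRootFilesystem: true`, so the check does not double as a file server. The image `registry.fedoraproject.org/fedora` is also untagged, so `latest` floats between syncs; pin a tag or digest so the kata and normal pods stay comparable.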
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: http-normal
spec:
containers:
- name: http
image: registry.fedoraproject.org/fedora
ports:
- containerPort: 8080
command:
- "python3"
args:
- "-m"
- "http.server"
- "8080"
resources: {}
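Review bot: this manifest is identical to `pod-kata.yaml` except for the missing `runtimeClassName`, which is exactly what makes it a useful control: `oc exec http-normal -- uname -r` should report the node's kernel while `http-kata` should report the guest VM kernel. A one-line comment in the file stating that this is the control pod (plus the same image pinning and `workingDir` fix as for `pod-kata.yaml`) would help whoever reuses this overlay.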
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../base
@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: kata-verification

resources:
- ../../base
- namespace.yaml
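Review bot: `namespace.yaml` carries `argocd.argoproj.io/sync-wave: "0"` but the pods pulled in from `../../base` carry no wave, so they also land in wave 0; Argo CD orders resources within a wave by kind, so the Namespace is still created first, but the API server will reject `http-kata` if the `kata` RuntimeClass does not exist yet (the RuntimeClass admission plugin refuses pods that reference a missing RuntimeClass). Give the pods a later sync-wave, for example via a patch in this overlay, so the verification runs only after the KataConfig has reconciled.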
@@ -0,0 +1,8 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: kata-verification
annotations:
openshift.io/display-name: "Sandboxed Containers Verification"
argocd.argoproj.io/sync-wave: "0"
@@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

namespace: openshift-nfd

resources:
- ../../../operator/overlays/stable
- ../../../instance/overlays/kata
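Review bot: `namespace: openshift-nfd` at this level is applied by kustomize to every namespaced resource from both the operator and the instance overlay. That is the intended namespace for NFD, so it works, but it silently overrides the `namespace: openshift-nfd` already set on `nfd.yaml` and will mask a mistake if someone later points `../../../instance/overlays/kata` at a CR meant for another namespace. `SkipDryRunOnMissingResource=true` is needed because the NodeFeatureDiscovery CRD does not exist until the operator installs; pairing it with sync-wave annotations (operator before instance) avoids repeated sync failures while the CRD is still missing.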
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../base
- nfd.yaml
20 changes: 20 additions & 0 deletions components/operators/nfd/instance/overlays/kata/nfd.yaml
@@ -0,0 +1,20 @@
apiVersion: nfd.openshift.io/v1
kind: NodeFeatureDiscovery
metadata:
name: nfd-kata
namespace: openshift-nfd
spec:
operand:
image: quay.io/openshift/origin-node-feature-discovery:4.12
imagePullPolicy: Always
servicePort: 12000
workerConfig:
configData: |
sources:
custom:
- name: "feature.node.kubernetes.io/runtime.kata"
matchOn:
- cpuId: ["SSE4", "VMX"]
loadedKMod: ["kvm", "kvm_intel"]
- cpuId: ["SSE4", "SVM"]
loadedKMod: ["kvm", "kvm_amd"]
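Review bot: the operand image is pinned to the mutable tag `quay.io/openshift/origin-node-feature-discovery:4.12` together with `imagePullPolicy: Always`, so the binary that labels nodes can change underneath the cluster on every pod restart and is decoupled from the NFD operator version actually installed from the `stable` channel. Pin by digest, or keep the tag aligned with the deployed operator and cluster version. Note also that the two `matchOn` entries are ORed and the conditions inside each entry are ANDed, so `feature.node.kubernetes.io/runtime.kata` only asserts that the node has a virtualization-capable CPU with `kvm` plus `kvm_intel` or `kvm_amd` loaded; it says nothing about the kata runtime being installed, which is what the `http-kata` verification pod in this commit checks. Confirm the resulting label key on a node with `oc get node <name> --show-labels` after the first sync.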
Expand Up @@ -6,4 +6,4 @@ commonAnnotations:

resources:
- ../../operator/overlays/beta
- ../../instance/overlays/example
# - ../../instance/overlays/example
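Review bot: commenting out `../../instance/overlays/example` disables the example instance for everyone consuming this overlay, and nothing in the commit message (`add: kata`) explains why. If the example instance should no longer be applied, remove the line rather than leaving a commented reference and state the reason in the commit message; if it was only disabled for a local test, restore it before merging.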
@@ -1,2 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
example: prometheus
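Review bot: the added annotation key `example: prometheus` has no prefix; Kubernetes reserves unprefixed keys for user-defined annotations, so it is valid but easy to collide with, and it matches the `config: baremetal` convention used elsewhere in this commit. This hunk and the previous one are unrelated to the kata change the commit is titled for and would be easier to review in their own commit.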
68 changes: 68 additions & 0 deletions components/operators/sandboxed-containers-operator/INFO.md
@@ -0,0 +1,68 @@
# sandboxed-containers-operator

# Requirements
Your cluster must be installed on bare metal infrastructure with Red Hat Enterprise Linux CoreOS workers.

# Details
OpenShift sandboxed containers based on the Kata Containers open source
project, provides an Open Container Initiative (OCI) compliant container
runtime using lightweight virtual machines, running your workloads in their own
isolated kernel and therefore contributing an additional layer of isolation
back to OpenShift’s Defense-in-Depth strategy. For more information
[see](https://catalog.redhat.com/software/operators/detail/5ee0d499fdbe7cddc2c91cf5).

# Features & benefits
- **Isolated Developer Environments & Priviliges Scoping**
As a developer working on debugging an application using state-of-the-art
tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With
OpenShift sandboxed containers, any impact will be limited to a separate
dedicated kernel.

- **Legacy Containerized Workload Isolation**
You are mid-way in converting a containerized monolith into cloud-native
microservices. However, the monolith still runs on your cluster unpatched and
unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel
to reduce risk.

- **Safe Multi-tenancy & Resource Sharing (CI/CD Jobs, CNFs, ..)**
If you are providing a service to multiple tenants, it could mean that the
service workloads are sharing the same resources (e.g., worker node). By
deploying in a dedicated kernel, the impact of these workloads have on one
another is greatly reduced.

- **Additional Isolation with Native Kubernetes User Experience**
OpenShift sandboxed containers is used as a compliant OCI runtime.
Therefore, many operational patterns used with normal containers are still
preserved including but not limited to image scanning, GitOps, Imagestreams,
and so on.

# How to install
Read the information about the Operator and click Install.

On the Install Operator page:

- Select preview-1.0 from the list of available Update Channel options.
This ensures that you install the version of OpenShift sandboxed containers
that is compatible with your OpenShift Container Platform version.

- For Installed Namespace, ensure that the Operator recommended namespace
option is selected. This installs the Operator in the mandatory
openshift-sandboxed-containers-operator namespace, which is automatically
created if it does not exist. Attempting to install the OpenShift
sandboxed containers Operator in a namespace other than
openshift-sandboxed-containers-operator causes the installation to fail.

- For Approval Strategy, ensure that Automatic, which is the default value,
is selected. OpenShift sandboxed containers automatically updates when a new
z-stream release is available.

- Click Install to make the Operator available to the OpenShift sandboxed
containers namespace.

- The OpenShift sandboxed containers Operator is now installed on your
cluster. You can trigger the Operator by enabling the runtime on your cluster.
You can do this by creating a KataConfig CRD instance. For this click
on "create instance" on the operator overview page.

# Documentation
See the official documentation [here](https://docs.openshift.com/container-platform/4.8/sandboxed_containers/understanding-sandboxed-containers.html).
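Review bot: this text reads as the operator's catalog description copied verbatim and is out of step with the README added in the same commit: it tells the user to select the `preview-1.0` channel, while the README lists `stable`, `stable-1.2` and `stable-1.3` overlays and the aggregate overlays in this commit use `operator/overlays/stable`, and the documentation link points at the 4.8 docs. Also `CAP_ADMIN` is not a Linux capability (the one meant is `CAP_SYS_ADMIN`), "Priviliges" should be "Privileges", and "the impact of these workloads have on one another" should be "the impact these workloads have on one another". A short header stating where the text comes from and when it was captured would tell readers which parts are authoritative.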
5 changes: 5 additions & 0 deletions components/operators/sandboxed-containers-operator/NOTES.md
@@ -0,0 +1,5 @@
# Notes

## Links

- https://cloud.redhat.com/blog/openshift-sandboxed-containers-101
36 changes: 36 additions & 0 deletions components/operators/sandboxed-containers-operator/README.md
@@ -0,0 +1,36 @@
# OpenShift sandboxed containers Operator

Install OpenShift sandboxed containers Operator.

Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use.

The current *overlays* available are for the following channels:

* [preview-1.0](operator/overlays/preview-1.0)
* [preview-1.1](operator/overlays/preview-1.1)
* [stable](operator/overlays/stable)
* [stable-1.2](operator/overlays/stable-1.2)
* [stable-1.3](operator/overlays/stable-1.3)

## Usage

If you have cloned the `gitops-catalog` repository, you can install OpenShift sandboxed containers Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory.

```
oc apply -k sandboxed-containers-operator/operator/overlays/<channel>
```

Or, without cloning:

```
oc apply -k https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel>
```

As part of a different overlay in your own GitOps repo:

```
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel>?ref=main
```
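Review bot: the paths in the Usage section do not match where the files live. This README is at `components/operators/sandboxed-containers-operator/README.md`, but `oc apply -k sandboxed-containers-operator/operator/overlays/<channel>` is meant to be run from the repo root and both remote URLs omit the `components/operators/` prefix, so all three commands fail as written. Also, `?ref=main` in the remote Kustomization example pins to a moving branch; for a GitOps consumer, pin `ref` to a tag or commit so that an upstream push cannot silently change the operator Subscription being applied to the cluster.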
@@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

resources:
- ../../operator/overlays/stable
- ../../instance/overlays/aws
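Review bot: the instance overlay is applied in the same sync as the operator, and `SkipDryRunOnMissingResource=true` only suppresses the dry-run failure while the KataConfig CRD is absent; the real apply still fails until the operator has installed the CRD, leaving the Application out of sync until a retry. Add sync-wave annotations (operator first, instance later) or enable retries on the Application so the initial bootstrap converges without manual re-syncs.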
@@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

resources:
- ../../operator/overlays/stable
- ../../instance/overlays/default
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: openshift-sandboxed-containers-operator

resources:
- setup-machineset.yaml
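Review bot: `namespace: openshift-sandboxed-containers-operator` here rewrites the namespace of every namespaced object in `setup-machineset.yaml`, and that file is not shown in this view. If it contains a MachineSet, that object must live in `openshift-machine-api` to be reconciled and this transformer would move it; if it is a Job or similar that creates the MachineSet, it needs cross-namespace RBAC that should be reviewed explicitly. Either way the file deserves a comment on what it provisions and why, since INFO.md in this commit states bare metal is required while the aggregate overlay consuming an instance overlay is named `aws`.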