Commit
Showing 39 changed files with 562 additions and 1 deletion.
@@ -1,2 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
config: baremetal |
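Review bot: the annotation key `config` added under `commonAnnotations` has no prefix; Kubernetes leaves unprefixed keys to end users and recommends a DNS-subdomain prefix for keys written by tooling (for example `gitops-catalog.example/config`, a placeholder name here) so they cannot collide with annotations set by other components. Note also that `commonAnnotations` is stamped on every resource this kustomization emits, cluster-scoped ones included, so confirm that is the intent rather than annotating only the config-bearing objects.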
components/configs/kustomized/kata-container-example/base/kustomization.yaml (6 changes: 6 additions & 0 deletions)
@@ -0,0 +1,6 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- pod-kata.yaml | ||
- pod-normal.yaml |
components/configs/kustomized/kata-container-example/base/pod-kata.yaml (18 changes: 18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: http-kata | ||
spec: | ||
containers: | ||
- name: http | ||
image: registry.fedoraproject.org/fedora | ||
ports: | ||
- containerPort: 8080 | ||
command: | ||
- "python3" | ||
args: | ||
- "-m" | ||
- "http.server" | ||
- "8080" | ||
resources: {} | ||
runtimeClassName: kata |
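Review bot: `image: registry.fedoraproject.org/fedora` carries neither a tag nor a digest, so every pull resolves to whatever `latest` is at that moment; pin a tag, or better a `@sha256:` digest, so the kata and normal pods are verified against the same image and the comparison stays reproducible. `resources: {}` also leaves the pod with no requests or limits (BestEffort QoS), which matters more for a Kata pod because Kata uses the container limits to size the sandbox VM. Finally there is no `securityContext`; even for a verification pod, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` cost nothing here and keep the example from being copied as a template for privileged workloads.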
components/configs/kustomized/kata-container-example/base/pod-normal.yaml (17 changes: 17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: http-normal | ||
spec: | ||
containers: | ||
- name: http | ||
image: registry.fedoraproject.org/fedora | ||
ports: | ||
- containerPort: 8080 | ||
command: | ||
- "python3" | ||
args: | ||
- "-m" | ||
- "http.server" | ||
- "8080" | ||
resources: {} |
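Review bot: `python3 -m http.server 8080` serves the process's working directory, which for an unmodified fedora image (no `WORKDIR`) is the container root filesystem, so this pod hands out a directory listing of its whole filesystem to anything that can reach port 8080. The example only needs a listener in each runtime to compare against, so pass `--directory /tmp` (supported since Python 3.7) or point it at a dedicated empty directory; the same applies to pod-kata.yaml, which runs the identical command.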
components/configs/kustomized/kata-container-example/overlays/default/kustomization.yaml (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- ../../base |
...ents/configs/kustomized/kata-container-example/overlays/with-namespace/kustomization.yaml (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
namespace: kata-verification | ||
|
||
resources: | ||
- ../../base | ||
- namespace.yaml |
components/configs/kustomized/kata-container-example/overlays/with-namespace/namespace.yaml (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: kata-verification | ||
annotations: | ||
openshift.io/display-name: "Sandboxed Containers Verification" | ||
argocd.argoproj.io/sync-wave: "0" |
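Review bot: `argocd.argoproj.io/sync-wave: "0"` is the default wave, so it does not by itself order this Namespace ahead of the pods in `../../base`, which also default to wave 0; Argo CD still creates it first only because it sorts resources within a wave by kind, with Namespace before everything else. If explicit ordering is the goal, give the namespace a negative wave (for example `"-1"`). Since this namespace exists to run sandboxed pods, consider also adding pod-security admission labels (`pod-security.kubernetes.io/enforce` and friends) so the verification pods are held to a stated profile rather than the cluster default.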
components/operators/nfd/aggregate/overlays/kata/kustomization.yaml (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true | ||
|
||
namespace: openshift-nfd | ||
|
||
resources: | ||
- ../../../operator/overlays/stable | ||
- ../../../instance/overlays/kata |
components/operators/nfd/instance/overlays/kata/kustomization.yaml (6 changes: 6 additions & 0 deletions)
@@ -0,0 +1,6 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- ../../base | ||
- nfd.yaml |
@@ -0,0 +1,20 @@ | ||
apiVersion: nfd.openshift.io/v1 | ||
kind: NodeFeatureDiscovery | ||
metadata: | ||
name: nfd-kata | ||
namespace: openshift-nfd | ||
spec: | ||
operand: | ||
image: quay.io/openshift/origin-node-feature-discovery:4.12 | ||
imagePullPolicy: Always | ||
servicePort: 12000 | ||
workerConfig: | ||
configData: | | ||
sources: | ||
custom: | ||
- name: "feature.node.kubernetes.io/runtime.kata" | ||
matchOn: | ||
- cpuId: ["SSE4", "VMX"] | ||
loadedKMod: ["kvm", "kvm_intel"] | ||
- cpuId: ["SSE4", "SVM"] | ||
loadedKMod: ["kvm", "kvm_amd"] |
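Review bot: the custom rule publishes the label `feature.node.kubernetes.io/runtime.kata`, but what it actually matches is hardware virtualization support (VMX or SVM plus the `kvm` and `kvm_intel`/`kvm_amd` modules loaded), not the presence of the kata runtime on the node; a name that describes the check, such as `kvm-capable`, would avoid a scheduler or operator treating "has KVM" as "has Kata". If this label is meant to drive Kata pod placement it should complement the KataConfig's own node selection, not substitute for it. Separately, the operand is hard-pinned to `origin-node-feature-discovery:4.12` with `imagePullPolicy: Always` while the aggregate subscribes to the operator's `stable` channel, so operator and operand versions can drift apart silently; either let the operator supply its default operand image or pin a digest that is bumped together with the channel.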
components/operators/prometheus-operator/instance/base/kustomization.yaml (3 changes: 3 additions & 0 deletions)
@@ -1,2 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
example: prometheus |
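Review bot: this prometheus-operator change (an unprefixed `example: prometheus` annotation) is unrelated to the sandboxed-containers work in the rest of the commit; splitting it into its own commit keeps the history reviewable and revertable. As with the other `commonAnnotations` additions in this commit, the key should carry a DNS-subdomain prefix rather than the bare word `example`.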
components/operators/sandboxed-containers-operator/INFO.md (68 changes: 68 additions & 0 deletions)
@@ -0,0 +1,68 @@ | ||
# sandboxed-containers-operator | ||
|
||
# Requirements | ||
Your cluster must be installed on bare metal infrastructure with Red Hat Enterprise Linux CoreOS workers. | ||
|
||
# Details | ||
OpenShift sandboxed containers based on the Kata Containers open source | ||
project, provides an Open Container Initiative (OCI) compliant container | ||
runtime using lightweight virtual machines, running your workloads in their own | ||
isolated kernel and therefore contributing an additional layer of isolation | ||
back to OpenShift’s Defense-in-Depth strategy. For more information | ||
[see](https://catalog.redhat.com/software/operators/detail/5ee0d499fdbe7cddc2c91cf5). | ||
|
||
# Features & benefits | ||
- **Isolated Developer Environments & Priviliges Scoping** | ||
As a developer working on debugging an application using state-of-the-art | ||
tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With | ||
OpenShift sandboxed containers, any impact will be limited to a separate | ||
dedicated kernel. | ||
|
||
- **Legacy Containerized Workload Isolation** | ||
You are mid-way in converting a containerized monolith into cloud-native | ||
microservices. However, the monolith still runs on your cluster unpatched and | ||
unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel | ||
to reduce risk. | ||
|
||
- **Safe Multi-tenancy & Resource Sharing (CI/CD Jobs, CNFs, ..)** | ||
If you are providing a service to multiple tenants, it could mean that the | ||
service workloads are sharing the same resources (e.g., worker node). By | ||
deploying in a dedicated kernel, the impact of these workloads have on one | ||
another is greatly reduced. | ||
|
||
- **Additional Isolation with Native Kubernetes User Experience** | ||
OpenShift sandboxed containers is used as a compliant OCI runtime. | ||
Therefore, many operational patterns used with normal containers are still | ||
preserved including but not limited to image scanning, GitOps, Imagestreams, | ||
and so on. | ||
|
||
# How to install | ||
Read the information about the Operator and click Install. | ||
|
||
On the Install Operator page: | ||
|
||
- Select preview-1.0 from the list of available Update Channel options. | ||
This ensures that you install the version of OpenShift sandboxed containers | ||
that is compatible with your OpenShift Container Platform version. | ||
|
||
- For Installed Namespace, ensure that the Operator recommended namespace | ||
option is selected. This installs the Operator in the mandatory | ||
openshift-sandboxed-containers-operator namespace, which is automatically | ||
created if it does not exist. Attempting to install the OpenShift | ||
sandboxed containers Operator in a namespace other than | ||
openshift-sandboxed-containers-operator causes the installation to fail. | ||
|
||
- For Approval Strategy, ensure that Automatic, which is the default value, | ||
is selected. OpenShift sandboxed containers automatically updates when a new | ||
z-stream release is available. | ||
|
||
- Click Install to make the Operator available to the OpenShift sandboxed | ||
containers namespace. | ||
|
||
- The OpenShift sandboxed containers Operator is now installed on your | ||
cluster. You can trigger the Operator by enabling the runtime on your cluster. | ||
You can do this by creating a KataConfig CRD instance. For this click | ||
on "create instance" on the operator overview page. | ||
|
||
# Documentation | ||
See the official documentation [here](https://docs.openshift.com/container-platform/4.8/sandboxed_containers/understanding-sandboxed-containers.html). |
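Review bot: a few corrections before this ships. `Priviliges` should be `Privileges`; `CAP_ADMIN` is not a Linux capability (`CAP_SYS_ADMIN` is the one usually meant, alongside `CAP_BPF`); `the impact of these workloads have on one another` should read `has`; and the install steps tell the reader to pick the `preview-1.0` channel and link to the 4.8 documentation, while the aggregates added in this same commit subscribe to the `stable` channel, so the prose and the manifests disagree about which channel is supported. Also, `[see](...)` as link text gives the reader no idea where the link goes; use the page title.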
@@ -0,0 +1,5 @@ | ||
# Notes | ||
|
||
## Links | ||
|
||
- https://cloud.redhat.com/blog/openshift-sandboxed-containers-101 |
components/operators/sandboxed-containers-operator/README.md (36 changes: 36 additions & 0 deletions)
@@ -0,0 +1,36 @@ | ||
# OpenShift sandboxed containers Operator | ||
|
||
Install OpenShift sandboxed containers Operator. | ||
|
||
Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use. | ||
|
||
The current *overlays* available are for the following channels: | ||
|
||
* [preview-1.0](operator/overlays/preview-1.0) | ||
* [preview-1.1](operator/overlays/preview-1.1) | ||
* [stable](operator/overlays/stable) | ||
* [stable-1.2](operator/overlays/stable-1.2) | ||
* [stable-1.3](operator/overlays/stable-1.3) | ||
|
||
## Usage | ||
|
||
If you have cloned the `gitops-catalog` repository, you can install OpenShift sandboxed containers Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory. | ||
|
||
``` | ||
oc apply -k sandboxed-containers-operator/operator/overlays/<channel> | ||
``` | ||
|
||
Or, without cloning: | ||
|
||
``` | ||
oc apply -k https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel> | ||
``` | ||
|
||
As part of a different overlay in your own GitOps repo: | ||
|
||
``` | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel>?ref=main | ||
``` |
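Review bot: the paths in the usage section do not match where this README lives. The file sits under `components/operators/sandboxed-containers-operator/`, but `oc apply -k sandboxed-containers-operator/operator/overlays/<channel>` and both GitHub URLs omit the `components/operators/` prefix, so none of the three commands resolve as written. The remote reference also pins `?ref=main`; for a GitOps consumer that is a moving target, so recommend a tag or commit SHA in `ref=` so what gets applied is reproducible and a later push to main cannot silently change the deployed manifests. The overlay list names `preview-1.1`, `stable-1.2` and `stable-1.3` directories that are not visible in this diff; confirm they exist before linking to them.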
components/operators/sandboxed-containers-operator/aggregate/aws/kustomization.yaml (10 changes: 10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
--- | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true | ||
|
||
resources: | ||
- ../../operator/overlays/stable | ||
- ../../instance/overlays/aws |
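Review bot: `../../instance/overlays/aws` is referenced here, but the only AWS instance file visible in this diff is `instance/base/aws/kustomization.yaml`; confirm that `instance/overlays/aws` exists in the commit, otherwise `kustomize build` of this aggregate fails at the first missing path.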
components/operators/sandboxed-containers-operator/aggregate/default/kustomization.yaml (10 changes: 10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
--- | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true | ||
|
||
resources: | ||
- ../../operator/overlays/stable | ||
- ../../instance/overlays/default |
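Review bot: because the operator Subscription and the instance are emitted by one kustomization, the first Argo CD sync will usually fail to create the KataConfig until the operator has registered its CRD; `SkipDryRunOnMissingResource=true` only bypasses the server-side dry run, it does not wait for the CRD to appear. Either enable sync retries on the Application that consumes this aggregate or put the instance on a later sync wave than the Subscription so the CRD exists before the instance is applied.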
components/operators/sandboxed-containers-operator/instance/base/aws/kustomization.yaml (7 changes: 7 additions & 0 deletions)
@@ -0,0 +1,7 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
namespace: openshift-sandboxed-containers-operator | ||
|
||
resources: | ||
- setup-machineset.yaml |
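Review bot: `namespace: openshift-sandboxed-containers-operator` is a kustomize transformer that rewrites the namespace of every namespaced resource in `setup-machineset.yaml`. If that file holds a MachineSet, it must live in `openshift-machine-api`, where the machine API controllers reconcile it; this override would move it to the operator namespace, where nothing will act on it. Either drop the `namespace:` field and set the namespace inside the manifest, or keep MachineSet resources out of this kustomization. The directory name `instance/base/aws` also sits oddly beside the `instance/overlays/aws` that the aggregate references; the base-plus-overlays layout used elsewhere in this commit (kata-container-example, nfd) would be the consistent choice.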