Implement a simple admission controller webhook to annotate pods with the Kata runtime class.
First build the admission controller image and the associated Kubernetes YAML files required to instantiate the admission controller.
$ cp -a ../vendor .
$ docker build -t katadocker/kata-webhook-example:latest .
$ ./create_certs.sh
Note: The image needs to be published for the webhook to work. Alternatively, on a single-machine cluster, change the imagePullPolicy to use the locally built image.
Today in crio.conf, runc is the default runtime when a user does not specify runtimeClass in the pod spec. If you want to run a cluster where Kata is used by default, except for workloads we know for sure will not work with Kata, use the admission webhook and sample admission controller we created by running:
$ kubectl apply -f deploy/
The webhook mutates pods to use the Kata runtime class for all pods except those with:
- hostNetwork: true
- namespace: rook-ceph and rook-ceph-system
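
The mutation rule described above, sketched as an added example (this is not the project's webhook code). It assumes the RuntimeClass is named "kata", uses a minimal pod struct instead of the k8s.io/api types, and takes the namespace from the admission request because the pod's own metadata.namespace can be empty on CREATE.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod fields this decision needs (not the k8s.io/api types).
type pod struct {
	Spec struct {
		HostNetwork bool `json:"hostNetwork"`
	} `json:"spec"`
}

type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// Assumption: the RuntimeClass object is named "kata"; use your cluster's name.
const kataRuntimeClass = "kata"

// Namespaces the page lists as excluded from mutation.
var excludedNamespaces = map[string]bool{"rook-ceph": true, "rook-ceph-system": true}

// kataPatch returns the JSON Patch for a pod admitted into reqNamespace, or nil
// when the pod is excluded (hostNetwork: true, or an excluded namespace).
func kataPatch(reqNamespace string, rawPod []byte) ([]byte, error) {
	var p pod
	if err := json.Unmarshal(rawPod, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	if p.Spec.HostNetwork || excludedNamespaces[reqNamespace] {
		return nil, nil
	}
	// RFC 6902 "add" on an object member sets it whether or not it exists.
	return json.Marshal([]patchOp{{Op: "add", Path: "/spec/runtimeClassName", Value: kataRuntimeClass}})
}

func main() {
	// Constructed sample pods, one per rule.
	samples := []struct{ ns, pod string }{
		{"default", `{"spec":{"containers":[{"name":"app"}]}}`},
		{"default", `{"spec":{"hostNetwork":true}}`},
		{"rook-ceph", `{"spec":{}}`},
	}
	for _, s := range samples {
		patch, err := kataPatch(s.ns, []byte(s.pod))
		fmt.Printf("%-10s patch=%s err=%v\n", s.ns, patch, err)
	}
}
```

A nil patch means the pod is admitted unchanged, so it runs with the default runtime from crio.conf.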