Preventing Kubernetes from Pulling the Pause Image from the Internet

Original link: https://kyle.cascade.family/posts/preventing-kubernetes-from-pulling-the-pause-image-from-the-internet/

## Eliminating External Dependencies in a Kubernetes Platform

This post focuses on a hidden internet dependency in a standard Kubernetes setup: the `pause` image. When Kubernetes first creates a Pod, the node by default pulls this image from `registry.k8s.io` to set up the Pod's "sandbox", a low-level container that holds the Linux namespaces. This dependency introduces a potential point of failure, because `registry.k8s.io` is a volunteer-managed service with *no* uptime SLA. The solution? **Mirror the `pause` image into a private registry you control and reconfigure your containerd runtime.** This is done with a simple change in the containerd TOML file (the syntax differs between v1.x and v2.x). By removing this external dependency you improve the reliability of your internal Kubernetes platform and ensure that Pod creation does not depend on internet connectivity or on the availability of a free, unsupported service.

This Hacker News discussion centers on a blog post (cascade.family) that explains how to stop Kubernetes from needlessly downloading the "pause" image from the internet. Users quickly moved on to other topics. One reported a possible man-in-the-middle (MITM) attack and certificate errors when visiting the cascade.family site, possibly related to its ".family" top-level domain. Another commenter criticized the current implementation, arguing that the pause image should ship with containerd rather than be downloaded at runtime, and suggested baking it into the machine image. Finally, one user expressed a pessimistic view of Kubernetes adoption, arguing that most users would be better off with simpler virtual machine deployments, while conceding that Kubernetes is more appealing. The thread also contains a Y Combinator application announcement.

Original post

I don’t normally write blog posts that regurgitate information from normal documentation, but this particular subject irks me.

If you are running an internal Kubernetes (k8s) platform, you owe it to yourself to make sure there is nothing external to your platform determining your reliability.

You could ask yourself: How many internet dependencies do you have to start a pod? Should be zero, right???

If you use stock k8s, you might be surprised to know that each of your k8s nodes is actually reaching out to registry.k8s.io on first pod creation to get the pause image:

```
$ sudo crictl images
IMAGE                                     TAG                 IMAGE ID            SIZE
registry.k8s.io/pause                     3.9                 e6f1816883972
```

If you want to change that, you can update your containerd (1.x) toml:

```toml
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "YOUR_REGISTRY/pause:3.10"
```

And depend on one less thing. The rest of the blog post will go deeper into why this is the case.

The pause image is the container image that backs the k8s "sandbox" of a pod. This pause container is designed to hold the Linux namespaces. The pause container used to also reap zombie processes from the other containers in a pod, its duty as PID 1, but that isn't the case by default anymore in k8s 1.8+.

The sandbox of a pod is part of the CRI spec. The CRI spec is a generic way for k8s to talk pods (and sandboxes) that is not specific to any particular container runtime (like containerd). Any container runtime that implements the CRI spec can, in theory, run k8s pods.

This means that the pause image has more to do with CRI than it does with k8s.

When a CRI-enabled container runtime needs to create a sandbox, at least in the case of containerd, it does this by creating a real container.

The image containerd is configured to use (by default) to create that sandbox is the pause image. You can see this in code here.

Per the current docs, you can override the containerd sandbox image with a containerd configuration like this (assuming you have mirrored the image to a local registry):

(containerd 1.x)

```toml
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "YOUR_REGISTRY/pause:3.10"
```

(containerd 2.x)

```toml
version = 3

[plugins]
  [plugins.'io.containerd.cri.v1.images']
    ...
    [plugins.'io.containerd.cri.v1.images'.pinned_images]
      sandbox = 'YOUR_REGISTRY/pause:3.10'
```

Don’t take my word for it here, this particular setting has changed over time, check the official docs.

If you go to registry.k8s.io you will see:

Please note that there is NO uptime SLA as this is a free, volunteer managed service. We will however do our best to respond to issues and the system is designed to be reliable and low-maintenance. If you need higher uptime guarantees please consider mirroring images to a location you control.

So yea, this is your PSA. Please mirror like they recommend and reconfigure as needed to not depend on the internet.
