Serving: Allow runtimeClassName and dnsPolicy in service template spec
In what area(s)?
/area API
/kind spec
Describe the feature
Allow runtimeClassName and dnsPolicy fields in the service template spec (currently disallowed here) in order to be able to run untrusted pods with knative.
Example:
spec:
runtimeClassName: 'kata-qemu' # or 'runsc' (gvisor)
dnsPolicy: 'Default'
...
RuntimeClass
Different runtimes _can_ be specified for knative services using:
annotations:
io.kubernetes.cri.untrusted-workload: "true"
However, this method is deprecated in favor of runtimeClassName
https://kubernetes.io/docs/concepts/containers/runtime-class/
https://github.com/kata-containers/documentation/blob/master/how-to/containerd-kata.md
https://gvisor.dev/docs/user_guide/kubernetes/#using-containerd
dnsPolicy
According to the k8s docs:
“Default” is not the default DNS policy. If dnsPolicy is not explicitly specified, then “ClusterFirst” is used.
In cases such as untrusted pods, it is undesirable to give access to the cluster dns.
wilsonianb
All 10 comments
Issues go stale after 90 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now please do so by adding the comment /close.
Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.
/lifecycle stale
knative-housekeeping-robot
on 24 Jan 2020
Stale issues rot after 30 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.
Rotten issues close after an additional 30 days of inactivity.
If this issue is safe to close now please do so by adding the comment /close.
Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.
/lifecycle rotten
knative-housekeeping-robot
on 23 Feb 2020
Is there any reason runtimeClass is in the list of disabled fields? The choice of runtime should for the most part be transparent to the pod/container.
fvoznika
on 10 Mar 2020
/remove-lifecycle rotten
This probably belongs with several other similar items around what can be in/out of Pods.
evankanderson
on 18 Mar 2020
Issues go stale after 90 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now please do so by adding the comment /close.
Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.
/lifecycle stale
knative-housekeeping-robot
on 17 Jun 2020
I couldn't find any reference for the reason runtimeClassName was disabled in the first place by the knative API.
By passing this field and testing with kata runtime it seems to work, would it make sense to enable it? what else is required in order to have it supported by Knative API?
snir911
on 3 Aug 2020
@snir911 this document describes the reasoning for not including runtimeClassName and other fields in the service template spec
https://docs.google.com/document/d/1DY5t7LqGPOq5Jw5AixSgJY8S2VuQnTGzRpV6apY_nAI/edit#
wilsonianb
on 3 Aug 2020
I don't have access to the document, can you please make it public?
fvoznika
on 5 Aug 2020
You have to join knative-users group to get access.
vagababov
on 5 Aug 2020
The recommendation from @JRBANCEL is to use Feature Flags to support RuntimeClass.
Here is an example that adds support for node selector and affinity: #8645
Can this issue be reopened?
fvoznika
on 12 Aug 2020
Related issues
wtam2018
·
4Comments
evankanderson
·
3Comments
greghaynes
·
4Comments
vtereso
·
5Comments
scothis
·
3Comments
Most helpful comment
/remove-lifecycle rotten
This probably belongs with several other similar items around what can be in/out of Pods.