From 7523ea44f1661e051f349f81f0b637a78b258ee8 Mon Sep 17 00:00:00 2001
From: Ameer Ghani <57697428+inahga@users.noreply.github.com>
Date: Thu, 3 Jun 2021 18:56:43 -0500
Subject: [PATCH] feat: allow specifying runtime class in runner spec (#580)
This allows using the `runtimeClassName` directive in the runner's spec. One of the use-cases for this is Kata Containers, which use `runtimeClassName` in a pod spec as an indicator that the pod should run inside a Kata container. This allows us a greater degree of pod isolation.
---
README.md | 6 +++++-
api/v1alpha1/runner_types.go | 5 +++++
api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
.../crds/actions.summerwind.dev_runnerdeployments.yaml | 3 +++
.../crds/actions.summerwind.dev_runnerreplicasets.yaml | 3 +++
.../crds/actions.summerwind.dev_runners.yaml | 3 +++
.../crd/bases/actions.summerwind.dev_runnerdeployments.yaml | 3 +++
.../crd/bases/actions.summerwind.dev_runnerreplicasets.yaml | 3 +++
config/crd/bases/actions.summerwind.dev_runners.yaml | 3 +++
controllers/runner_controller.go | 4 ++++
10 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b143ef16..d710d950 100644
--- a/README.md
+++ b/README.md
@@ -771,7 +771,7 @@ spec:
 # - https://cloud.google.com/container-registry/docs/pulling-cached-images
 dockerRegistryMirror: https://mirror.gcr.io/
 # false (default) = Docker support is provided by a sidecar container deployed in the runner pod.
- # true = No docker sidecar container is deployed in the runner pod but docker can be used within teh runner container instead. The image summerwind/actions-runner-dind is used by default.
+ # true = No docker sidecar container is deployed in the runner pod but docker can be used within the runner container instead. The image summerwind/actions-runner-dind is used by default.
 dockerdWithinRunnerContainer: true
 # Docker sidecar container image tweaks examples below, only applicable if dockerdWithinRunnerContainer = false
 dockerdContainerResources:
@@ -805,6 +805,10 @@ spec:
 dockerVolumeMounts:
 - mountPath: /var/lib/docker
 name: docker-extra
+ # Optional name of the container runtime configuration that should be used for pods.
+ # This must match the name of a RuntimeClass resource available on the cluster.
+ # More info: https://kubernetes.io/docs/concepts/containers/runtime-class
+ runtimeClassName: "runc"
 ```
 ### Runner Labels
diff --git a/api/v1alpha1/runner_types.go b/api/v1alpha1/runner_types.go
index 930ed52e..1364a78d 100644
--- a/api/v1alpha1/runner_types.go
+++ b/api/v1alpha1/runner_types.go
@@ -107,6 +107,11 @@ type RunnerSpec struct {
 HostAliases []corev1.HostAlias `json:"hostAliases,omitempty"`
 // +optional
 VolumeSizeLimit *resource.Quantity `json:"volumeSizeLimit,omitempty"`
+
+ // RuntimeClassName is the container runtime configuration that containers should run under.
+ // More info: https://kubernetes.io/docs/concepts/containers/runtime-class
+ // +optional
+ RuntimeClassName *string `json:"runtimeClassName,omitempty"`
 }
 // ValidateRepository validates repository field.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f3f2abc8..9f91f29c 100644
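Review bot: The doc comment on the new RuntimeClassName field in the runner_types.go hunk drops the constraint that the README hunk in this same commit states — the value must name a RuntimeClass resource that exists on the cluster — and because the CRD descriptions in this commit are generated from that comment, the constraint is missing from the API schema as well. Suggest `// RuntimeClassName is the name of a RuntimeClass resource, which must exist on the cluster, that the runner pod's containers should run under.` with the existing More info line kept beneath it. It is also worth saying on the field that an empty string is not the same as leaving it unset, since the controller hunk forwards the pointer to the pod spec as-is and the API server, not this operator, is what rejects an invalid name. RunnerSpec already has a ValidateRepository method visible just below the struct, so a sibling check for this field would fit the existing validation pattern.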
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -791,6 +791,11 @@ func (in *RunnerSpec) DeepCopyInto(out *RunnerSpec) {
 x := (*in).DeepCopy()
 *out = &x
 }
+ if in.RuntimeClassName != nil {
+ in, out := &in.RuntimeClassName, &out.RuntimeClassName
+ *out = new(string)
+ **out = **in
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerSpec.
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
index c0ebf6d6..23428031 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
@@ -688,6 +688,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
index f859dec9..f15154a2 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
@@ -685,6 +685,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
index c8ff9711..cc169f26 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
@@ -650,6 +650,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml b/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
index c0ebf6d6..23428031 100644
--- a/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
@@ -688,6 +688,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml b/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
index f859dec9..f15154a2 100644
--- a/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
@@ -685,6 +685,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/config/crd/bases/actions.summerwind.dev_runners.yaml b/config/crd/bases/actions.summerwind.dev_runners.yaml
index c8ff9711..cc169f26 100644
--- a/config/crd/bases/actions.summerwind.dev_runners.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runners.yaml
@@ -650,6 +650,9 @@ spec:
 description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
 type: object
 type: object
+ runtimeClassName:
+ description: 'RuntimeClassName is the container runtime configuration that containers should run under. More info: https://kubernetes.io/docs/concepts/containers/runtime-class'
+ type: string
 securityContext:
 description: PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
 properties:
diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go
index 93693b48..80d83250 100644
--- a/controllers/runner_controller.go
+++ b/controllers/runner_controller.go
@@ -910,6 +910,10 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 pod.Spec.HostAliases = runner.Spec.HostAliases
 }
+ if runner.Spec.RuntimeClassName != nil {
+ pod.Spec.RuntimeClassName = runner.Spec.RuntimeClassName
+ }
+
 if err := ctrl.SetControllerReference(&runner, &pod, r.Scheme); err != nil {
 return pod, err
 }
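Review bot: The added assignment in newPod stores the Runner's pointer directly in the pod spec, so the Runner and the Pod share a single string; the generated DeepCopyInto in this same commit allocates a fresh string for the field, and doing the same here keeps the pod spec independent of the runner value: `rc := *runner.Spec.RuntimeClassName` then `pod.Spec.RuntimeClassName = &rc`. Because this field selects the runtime configuration the job's containers execute under, any later code that mutates the shared string through one object would silently change it for the other. The nil guard means an unset Runner field leaves whatever pod.Spec.RuntimeClassName already held, which presumably is nil at this point but cannot be confirmed from the hunk. newPod begins and ends outside the hunk.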