Hi Team,
Could you help me with the scenario below?
-
Runtimeclass
There is a namespace with 3 deployments, each with its own pods running.
Here I need to introduce a RuntimeClass named gvisor, which needs to be reflected on all the pods. How can I update the runtimeClassName from the deployment? I already tried editing/recreating the pods, which failed.
-
Apparmor
I have a custom AppArmor profile created, located at /etc/apparmor.d/file on a worker node.
My task is to create a pod with the AppArmor profile loaded perfectly.
Here I already checked the directive below.
container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>
How can I specify the AppArmor file to be loaded on the pod perfectly?
Please advise
Thanks
Jay
Hi @jayaram161989
I’m not an expert on CKS, but since this question is still outstanding, I’ll have a go.
RuntimeClass/gVisor
Firstly you’ll need to ensure that gVisor is installed on all the nodes where you want to run sandboxed containers. See Installation - gVisor
Next, you need to create the RuntimeClass so kubernetes can use it.
cat << EOF | kubectl create -f -
# node.k8s.io/v1beta1 was removed in Kubernetes 1.25; use the v1 API
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
Now you should be able to add
runtimeClassName: gvisor
to your pod spec.
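The two manifests above, as a script that also shows the Deployment side of the question (the field sits in the pod template, so the ReplicaSet replaces the pods after the patch). This is an added example, not code from the thread or from gVisor; it assumes the runsc handler is already registered with the node container runtime, and the namespace argument, RUNTIME_CLASS and HANDLER values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread above: render the RuntimeClass and the
# Deployment patch that moves every pod of a Deployment onto gVisor, and verify.
# Assumes gVisor's runsc handler is registered with the node container runtime;
# RUNTIME_CLASS, HANDLER and the namespace argument are placeholders.
set -eu

RUNTIME_CLASS="${RUNTIME_CLASS:-gvisor}"
HANDLER="${HANDLER:-runsc}"

# RuntimeClass is cluster-scoped. 'handler' must equal the runtime handler name
# configured in containerd/CRI-O, not the RuntimeClass name.
render_runtimeclass() {
  cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: ${RUNTIME_CLASS}
handler: ${HANDLER}
EOF
}

# runtimeClassName is immutable on a running pod and lives in the pod template,
# so edit the Deployment; its ReplicaSet then replaces the pods for you.
render_deployment_patch() {
  cat <<EOF
spec:
  template:
    spec:
      runtimeClassName: ${RUNTIME_CLASS}
EOF
}

# Apply to a live cluster: needs kubectl and a kubeconfig (not run by default).
apply_to_namespace() {
  ns="$1"
  render_runtimeclass | kubectl apply -f -
  for dep in $(kubectl -n "$ns" get deployments -o name); do
    kubectl -n "$ns" patch "$dep" --type merge -p "$(render_deployment_patch)"
    kubectl -n "$ns" rollout status "$dep"
  done
  # Every pod should now report the RuntimeClass in its spec.
  kubectl -n "$ns" get pods -o custom-columns=NAME:.metadata.name,RUNTIME:.spec.runtimeClassName
}

# Usage: sh gvisor-deploy.sh            -> print the manifests
#        sh gvisor-deploy.sh apply NS   -> apply them to namespace NS
case "${1:-render}" in
  render) render_runtimeclass; echo '---'; render_deployment_patch ;;
  apply)  apply_to_namespace "${2:?namespace required}" ;;
esac
```

If a pod stays Pending after the rollout, the usual cause is a node whose runtime has no handler named runsc; the RuntimeClass object itself is accepted by the API server regardless, so check the pod events rather than the RuntimeClass.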
Thank you @Alistair_KodeKloud for the answer.
I figured it out in both cases.
-
My requirement: I need to enable the RuntimeClass on a Deployment.
First create the RuntimeClass and then update the Deployment as below:
spec.template.spec.runtimeClassName
-
Apparmor definition
Simply load the AppArmor profile on the specific node using "apparmor_parser -q filename", then specify the same in the pod definition under metadata.
Make sure it is loaded with "aa-status".
container.apparmor.security.beta.kubernetes.io/<container_name>: <Specify_the_apparmor_profile>
Thanks
Jay
1 Like