1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
# CRI: the Container Runtime Interface
## What is CRI?
CRI (_Container Runtime Interface_) consists of a
specifications/requirements (to-be-added),
[protobuf API](https://git.k8s.io/kubernetes/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto),
and [libraries](https://git.k8s.io/kubernetes/pkg/kubelet/server/streaming)
for container runtimes to integrate with kubelet on a node. The CRI API is
currently in Alpha, and the CRI-Docker integration is used by default as of
Kubernetes 1.7+.
In the future, we plan to add more developer tools such as the CRI validation
tests.
## Why develop CRI?
Prior to the existence of CRI, container runtimes (e.g., `docker`, `rkt`) were
integrated with kubelet through implementing an internal, high-level interface
in kubelet. The entrance barrier for runtimes was high because the integration
required understanding the internals of kubelet and contributing to the main
Kubernetes repository. More importantly, this would not scale because every new
addition incurs a significant maintenance overhead in the main Kubernetes
repository.
Kubernetes aims to be extensible. CRI is one small, yet important step to enable
pluggable container runtimes and build a healthier ecosystem.
## How to use CRI?
See the [CRI installation documentation](https://kubernetes.io/docs/setup/cri/).
CRI is still young and we are actively incorporating feedback from developers
to improve the API. Although we strive to maintain backward compatibility,
developers should expect occasional API breaking changes.
*For Kubernetes 1.5, additional flags are required:*
- Set apiserver flag `--feature-gates=StreamingProxyRedirects=true`.
- Set kubelet flag `--experimental-cri=true`.
## Does Kubelet use CRI today?
Yes, Kubelet always uses CRI except for using the rktnetes integration.
The old, pre-CRI Docker integration was removed in 1.7.
## Specifications, design documents and proposals
The Kubernetes 1.5 [blog post on CRI](https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/)
serves as a general introduction.
Below is a mixed list of CRI specifications/requirements, design docs and
proposals. We are working on adding more documentation for the API.
- [Original proposal](https://github.com/kubernetes/kubernetes/blob/release-1.5/docs/proposals/container-runtime-interface-v1.md)
- [Networking](kubelet-cri-networking.md)
- [Container metrics](cri-container-stats.md)
- [Exec/attach/port-forward streaming requests](https://docs.google.com/document/d/1OE_QoInPlVCK9rMAx9aybRmgFiVjHpJCHI9LrfdNM_s/edit?usp=sharing)
- [Container stdout/stderr logs](https://github.com/kubernetes/kubernetes/blob/release-1.5/docs/proposals/kubelet-cri-logging.md)
## CRI runtimes
- [cri-o](https://github.com/cri-o/cri-o)
- [rktlet](https://github.com/kubernetes-retired/rktlet)
- [frakti](https://github.com/kubernetes/frakti)
- [cri-containerd](https://github.com/containerd/cri)
- [singularity-cri](https://github.com/sylabs/singularity-cri)
## [Status update](#status-update)
### Kubernetes v1.7 release (Docker-CRI integration GA, container metrics API)
- The Docker CRI integration has been promoted to GA.
- The legacy, non-CRI Docker integration has been completely removed from
Kubelet. The deprecated `--enable-cri` flag has been removed.
- CRI has been extended to support collecting container metrics from the
runtime.
### Kubernetes v1.6 release (Docker-CRI integration Beta)
**The Docker CRI integration has been promoted to Beta, and been enabled by
default in Kubelet**.
- **Upgrade**: It is recommended to drain your node before upgrading the
Kubelet. If you choose to perform in-place upgrade, the Kubelet will
restart all Kubernetes-managed containers on the node.
- **Resource usage and performance**: There is no performance regression
in our measurement. The memory usage of Kubelet increases slightly
(~0.27MB per pod) due to the additional gRPC serialization for CRI.
- **Disable**: To disable the Docker CRI integration and fall back to the
old implementation, set `--enable-cri=false`. Note that the old
implementation has been *deprecated* and is scheduled to be removed in
the next release. You are encouraged to migrate to CRI as early as
possible.
- **Others**: The Docker container naming/labeling scheme has changed
significantly in 1.6. This is perceived as implementation detail and
should not be relied upon by any external tools or scripts.
### Kubernetes v1.5 release (CRI v1alpha1)
- [v1alpha1 version](https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/kubelet/api/v1alpha1/runtime/api.proto) of CRI is released.
#### [CRI known issues](#cri-1.5-known-issues):
Note, these are known issues as of the 1.5 release. They may or may not have
been fixed since.
- [#27097](https://github.com/kubernetes/kubernetes/issues/27097): Container
metrics are not yet defined in CRI.
- [#36401](https://github.com/kubernetes/kubernetes/issues/36401): The new
container log path/format is not yet supported by the logging pipeline
(e.g., fluentd, GCL).
- CRI may not be compatible with other experimental features (e.g., Seccomp).
- Streaming server needs to be hardened.
- [#36666](https://github.com/kubernetes/kubernetes/issues/36666):
Authentication.
- [#36187](https://github.com/kubernetes/kubernetes/issues/36187): Avoid
including user data in the redirect URL.
#### [Docker CRI integration known issues](#docker-cri-1.5-known-issues)
Note, these are known issues as of the 1.5 release. They may or may not have
been fixed since.
- Docker compatibility: Support only Docker v1.11 and v1.12.
- Network:
- [#35457](https://github.com/kubernetes/kubernetes/issues/35457): Does
not support host ports.
- [#37315](https://github.com/kubernetes/kubernetes/issues/37315): Does
not support bandwidth shaping.
- Exec/attach/port-forward (streaming requests):
- [#35747](https://github.com/kubernetes/kubernetes/issues/35747): Does
not support `nsenter` as the exec handler (`--exec-handler=nsenter`).
- Also see [CRI 1.5 known issues](#cri-1.5-known-issues) for limitations
on CRI streaming.
## Contacts
- Email: sig-node (kubernetes-sig-node@googlegroups.com)
- Slack: https://kubernetes.slack.com/messages/sig-node
|
