|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * sandboxed_containers/deploying-sandboxed-container-workloads.adoc |
| 4 | + |
| 5 | +:_module-type: PROCEDURE |
| 6 | +[id="sandboxed-containers-check-node-eligiblilty_{context}"] |
| 7 | += Checking whether cluster nodes are eligible to run {sandboxed-containers-first} |
| 8 | + |
| 9 | +Before running {sandboxed-containers-first}, you can check whether the nodes in your cluster are eligible to run Kata containers. Some cluster nodes might not comply with sandboxed containers' minimum requirements. The most common reason for node ineligibility is the lack of virtualization support on the node. If you attempt to run sandboxed workloads on ineligible nodes, you will experience errors. You can use the Node Feature Discovery Operator (NFD) and a `NodeFeatureDiscovery` resource to automatically check node eligibility. |
| 10 | + |
| 11 | +[NOTE] |
| 12 | +==== |
| 13 | +If you want to install the Kata runtime on only selected worker nodes that you know are eligible, apply the `feature.node.kubernetes.io/runtime.kata=true` label to the selected nodes and set `checkNodeEligibility: true` in the `KataConfig` resource. |
| 14 | +
|
| 15 | +Alternatively, to install the Kata runtime on all worker nodes, set `checkNodeEligibility: false` in the `KataConfig` resource. |
| 16 | +
|
| 17 | +In both these scenarios, you do not need to create the `NodeFeatureDiscovery` resource. You should only apply the `feature.node.kubernetes.io/runtime.kata=true` label manually if you are sure that the node is eligible to run Kata containers. |
| 18 | +==== |
| 19 | + |
| 20 | +The following procedure applies the `feature.node.kubernetes.io/runtime.kata=true` label to all eligible nodes and configures the `KataConfig` resource to check for node eligibility. |
| 21 | + |
| 22 | +.Prerequisites |
| 23 | + |
| 24 | +* Install the OpenShift CLI (`oc`). |
| 25 | +* Log in as a user with `cluster-admin` privileges. |
| 26 | +* Install the Node Feature Discovery (NFD) Operator. |
| 27 | +
|
| 28 | +.Procedure |
| 29 | + |
| 30 | +. Create a `NodeFeatureDiscovery` resource to detect node capabilities suitable for running Kata containers: |
| 31 | + |
| 32 | +.. Save the following YAML in the `nfd.yaml` file: |
| 33 | ++ |
| 34 | +[source,yaml] |
| 35 | +---- |
| 36 | +apiVersion: nfd.openshift.io/v1 |
| 37 | +kind: NodeFeatureDiscovery |
| 38 | +metadata: |
| 39 | + name: nfd-kata |
| 40 | + namespace: openshift-nfd |
| 41 | +spec: |
| 42 | + operand: |
| 43 | + namespace: openshift-nfd |
| 44 | + image: quay.io/openshift/origin-node-feature-discovery:4.10 |
| 45 | + imagePullPolicy: Always |
| 46 | + servicePort: 12000 |
| 47 | + workerConfig: |
| 48 | + configData: | |
| 49 | + sources: |
| 50 | + custom: |
| 51 | + - name: "feature.node.kubernetes.io/runtime.kata" |
| 52 | + matchOn: |
| 53 | + - cpuId: ["SSE4", "VMX"] |
| 54 | + loadedKMod: ["kvm", "kvm_intel"] |
| 55 | + - cpuId: ["SSE4", "SVM"] |
| 56 | + loadedKMod: ["kvm", "kvm_amd"] |
| 57 | +---- |
| 58 | + |
| 59 | +.. Create the `NodeFeatureDiscovery` custom resource (CR): |
| 60 | ++ |
| 61 | +[source,terminal] |
| 62 | +---- |
| 63 | +$ oc create -f nfd.yaml |
| 64 | +---- |
| 65 | ++ |
| 66 | +.Example output |
| 67 | +[source,terminal] |
| 68 | +---- |
| 69 | +nodefeaturediscovery.nfd.openshift.io/nfd-kata created |
| 70 | +---- |
| 71 | ++ |
| 72 | +A `feature.node.kubernetes.io/runtime.kata=true` label is applied to all qualifying worker nodes. |
| 73 | + |
| 74 | +. Set the `checkNodeEligibility` field to `true` in the `KataConfig` resource to enable the feature, for example: |
| 75 | + |
| 76 | +.. Save the following YAML in the `kata-config.yaml` file: |
| 77 | ++ |
| 78 | +[source,yaml] |
| 79 | +---- |
| 80 | +apiVersion: kataconfiguration.openshift.io/v1 |
| 81 | +kind: KataConfig |
| 82 | +metadata: |
| 83 | + name: example-kataconfig |
| 84 | +spec: |
| 85 | + checkNodeEligibility: true |
| 86 | +---- |
| 87 | + |
| 88 | +.. Create the `KataConfig` CR: |
| 89 | ++ |
| 90 | +[source,terminal] |
| 91 | +---- |
| 92 | +$ oc create -f kata-config.yaml |
| 93 | +---- |
| 94 | ++ |
| 95 | +.Example output |
| 96 | +[source,terminal] |
| 97 | +---- |
| 98 | +kataconfig.kataconfiguration.openshift.io/example-kataconfig created |
| 99 | +---- |
| 100 | + |
| 101 | +.Verification |
| 102 | + |
| 103 | +* Verify that qualifying nodes in the cluster have the correct label applied: |
| 104 | ++ |
| 105 | +[source,terminal] |
| 106 | +---- |
| 107 | +$ oc get nodes --selector='feature.node.kubernetes.io/runtime.kata=true' |
| 108 | +---- |
| 109 | ++ |
| 110 | +.Example output |
| 111 | +[source,terminal] |
| 112 | +---- |
| 113 | +NAME STATUS ROLES AGE VERSION |
| 114 | +compute-3.example.com Ready worker 4h38m v1.23.3+e419edf |
| 115 | +compute-2.example.com Ready worker 4h35m v1.23.3+e419edf |
| 116 | +---- |
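Review bot: The anchor id on line 6 of the new module is misspelled: `sandboxed-containers-check-node-eligiblilty_{context}` should read `sandboxed-containers-check-node-eligibility_{context}`. Fix it before merge, because cross-references written with the correct spelling will not resolve and renaming the id later breaks any links that already use it. A second point on lines 44-45: the example pulls `quay.io/openshift/origin-node-feature-discovery:4.10` by a mutable tag with `imagePullPolicy: Always`, and the labels this operand applies decide which nodes the Kata runtime is installed on when `checkNodeEligibility: true` is set. Either say that the tag must match the cluster version or show the image pinned by digest. The Verification section (lines 101-116) only lists labelled nodes; since the label can also be applied by hand per the NOTE, it would help to add a step that confirms the label came from the `nfd-kata` rule rather than from a manual `oc label`.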