How to set up Kata in ICN
Kubernetes must use Containerd as its Container Runtime Interface (CRI) to be able to select Kata as a RuntimeClass. This won’t work with Docker, because Docker cannot change OCI runtimes dynamically. The R5 Secure Container release of ICN adds support for Containerd as a CRI.
...
Table 1: Default kud-installer.yaml ConfigMap values
Configuration Variable | Valid Values | Default Value |
CONTAINER_RUNTIME | docker, containerd | docker |
KUD_DEBUG | <blank>, true | <blank> |
KUD_ENABLE_TESTS | true, false | false |
ENABLE_KATA_WEBHOOK | true, false | false |
KATA_WEBHOOK_RUNTIMECLASS | kata-clh, kata-qemu | kata-clh |
CONTAINER_RUNTIME
This is the Container Runtime Interface for Kubernetes. The default is to use Docker with no Kata support. If Containerd is chosen, then Kata will be installed as part of the cluster.
...
This is the default hypervisor with its RuntimeClass settings that will be used by the webhook when it mutates pods to use the Kata runtime. The default is to use cloud-hypervisor (kata-clh) but QEMU (kata-qemu) is also supported.
How to use Kata with ICN
Using Kata in an ICN deployment is as simple as adding the RuntimeClass to each Pod spec. Below is a simple example showing how this is done for the cloud-hypervisor test pod.
...
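To confirm which pods actually run under Kata after the RuntimeClass has been added to their specs, the added script below (not part of ICN or its documentation) classifies the output of `kubectl get pods -A -o json` by `spec.runtimeClassName`. The function names, the sample pods and the `example-other` class are constructed for illustration; only `kata-clh` and `kata-qemu` come from Table 1.

```python
import json
import sys

# RuntimeClass names from Table 1 (valid KATA_WEBHOOK_RUNTIMECLASS values).
KATA_RUNTIME_CLASSES = {"kata-clh", "kata-qemu"}

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "default", "name": "clh-test"},
     "spec": {"runtimeClassName": "kata-clh"}},
    {"metadata": {"namespace": "default", "name": "qemu-test"},
     "spec": {"runtimeClassName": "kata-qemu"}},
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {}},  # no RuntimeClass: runs on the cluster's default runtime
    {"metadata": {"namespace": "tenant-a", "name": "batch"},
     "spec": {"runtimeClassName": "example-other"}},
]})


def classify_pods(pod_list_json):
    """Group pods by isolation: Kata RuntimeClass, other RuntimeClass, or none."""
    report = {"kata": [], "other": [], "default": []}
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        runtime_class = pod.get("spec", {}).get("runtimeClassName")
        if runtime_class in KATA_RUNTIME_CLASSES:
            report["kata"].append((ref, runtime_class))
        elif runtime_class:
            report["other"].append((ref, runtime_class))
        else:
            report["default"].append((ref, None))
    return report


def main():
    # Pipe real kubectl output in, or run with no stdin to use the sample.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    report = classify_pods(data or SAMPLE_POD_LIST)
    for group in ("kata", "other", "default"):
        for ref, runtime_class in report[group]:
            print(f"{group:8} {ref:24} {runtime_class or '-'}")
    # Non-zero exit when any pod is not under a Kata RuntimeClass.
    return 1 if report["other"] or report["default"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pods reported as `default` have no RuntimeClass set, which is the expected state for unmodified specs when ENABLE_KATA_WEBHOOK is left at its default of false.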