proposal: CRI-O to graduation #917
ef5db36 to 498234d
/lgtm
proposals/graduation/cri-o.md (outdated)

> There are two pieces of the CRI: the image service and runtime service.
>
> The image service is responsible for image related operations, like pulling, listing and removing images.
> CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods.
> CRI-O uses the OCI registry authentication definition
Can this be hyperlinked to said definition?
proposals/graduation/cri-o.md (outdated)

> The image service is responsible for image related operations, like pulling, listing and removing images.
> CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods.
> In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures.
> CRI-O uses the [containers image](github.com/containers/image) library to do this image pulling, which is a library shared by projects like
Suggested change:
- CRI-O uses the [containers image](github.com/containers/image) library to do this image pulling, which is a library shared by projects like
+ CRI-O uses the [containers image](https://github.com/containers/image) library to do this image pulling, which is a library shared by projects like
proposals/graduation/cri-o.md (outdated)

> The image service is responsible for image related operations, like pulling, listing and removing images.
> CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods.
> In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures.
Suggested change:
- In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures.
+ In addition to docker registry authentication, CRI-O also has the option to query [sigstore](https://sigstore.dev) to verify image signatures.
proposals/graduation/cri-o.md (outdated)

> The runtime service is responsible for both container and pod related operations, for instance running and removing pods,
> and creating, starting and removing containers. It uses a utility called [pinns](https://github.com/cri-o/cri-o/tree/release-1.26/pinns)
> to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods.
Suggested change:
- to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods.
+ to create namespaces for the pods, and [CNI](https://cni.dev) to create the networking resources for pods.
proposals/graduation/cri-o.md (outdated)

> to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods.
> It also uses an OCI compliant runtime like [runC](https://github.com/opencontainers/runc), [crun](https://github.com/containers/crun)
> or [Kata Containers](https://katacontainers.io/) to do many container operations.
> It also uses a utility called [conmon](github.com/containers/conmon), or its successor [conmon-rs](github.com/containers/conmon-rs)
Suggested change:
- It also uses a utility called [conmon](github.com/containers/conmon), or its successor [conmon-rs](github.com/containers/conmon-rs)
+ It also uses a utility called [conmon](https://github.com/containers/conmon), or its successor [conmon-rs](https://github.com/containers/conmon-rs)
proposals/graduation/cri-o.md (outdated)

> This customization applies to its security posture:
>
> * Since CRI-O only supports Kubernetes, the only avenue a unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface.
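Review bot: the attack-surface claim in this bullet is stronger than the image service section of the same document supports. The Kubelet is not the only untrusted input: CRI-O also pulls and parses image content from remote registries, so registry responses are a second avenue an attacker controls, and the sigstore signature verification mentioned earlier is the mitigation for it. Suggest qualifying the sentence, e.g. "the main avenue an unprivileged user has to attack it is through the Kubelet; the other untrusted input is image content from registries, which signature verification mitigates".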
Suggested change:
- * Since CRI-O only supports Kubernetes, the only avenue a unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface.
+ * Since CRI-O only supports Kubernetes, the only avenue an unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface.
proposals/graduation/cri-o.md (outdated)

> ### Alignment with other CNCF projects
>
> CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI–most notably [containerd](https://containerd.io).
Suggested change:
- CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI–most notably [containerd](https://containerd.io).
+ CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI – most notably [containerd](https://containerd.io).
Signed-off-by: Peter Hunt~ <[email protected]>
thanks @makkes updates as suggested!
498234d to 438ba42
CRI-O has been an incubating project for 3 years, and has been adopted by a number of organizations for their implementation of the Kubernetes container runtime interface. The CRI-O community believes it's graduation time 😎
@haircommander will be the main contact here.
TIA for your time and attention