proposal: CRI-O to graduation #917
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amye
added this to Needs TOC Triage & Public Comment Kickoff
in Graduating Projects Backlog
TheFoxAtWork
moved this from Needs TOC Triage & Public Comment Kickoff
to In discussion & Adopter Interviews
in Graduating Projects Backlog
haircommander
force-pushed
the
graduate-cri-o
branch
2 times, most recently
from
ef5db36
to
498234d
Compare
TheFoxAtWork
moved this from In discussion & Adopter Interviews
to In Public Comment Period
in Graduating Projects Backlog
|
+1 |
makkes
reviewed
Jun 7, 2023
proposals/graduation/cri-o.md
Outdated
| There are two pieces of the CRI: the image service and runtime service. | ||
|
|
||
| The image service is responsible for image related operations, like pulling, listing and removing images. | ||
| CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods. |
There was a problem hiding this comment.
CRI-O uses the OCI registry authentication definition
Can this be hyperlinked to said definition?
proposals/graduation/cri-o.md
Outdated
| The image service is responsible for image related operations, like pulling, listing and removing images. | ||
| CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods. | ||
| In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures. | ||
| CRI-O uses the [containers image](github.com/containers/image) library to do this image pulling, which is a library shared by projects like |
There was a problem hiding this comment.
Suggested change
| CRI-O uses the [containers image](github.com/containers/image) library to do this image pulling, which is a library shared by projects like | |
| CRI-O uses the [containers image](https://github.com/containers/image) library to do this image pulling, which is a library shared by projects like |
proposals/graduation/cri-o.md
Outdated
|
|
||
| The image service is responsible for image related operations, like pulling, listing and removing images. | ||
| CRI-O uses the OCI registry authentication definition, and the OCI image definition to conform to industry-standard image moving and storing methods. | ||
| In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures. |
There was a problem hiding this comment.
Suggested change
| In addition to docker registry authentication, CRI-O also has the option to query [sigstore](sigstore.dev) to verify image signatures. | |
| In addition to docker registry authentication, CRI-O also has the option to query [sigstore](https://sigstore.dev) to verify image signatures. |
proposals/graduation/cri-o.md
Outdated
|
|
||
| The runtime service is responsible for both container and pod related operations, for instance running and removing pods, | ||
| and creating, starting and removing containers. It uses a utility called [pinns](https://github.com/cri-o/cri-o/tree/release-1.26/pinns) | ||
| to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods. |
There was a problem hiding this comment.
Suggested change
| to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods. | |
| to create namespaces for the pods, and [CNI](https://cni.dev) to create the networking resources for pods. |
proposals/graduation/cri-o.md
Outdated
| to create namespaces for the pods, and [CNI](cni.dev) to create the networking resources for pods. | ||
| It also uses an OCI compliant runtime like [runC](https://github.com/opencontainers/runc), [crun](https://github.com/containers/crun) | ||
| or [Kata Containers](https://katacontainers.io/) to do many container operations. | ||
| It also uses a utility called [conmon](github.com/containers/conmon), or its successor [conmon-rs](github.com/containers/conmon-rs) |
There was a problem hiding this comment.
Suggested change
| It also uses a utility called [conmon](github.com/containers/conmon), or its successor [conmon-rs](github.com/containers/conmon-rs) | |
| It also uses a utility called [conmon](https://github.com/containers/conmon), or its successor [conmon-rs](https://github.com/containers/conmon-rs) |
proposals/graduation/cri-o.md
Outdated
|
|
||
| This customization applies to its security posture: | ||
|
|
||
| * Since CRI-O only supports Kubernetes, the only avenue a unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface. |
There was a problem hiding this comment.
Suggested change
| * Since CRI-O only supports Kubernetes, the only avenue a unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface. | |
| * Since CRI-O only supports Kubernetes, the only avenue an unprivileged malicious user has to attack it is to trick the Kubelet into causing CRI-O to perform the exploit. This severely limits CRI-O’s attack surface. |
proposals/graduation/cri-o.md
Outdated
|
|
||
| ### Alignment with other CNCF projects | ||
|
|
||
| CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI–most notably [containerd](https://containerd.io). |
There was a problem hiding this comment.
Suggested change
| CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI–most notably [containerd](https://containerd.io). | |
| CRI-O occupies the same piece of the Kubernetes stack as other implementations of the CRI – most notably [containerd](https://containerd.io). |
Signed-off-by: Peter Hunt~ <[email protected]>
|
thanks @makkes updates as suggested! |
haircommander
force-pushed
the
graduate-cri-o
branch
from
498234d
to
438ba42
Compare
amye
moved this from In Public Comment Period
to In TOC Voting
in Graduating Projects Backlog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CRI-O has been an incubating project for 3 years, and has been adopted by a number of organizations for their implementation of the Kubernetes container runtime interface. The CRI-O community believes it's graduation time 😎
@haircommander will be the main contact here.
TIA for your time and attention