Creating Kata Containers

Create an NGINX pod that runs as a Kata Container using a Kubernetes RuntimeClass.

This task shows how to create a container using kata-runtime as the runtime engine. To create Kata Containers, set up a Kubernetes RuntimeClass resource for kata-runtime. For information on setting up a RuntimeClass, see Setting Runtime Classes.

This example uses a Kubernetes pod configuration file to create a Kata Container running an NGINX web server.

1. Create pod configuration file.

   On a host that's set up to use the kubectl command to connect to the Kubernetes cluster, create a Kubernetes pod configuration file. Use the notation runtimeClassName: kata-containers in the pod file. When CRI-O finds this runtime class in a pod file, it uses kata-runtime to run the container.

   This pod file is named kata-nginx.yaml.

   apiVersion: v1
   kind: Pod
   metadata:
     name: kata-nginx
   spec:
     runtimeClassName: kata-containers
     containers:
       - name: nginx
         image: container-registry.oracle.com/olcne/nginx:1.17.7
         ports:
         - containerPort: 80

2. Start the pod.

   Create the Kata Container using the kata-nginx.yaml file with the kubectl apply command:

   kubectl apply -f kata-nginx.yaml

3. Verify the pod is running.

   To check the pod has been created, use the kubectl get pods command:

   kubectl get pods

   The output looks similar to:

   NAME         READY   STATUS    RESTARTS   AGE
   kata-nginx   1/1     Running   0          40s

4. Show more information about the pod.

   Use the kubectl describe command to show a more detailed view of the pod, including the runtime, which worker node is hosting the pod, and the Container ID.

   kubectl describe pod kata-nginx

   The output looks similar to:

   Name:                kata-nginx
   Namespace:           default
   Priority:            0
   Runtime Class Name:  kata-containers
   Service Account:     default
   Node:                ocne-worker-1/<IP_address>
   Start Time:          Wed, 23 Oct 2024 12:07:35 +0000
   Labels:              <none>
   Annotations:         <none>
   Status:              Running
   IP:                  10.244.1.29
   IPs:
     IP:  10.244.1.29
   Containers:
     nginx:
       Container ID:   cri-o://ca0559ab7c77deddb2a5baf681fff39ae620a5a0696ee4535ad53fff...
       Image:          container-registry.oracle.com/olcne/nginx:1.17.7
       Image ID:       container-registry.oracle.com/olcne/nginx@sha256:78ce89068e7feb1...
       Port:           80/TCP
       Host Port:      0/TCP
       State:          Running
   
   ...

5. Start an administration console on the worker node running the Kata Container pod.

   You can start an administration console on any Kubernetes node using the ocne cluster console command. The syntax is:

   ocne cluster console 
   [{-d|--direct}]
   {-N|--node} nodename
   [{-t|--toolbox}]
   [-- command] 

   For more information on the syntax options, see Oracle Cloud Native Environment: CLI.

   Start an administration console on the worker node running the kata-container pod identified in the output of the previous step, by entering the following command, replacing the name of the node as appropriate:

   ocne cluster console --direct --node ocne-worker-1

6. List the pods running on a worker node.

   List the pods running on a worker node using the crictl pods command by running the following command at the administration console prompt:

   sudo crictl pods

   The output looks similar to:

   POD ID         CREATED         STATE  NAME                        NAMESPACE       ...
   02ab970089cd1  11 seconds ago  Ready  console-ocne-worker-1...    ocne-system     ...
   52af794c70dce  4 minutes ago   Ready  kata-nginx                  default         ...    
   430c83360e934  6 days ago      Ready  control-plane-capi-cont...  capi-kubeadm-con...
   ac94aebe63b51  6 days ago      Ready  bootstrap-capi-controll...  capi-kubeadm-boo...
   ...

   You can see the kata-nginx container is running on this worker node.

   For more information on using the crictl command, use the crictl --help command.

7. List details about the containers running on a worker node.

   To get more detailed information about the containers on a worker node, use the crictl ps command. For example:

   sudo crictl ps

   The output looks similar to:

   CONTAINER       IMAGE          ... NAME                                POD ID        ...
   43d8e4fba2698   9a7fadacb497dbc... console-ocne-worker-1               2e4655ea682e5 ...
   ca0559ab7c77d   ...nginx@sha256... nginx                               52af794c70dce ...
   1556b7459a2be   container-regis... olcne/kubeadm-control-plane-cont    430c83360e934 ...
   ...

   Note the Container ID is a shortened version of the Container ID shown in the pod description.

8. List more details about a pod.

   To get detailed information about a pod, run the crictl inspectp command using the POD ID. For example:

   sudo crictl inspectp 52af794c70dce

   The output looks similar to:

   {
     "status": {
       "id": "52af794c70dce199e1bdab40b9dfe196def5a791266240a11e3477ea66b1421e",
       "metadata": {
         "attempt": 0,
         "name": "kata-nginx",
         "namespace": "default",
         "uid": "331dc2b0-769b-4a5e-b1eb-a521f8c75670"
       },
       "state": "SANDBOX_READY",
       "createdAt": "<date>",
       "network": {
         "additionalIps": [],
         "ip": "<IP_address>"
       },
   ...

9. Exit the administration console.

   Exit the administration console on the worker node by typing exit at the console prompt.

   exit

10. Delete the pod.

    You can delete the pod using the kubectl delete command on the host:

    kubectl delete pod kata-nginx