che icon indicating copy to clipboard operation
che copied to clipboard

Published 20 hours ago verified publisher icon eclipse-che

Support running a workspace in kata containers

Open l0rd opened this issue 3 years ago • 4 comments

Is your enhancement related to a problem? Please describe

Kata containers allow running pod in dedicated VMs. That makes it possible to run a container as root without any security exposure (and run apt-get/yum install or buildah).

To run a Che workspace in a kata container the workspace Pod should specify runtimeClassName: kata:

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  runtimeClassName: kata
  containers:
  ...

But that's not currently possible.

Describe the solution you'd like

To implement we should:

  1. Add spec.runtimeClassName field in DevWorkspace CRD that, if set and if the user has the necessary privileges, will be propagated to all the workspace Pods.
  2. Add a new Che URL parameter runtime-class-name: https://<che-host>#<repository_url>?<runtimeClassName>. If set the resulting DevWorkspace should include the runtimeClassName

Additional context

Here I have described how to setup an OpenShift cluster with kata containers and run buildah in it.

l0rd avatar Feb 01 '22 18:02 l0rd

We can support this via an attribute in the DevWorkspace Operator, or by adding the relevant field to the DevWorkspace CRD -- which is preferable here?

It would be very straightforward to define e.g. controller.devfile.io/runtimeClassName as an attribute and propagate that to the pod created for that workspace. This also has the benefit of not adding more explicit fields to the DevWorkspace API and also being "upgradeable" to an explicit CRD field in the future.

amisevsk avatar Mar 01 '22 20:03 amisevsk

We can support this via an attribute in the DevWorkspace Operator, or by adding the relevant field to the DevWorkspace CRD -- which is preferable here?

I want to let the developers to choose if the workspace will run in a Kata container or not. In other words, on the same OpenShift cluster, a developer can:

  • specify the factory URL parameter runtime-class-name=kata and the workspace will be started using kata containers
  • omit the factory URL parameter runtime-class-name and the workspace will be started using a regular Pod.

So if the attribute your are thinking about is at the DevWorkspace CR level than 👍

l0rd avatar Mar 02 '22 12:03 l0rd

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

che-bot avatar Aug 29 '22 00:08 che-bot

/remove-lifecycle stale

amisevsk avatar Aug 29 '22 15:08 amisevsk

This is now possible using devfile attributes as describe in the PR

l0rd avatar Oct 20 '22 12:10 l0rd