
Enable to sync registry creds by proxying CRI #323

Merged
merged 1 commit into from
May 20, 2021

Conversation

ktock
Member

@ktock ktock commented May 18, 2021

Fixes: #270

Though stargz snapshotter supports kubeconfig-based authentication on Kubernetes, this has some drawbacks including that it requires additional permission (listing/watching secrets) to the node.

For solving this issue, this commit introduces an alternative authentication method based on CRI proxy.

This allows stargz snapshotter to work as a proxy of CRI Image Service. Stargz Snapshotter exposes CRI Image Service API on its unix socket (i.e. /run/containerd-stargz-grpc/containerd-stargz-grpc.sock). It acquires registry creds by scanning requests on CRI PullImage API.

The following configuration enables this authentication mode.
The `--image-service-endpoint=unix:///run/containerd-stargz-grpc/containerd-stargz-grpc.sock` option must be passed to kubelet.

```toml
[cri_keychain]
enable_keychain = true
image_service_path = "/run/containerd/containerd.sock"
```

Though stargz snapshotter supports kubeconfig-based authentication on
Kubernetes, this has some drawbacks including that it requires additional
permission (listing/watching secrets) to the node.

For solving this issue, this commit introduces an alternative authentication
method based on CRI proxy.

This allows stargz snapshotter to work as a proxy of CRI Image Service. The
snapshotter exposes CRI Image Service API on its unix socket
(i.e. `/run/containerd-stargz-grpc/containerd-stargz-grpc.sock`). Stargz
Snapshotter acquires registry creds by scanning requests on CRI ImagePull API.

The following configuration enables this authentication mode.
The `--image-service-endpoint=unix:///run/containerd-stargz-grpc/containerd-stargz-grpc.sock`
option must be passed to kubelet.

```toml
[cri_keychain]
enable_keychain = true
image_service_path = "/run/containerd/containerd.sock"
```

Signed-off-by: Kohei Tokunaga <[email protected]>
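A simplified sketch of the CRI-proxy keychain described in the PR description and the commit message above, added here as an example and not the snapshotter's own code: the proxy handler records the credentials carried by each forwarded PullImage call, keyed by registry host, so the snapshotter can later authenticate its lazy layer fetches without any access to Kubernetes secrets. The `AuthConfig` and `PullImageRequest` types are hypothetical stand-ins for the CRI proto messages, and the `forward` callback stands in for the gRPC call to the real image service socket.

```go
package main

import (
	"strings"
	"sync"
)

// Simplified stand-ins for the CRI PullImageRequest fields (hypothetical, not k8s.io/cri-api types).
type AuthConfig struct{ Username, Password string }
type PullImageRequest struct {
	Image string
	Auth  *AuthConfig
}

// CRIKeychain holds creds observed on proxied PullImage calls, keyed by registry host.
type CRIKeychain struct {
	mu    sync.RWMutex
	creds map[string]AuthConfig
}

func NewCRIKeychain() *CRIKeychain { return &CRIKeychain{creds: map[string]AuthConfig{}} }

// registryHost returns the registry of an image reference; a first path component without
// "." or ":" (and not "localhost") is a Docker Hub namespace, so the default docker.io applies.
func registryHost(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) == 1 || (!strings.ContainsAny(parts[0], ".:") && parts[0] != "localhost") {
		return "docker.io"
	}
	return parts[0]
}

// PullImage is the proxy handler: record creds carried by the request, then forward it
// unchanged to the real image service (containerd's socket in the PR's configuration).
func (k *CRIKeychain) PullImage(req PullImageRequest, forward func(PullImageRequest) error) error {
	if req.Auth != nil && req.Auth.Username != "" {
		k.mu.Lock()
		k.creds[registryHost(req.Image)] = *req.Auth // held in memory only, never written to disk
		k.mu.Unlock()
	}
	return forward(req)
}

// Resolve is what the snapshotter would consult when it later lazily fetches layers.
func (k *CRIKeychain) Resolve(host string) (AuthConfig, bool) {
	k.mu.RLock()
	defer k.mu.RUnlock()
	c, ok := k.creds[host]
	return c, ok
}
```

Anonymous pulls pass through without recording anything, and creds are scoped to the registry host they were presented for, so a credential for one registry is never offered to another.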
Successfully merging this pull request may close these issues.

[RFC] Snapshotter should receive creds via kubelet or containerd CRI plugin