| /* |
| Copyright The containerd Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package annotations |
| |
| import ( |
| customopts "github.com/containerd/containerd/v2/internal/cri/opts" |
| "github.com/containerd/containerd/v2/pkg/oci" |
| runtime "k8s.io/cri-api/pkg/apis/runtime/v1" |
| ) |
| |
| // ContainerType values |
| // Following OCI annotations are used by katacontainers now. |
| // We'll switch to standard secure pod API after it is defined in CRI. |
| const ( |
| // ContainerTypeSandbox represents a pod sandbox container |
| ContainerTypeSandbox = "sandbox" |
| |
| // ContainerTypeContainer represents a container running within a pod |
| ContainerTypeContainer = "container" |
| |
| // ContainerType is the container type (sandbox or container) annotation |
| ContainerType = "io.kubernetes.cri.container-type" |
| |
| // SandboxID is the sandbox ID annotation |
| SandboxID = "io.kubernetes.cri.sandbox-id" |
| |
| // SandboxCPU annotations are based on the initial CPU configuration for the sandbox. This is calculated as the |
| // sum of container CPU resources, optionally provided by Kubelet (introduced in 1.23) as part of the PodSandboxConfig |
| SandboxCPUPeriod = "io.kubernetes.cri.sandbox-cpu-period" |
| SandboxCPUQuota = "io.kubernetes.cri.sandbox-cpu-quota" |
| SandboxCPUShares = "io.kubernetes.cri.sandbox-cpu-shares" |
| |
| // SandboxMemory is the initial amount of memory associated with this sandbox. This is calculated as the sum |
| // of container memory, optionally provided by Kubelet (introduced in 1.23) as part of the PodSandboxConfig. |
| SandboxMem = "io.kubernetes.cri.sandbox-memory" |
| |
| // SandboxLogDir is the pod log directory annotation. |
| // If the sandbox needs to generate any log, it will put it into this directory. |
| // Kubelet will be responsible for: |
| // 1) Monitoring the disk usage of the log, and including it as part of the pod |
| // ephemeral storage usage. |
| // 2) Cleaning up the logs when the pod is deleted. |
| // NOTE: Kubelet is not responsible for rotating the logs. |
| SandboxLogDir = "io.kubernetes.cri.sandbox-log-directory" |
| |
| // UntrustedWorkload is the sandbox annotation for untrusted workload. Untrusted |
| // workload can only run on dedicated runtime for untrusted workload. |
| UntrustedWorkload = "io.kubernetes.cri.untrusted-workload" |
| |
| // SandboxNamespace is the name of the namespace of the sandbox (pod) |
| SandboxNamespace = "io.kubernetes.cri.sandbox-namespace" |
| |
| // SandboxUID is the uid of the sandbox (pod) passed to CRI via RunPodSanbox, |
| // this field is useful for linking the uid created by the CRI client (e.g. kubelet) |
| // to the internal Sandbox.ID created by the containerd sandbox service |
| SandboxUID = "io.kubernetes.cri.sandbox-uid" |
| |
| // SandboxName is the name of the sandbox (pod) |
| SandboxName = "io.kubernetes.cri.sandbox-name" |
| |
| // ContainerName is the name of the container in the pod |
| ContainerName = "io.kubernetes.cri.container-name" |
| |
| // ImageName is the name of the image used to create the container |
| ImageName = "io.kubernetes.cri.image-name" |
| |
| // SandboxImageName is the name of the sandbox image |
| SandboxImageName = "io.kubernetes.cri.podsandbox.image-name" |
| |
| // PodAnnotations are the annotations of the pod |
| PodAnnotations = "io.kubernetes.cri.pod-annotations" |
| |
| // RuntimeHandler an experimental annotation key for getting runtime handler from pod annotations. |
| // See https://github.com/containerd/containerd/issues/6657 and https://github.com/containerd/containerd/pull/6899 for details. |
| // The value of this annotation should be the runtime for sandboxes. |
| // e.g. for [plugins.cri.containerd.runtimes.runc] runtime config, this value should be runc |
| // TODO: we should deprecate this annotation as soon as kubelet supports passing RuntimeHandler from PullImageRequest |
| RuntimeHandler = "io.containerd.cri.runtime-handler" |
| |
| // WindowsHostProcess is used by hcsshim to identify windows pods that are running HostProcesses |
| WindowsHostProcess = "microsoft.com/hostprocess-container" |
| ) |
| |
| // DefaultCRIAnnotations are the default set of CRI annotations to |
| // pass to sandboxes and containers. |
| func DefaultCRIAnnotations( |
| sandboxID string, |
| containerName string, |
| imageName string, |
| config *runtime.PodSandboxConfig, |
| sandbox bool, |
| ) []oci.SpecOpts { |
| opts := []oci.SpecOpts{ |
| customopts.WithAnnotation(SandboxID, sandboxID), |
| customopts.WithAnnotation(SandboxNamespace, config.GetMetadata().GetNamespace()), |
| customopts.WithAnnotation(SandboxUID, config.GetMetadata().GetUid()), |
| customopts.WithAnnotation(SandboxName, config.GetMetadata().GetName()), |
| } |
| ctrType := ContainerTypeContainer |
| if sandbox { |
| ctrType = ContainerTypeSandbox |
| // Sandbox log dir and sandbox image name get passed for sandboxes, the other metadata always |
| // gets sent however. |
| opts = append( |
| opts, |
| customopts.WithAnnotation(SandboxLogDir, config.GetLogDirectory()), |
| customopts.WithAnnotation(SandboxImageName, imageName), |
| ) |
| } else { |
| // Image name and container name get passed for containers. |
| opts = append( |
| opts, |
| customopts.WithAnnotation(ContainerName, containerName), |
| customopts.WithAnnotation(ImageName, imageName), |
| ) |
| } |
| return append(opts, customopts.WithAnnotation(ContainerType, ctrType)) |
| } |
