gvisor under eks


title: "gvisor under eks"
date: 2022-02-09T16:22:29
slug: gvisor-under-eks


ssh -i $eks_key ec2-user@$gVisor_node_EIP

cat kubelet.service

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service iptables-restore.service
Requires=docker.service
[Service]
ExecStartPre=/sbin/iptables -P FORWARD ACCEPT -w 5
ExecStart=/usr/bin/kubelet --cloud-provider aws \
--config /etc/kubernetes/kubelet/kubelet-config.json \
--kubeconfig /var/lib/kubelet/kubeconfig \
--container-runtime remote \
--network-plugin cni $KUBELET_ARGS $KUBELET_EXTRA_ARGS
Restart=always
RestartSec=5
KillMode=process
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl restart kubelet

Install latest gvisor release

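(
  # Fetch the current gVisor release for this host's CPU architecture and
  # install runsc plus the containerd shim into /usr/local/bin.
  #
  # NOTE: the .sha512 files are fetched from the same origin, over the same
  # channel, as the binaries themselves, so `sha512sum -c` only detects a
  # corrupted download; it does not establish that the release is authentic.
  # For reproducible node builds pin a specific release path instead of
  # "latest", and prefer a signed distribution channel where one is available.
  set -e
  ARCH=$(uname -m)
  URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"

  # Download into a private temp dir so nothing is left in the caller's cwd
  # and cleanup never touches unrelated *.sha512 files (the original
  # `rm -f \*.sha512` was markdown-escaped and would not have matched anything).
  TMP=$(mktemp -d)
  trap 'rm -rf -- "${TMP:?}"' EXIT
  cd "$TMP"

  wget "${URL}/runsc" "${URL}/runsc.sha512" \
    "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"

  # One check per file; set -e aborts the subshell on the first mismatch.
  sha512sum -c runsc.sha512
  sha512sum -c containerd-shim-runsc-v1.sha512

  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)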

Install gvisor-containerd-shim

$ git clone https://github.com/google/gvisor-containerd-shim.git
$ cd gvisor-containerd-shim
$ make
$ sudo make install

cat kubelet.service.d/10-kubelet-args.conf

[Service]
Environment='KUBELET_ARGS=--node-ip=10.0.1.14 --pod-infra-container-image=602401143452.dkr.ecr.eu-central-1.amazonaws.com/eks/pause:3.1-eksbuild.1 --v=2 --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock'
mkdir /etc/containerd/
cat <
kubectl label node $gVisor_node_name runtime=gvisor
cat <
cat <