RuntimeClass in Kubernetes

The RuntimeClass object¹ in k8s allows to have different container runtime options per Pod, depending on your use case. Use cases are: added isolation (e.g., using gVisor or Kata) or startup time optimisation and resource efficiency (e.g., with crun). You can use this functionality after:

1. The runtime handler options are defined.
2. The object is created.

Configuring the runtime

Every option is CRI-implementation-dependent (containerd has different options than cri-o). In any case there is a configuration file to alter (for examples see here). Every option is “handled” by a handler whose DNS-valid-name is then referenced under the handler field of the RuntimeClass.

Note

Runtime Handlers are just that: things that handle the runtime. This is a bit misleading because for example containerd is not the actual runtime (although people call it that); the actual (default) one is runc.

In containerd, runtime handlers are configured in /etc/containerd/config.toml:

version = 3
[plugins."io.containerd.cri.v1.runtime".containerd]
  default_runtime_name = "crun"
  [plugins."io.containerd.cri.v1.runtime".containerd.runtimes]
    # crun: https://github.com/containers/crun
    [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.crun]
      runtime_type = "io.containerd.runc.v2"
      [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.crun.options]
        BinaryName = "/usr/local/bin/crun"
    # gVisor: https://gvisor.dev/
    [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.gvisor]
      runtime_type = "io.containerd.runsc.v1"
    # Kata Containers: https://katacontainers.io/
    [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.kata]
      runtime_type = "io.containerd.kata.v2"

Creating the object

Here is an example object:

# RuntimeClass is defined in the node.k8s.io API group
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  # The name the RuntimeClass will be referenced by.
  # RuntimeClass is a non-namespaced resource.
  name: myclass 
# The name of the corresponding CRI configuration
handler: myconfiguration 

Note

Since by default Kubernetes is homogenous (same runtimes across all Nodes²), every RuntimeClass has to specify a Node label selector³ to indicate to the kube-scheduler which Node supports the handler. If omitted, it is assumed that all Nodes support it. The selector is UNIONed with the Node selectors of the Pod. The same goes for the overhead field.

Warning

If a Pod is scheduled on a non-suitable Node, it will enter a Failed terminal phase.

Sources

• https://kubernetes.io/docs/concepts/containers/runtime-class/

Footnotes

1. See k8s objects. ↩

2. See k8s worker nodes. ↩

3. See Labels and Label Selectors in k8s. ↩