CRI-O is a lightweight container runtime for Kubernetes. Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.
- Kubernetes supports CRI-O on v1.11.1 or later.
- etcd: configure either kubeadm managed etcd or host deployment
To use the CRI-O container runtime set the following variables:
download_container: false
skip_downloads: false
etcd_deployment_type: host # optionally kubeadmcontainer_manager: crioEnable docker hub registry mirrors
crio_registries:
- prefix: docker.io
insecure: false
blocked: false
location: registry-1.docker.io
unqualified: false
mirrors:
- location: 192.168.100.100:5000
insecure: true
- location: mirror.gcr.io
insecure: falseThe following is a method to enable insecure registries.
crio_insecure_registries:
- 10.0.0.2:5000And you can config authentication for these registries after crio_insecure_registries.
crio_registry_auth:
- registry: 10.0.0.2:5000
username: user
password: passCRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.
crio_runtimes:
- name: runc
path: /usr/bin/runc
type: oci
root: /run/runc
allowed_annotations:
- "io.kubernetes.cri-o.userns-mode"
crio_remap_enable: trueThe allowed_annotations configures crio.conf accordingly.
The crio_remap_enable configures the /etc/subuid and /etc/subgid files to add an entry for the containers user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
Node Resource Interface (NRI) is disabled by default for the CRI-O. If you are using CRI-O version v1.26.0 or above, then you can enable it with the following configuration:
nri_enabled: true