CRI-O is a lightweight container runtime for Kubernetes. Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.
To use the CRI-O container runtime set the following variables:
download_container: false skip_downloads: false etcd_deployment_type: host # optionally kubeadm
container_manager: crio
Enable docker hub registry mirrors
crio_registries: - prefix: docker.io insecure: false blocked: false location: registry-1.docker.io unqualified: false mirrors: - location: 192.168.100.100:5000 insecure: true - location: mirror.gcr.io insecure: false
For heavily mult-threaded workloads like databases, the default of 1024 for pids-limit is too low. This parameter controls not just the number of processes but also the amount of threads (since a thread is technically a process with shared memory). See cri-o#1921
In order to increase the default pids_limit for cri-o based deployments you need to set the crio_pids_limit for your k8s_cluster ansible group or per node depending on the use case.
crio_pids_limit: 4096
CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.
crio_runtimes: - name: runc path: /usr/bin/runc type: oci root: /run/runc allowed_annotations: - "io.kubernetes.cri-o.userns-mode" crio_remap_enable: true
The allowed_annotations configures crio.conf accordingly.
The crio_remap_enable configures the /etc/subuid and /etc/subgid files to add an entry for the containers user. By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.