
Preventing Kubernetes from Pulling the Pause Image from the Internet


I don’t normally write blog posts that regurgitate information from normal documentation, but this particular subject irks me.

If you are running an internal Kubernetes (k8s) platform, you owe it to yourself to make sure there is nothing external to your platform determining your reliability.

You could ask yourself: How many internet dependencies do you have to start a pod? Should be zero, right???

If you use stock k8s, you might be surprised to know that each of your k8s nodes is actually reaching out to registry.k8s.io on first pod creation to get the pause image:

$ sudo crictl images
IMAGE                   TAG   IMAGE ID        SIZE
registry.k8s.io/pause   3.9   e6f1816883972

If you want to change that, you can update your containerd (1.x) toml:

[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "YOUR_REGISTRY/pause:3.10"

And depend on one less thing. The rest of the blog post will go deeper into why this is the case.
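One way to check a node for this, as an added example that is not from the original post: the script reads sandbox_image from the CRI table of a containerd 1.x config and reports whether it points at your own registry. The function names, the sample configs and the host registry.internal.example are assumptions made for illustration.

```shell
# Added example (not from the original post): audit a containerd 1.x config.toml.
# Print sandbox_image from the [plugins."io.containerd.grpc.v1.cri"] table only.
sandbox_image_of() {
  awk '
    /^[ \t]*\[/ {                        # table header: track the current table
      gsub(/[ \t]/, "")
      in_cri = ($0 == "[plugins.\"io.containerd.grpc.v1.cri\"]")
      next
    }
    in_cri && /^[ \t]*sandbox_image[ \t]*=/ {
      sub(/^[^=]*=/, "")                 # drop the key and the equals sign
      sub(/#.*$/, "")                    # drop a trailing comment
      sub(/^[^A-Za-z0-9]+/, "")          # drop leading space and quote
      sub(/[^A-Za-z0-9]+$/, "")          # drop trailing quote and space
      print; exit
    }
  ' "$1"
}

# check_pause_image CONFIG INTERNAL_REGISTRY
#   0 = served by INTERNAL_REGISTRY, 1 = any other registry,
#   2 = key unset, so the stock default described in the post applies.
check_pause_image() {
  img=$(sandbox_image_of "$1")
  [ -n "$img" ] || { echo "UNSET: no sandbox_image in $1"; return 2; }
  case "$img" in
    "$2"/*) echo "OK: $img"; return 0 ;;
    *)      echo "EXTERNAL: $img"; return 1 ;;
  esac
}

# Constructed sample configs; registry.internal.example is a placeholder host.
write_samples() {
  printf '%s\n' 'version = 2' '[plugins."io.containerd.grpc.v1.cri"]' \
    '  sandbox_image = "registry.k8s.io/pause:3.9"' > "$1/stock.toml"
  printf '%s\n' 'version = 2' '[plugins."io.containerd.grpc.v1.cri"]' \
    '  # sandbox_image = "registry.k8s.io/pause:3.9"' \
    '  sandbox_image = "registry.internal.example/pause:3.10"  # mirrored' \
    '[plugins."io.containerd.grpc.v1.cri".containerd]' \
    '  snapshotter = "overlayfs"' > "$1/fixed.toml"
  printf '%s\n' 'version = 2' '[plugins."io.containerd.grpc.v1.cri".containerd]' \
    '  snapshotter = "overlayfs"' > "$1/unset.toml"
}

demo=$(mktemp -d) && write_samples "$demo"
for f in stock fixed unset; do
  check_pause_image "$demo/$f.toml" registry.internal.example || true
done
rm -rf "$demo"
```

On a node, run check_pause_image against the containerd config file with your registry host as the second argument; a non-zero exit status means the pause image would not come from that registry.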

What Is The Pause Image Anyway?

The pause image is the container image that backs the k8s “sandbox” of a pod. This pause container is designed to hold the Linux namespaces. The pause container also used to reap zombie processes from the other containers in a pod, its duty as PID 1, but that is no longer the case by default in k8s 1.8+.
