Preventing Kubernetes from Pulling the Pause Image from the Internet
6 months ago
- #DevOps
- #Container Runtime
- #Kubernetes
- The blog post emphasizes the importance of minimizing external dependencies in an internal Kubernetes (k8s) platform for reliability.
- By default, Kubernetes nodes reach out to registry.k8s.io to fetch the pause image on first pod creation, creating an unnecessary internet dependency.
- The pause image is crucial because it backs the Kubernetes pod 'sandbox': it holds the Linux namespaces and was previously responsible for reaping zombie processes.
- The pause image is part of the Container Runtime Interface (CRI) spec, so it is more closely tied to CRI than to Kubernetes itself.
- Instructions are provided to redirect containerd to use a locally mirrored pause image by updating the containerd configuration, reducing reliance on external services.
- The post warns about the lack of uptime SLA for registry.k8s.io and strongly recommends mirroring images to a controlled location for higher reliability.