merge with master

Vagrantfile

@@ -55,6 +55,8 @@ $os ||= "ubuntu1804"
 $network_plugin ||= "flannel"
 # Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
 $multi_networking ||= false
+$download_run_once ||= "True"
+$download_force_cache ||= "True"
 # The first three nodes are etcd servers
 $etcd_instances ||= $num_instances
 # The first two nodes are kube masters
@@ -69,6 +71,7 @@ $override_disk_size ||= false
 $disk_size ||= "20GB"
 $local_path_provisioner_enabled ||= false
 $local_path_provisioner_claim_root ||= "/opt/local-path-provisioner/"
+$libvirt_nested ||= false
 
 $playbook ||= "cluster.yml"
 
@@ -146,6 +149,8 @@ Vagrant.configure("2") do |config|
       end
 
       node.vm.provider :libvirt do |lv|
+        lv.nested = $libvirt_nested
+        lv.cpu_mode = "host-model"
         lv.memory = $vm_memory
         lv.cpus = $vm_cpus
         lv.default_prefix = 'kubespray'
@@ -196,11 +201,11 @@ Vagrant.configure("2") do |config|
         "flannel_interface": "eth1",
         "kube_network_plugin": $network_plugin,
         "kube_network_plugin_multus": $multi_networking,
-        "download_run_once": "True",
+        "download_run_once": $download_run_once,
         "download_localhost": "False",
         "download_cache_dir": ENV['HOME'] + "/kubespray_cache",
         # Make kubespray cache even when download_run_once is false
-        "download_force_cache": "True",
+        "download_force_cache": $download_force_cache,
         # Keeping the cache on the nodes can improve provisioning speed while debugging kubespray
         "download_keep_remote_cache": "False",
         "docker_rpm_keepcache": "1",

docs/kata-containers.md

@@ -0,0 +1,68 @@
+# Kata Containers
+
+[Kata Containers](https://katacontainers.io) is a secure container runtime with lightweight virtual machines that supports multiple hypervisor solutions.
+
+## Hypervisors
+
+_Qemu_ is the only hypervisor supported by Kubespray.
+
+## Installation
+
+To use Kata Containers, set the following variables:
+
+**k8s-cluster.yml**:
+
+```yaml
+container_manager: containerd
+kata_containers_enabled: true
+```
+
+**etcd.yml**:
+
+```yaml
+etcd_deployment_type: host
+```
+
+## Configuration
+
+### Recommended : Pod Overhead
+
+[Pod Overhead](https://kubernetes.io/docs/concepts/configuration/pod-overhead/) is a feature for accounting for the resources consumed by the Runtime Class used by the Pod.
+
+When this feature is enabled, Kubernetes will count the fixed amount of CPU and memory set in the configuration as used by the virtual machine and not by the containers running in the Pod.
+
+Pod Overhead is mandatory if you run Pods with Kata Containers that use [resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits).
+
+**Set cgroup driver**:
+
+To enable Pod Overhead feature you have to configure Kubelet with the appropiate cgroup driver, using the following configuration:
+
+```yaml
+kubelet_cgroup_driver: cgroupfs
+```
+
+**Qemu hypervisor configuration**:
+
+The configuration for the Qemu hypervisor uses the following values:
+
+```yaml
+kata_containers_qemu_overhead: true
+kata_containers_qemu_overhead_fixed_cpu: 10m
+kata_containers_qemu_overhead_fixed_memory: 290Mi
+```
+
+### Optional : Select Kata Containers version
+
+Optionally you can select the Kata Containers release version to be installed. The available releases are published in [GitHub](https://github.com/kata-containers/runtime/releases).
+
+```yaml
+kata_containers_version: 1.11.1
+```
+
+### Optional : Debug
+
+Debug is disabled by default for all the components of Kata Containers. You can change this behaviour with the following configuration:
+
+```yaml
+kata_containers_qemu_debug: 'false'
+```

docs/openstack.md

@@ -1,7 +1,10 @@
 OpenStack
-===============
+=========
 
-To deploy kubespray on [OpenStack](https://www.openstack.org/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'openstack'`.
+The in-tree cloud provider
+--------------------------
+
+To deploy Kubespray on [OpenStack](https://www.openstack.org/) uncomment the `cloud_provider` option in `group_vars/all/all.yml` and set it to `openstack`.
 
 After that make sure to source in your OpenStack credentials like you would do when using `nova-client` or `neutron-client` by using `source path/to/your/openstack-rc` or `. path/to/your/openstack-rc`.
 
@@ -51,29 +54,29 @@ Given the port ids on the left, you can set the two `allowed-address`(es) in Ope
   openstack port set e5ae2045-a1e1-4e99-9aac-4353889449a7 --allowed-address ip-address=10.233.0.0/18 --allowed-address ip-address=10.233.64.0/18
   ```
 
-If all the VMs in the tenant correspond to kubespray deployment, you can "sweep run" above with:
+If all the VMs in the tenant correspond to Kubespray deployment, you can "sweep run" above with:
 
   ```bash
   openstack port list --device-owner=compute:nova -c ID -f value | xargs -tI@ openstack port set @ --allowed-address ip-address=10.233.0.0/18 --allowed-address ip-address=10.233.64.0/18
   ```
 
 Now you can finally run the playbook.
 
-Upgrade from the in-tree to the external cloud provider
----------------
+The external cloud provider
+---------------------------
 
-The in-tree cloud provider is deprecated and will be removed in a future version of Kubernetes. The target release for removing all remaining in-tree cloud providers is set to 1.21
+The in-tree cloud provider is deprecated and will be removed in a future version of Kubernetes. The target release for removing all remaining in-tree cloud providers is set to 1.21.
 
 The new cloud provider is configured to have Octavia by default in Kubespray.
 
-- Change cloud provider from `cloud_provider: openstack` to the new external Cloud provider:
+- Enable the new external cloud provider in `group_vars/all/all.yml`:
 
   ```yaml
   cloud_provider: external
   external_cloud_provider: openstack
   ```
 
-- Enable Cinder CSI:
+- Enable Cinder CSI in `group_vars/all/openstack.yml`:
 
   ```yaml
   cinder_csi_enabled: true
@@ -105,6 +108,5 @@ The new cloud provider is configured to have Octavia by default in Kubespray.
   - ""
   ```
 
-- Run the `upgrade-cluster.yml` playbook
-- Run the cleanup playbook located under extra_playbooks `extra_playbooks/migrate_openstack_provider.yml` (this will clean up all resources used by the old cloud provider)
-- You can remove the feature gates for Volume migration. If you want to enable the possibility to expand CSI volumes you could leave the `ExpandCSIVolumes=true` feature gate
+- Run `source path/to/your/openstack-rc` to read your OpenStack credentials like `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, etc. Those variables are used for accessing OpenStack from the external cloud provider.
+- Run the `cluster.yml` playbook

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -171,6 +171,9 @@ dns_domain: "{{ cluster_name }}"
 ## docker for docker, crio for cri-o and containerd for containerd.
 container_manager: docker
 
+# Additional container runtimes
+kata_containers_enabled: false
+
 ## Settings for containerd runtimes (only used when container_manager is set to containerd)
 #
 # Settings for default containerd runtime

roles/container-engine/kata-containers/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+
+kata_containers_version: 1.11.1
+kata_containers_release_url: https://github.com/kata-containers/runtime/releases/download/{{ kata_containers_version }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz
+kata_containers_dir: /opt/kata
+kata_containers_config_dir: /etc/kata-containers
+kata_containers_containerd_bin_dir: /usr/local/bin
+
+kata_containers_qemu_default_memory: "{{ ansible_memtotal_mb }}"
+kata_containers_qemu_debug: 'false'
+kata_containers_qemu_sandbox_cgroup_only: 'true'
+kata_containers_qemu_enable_mem_prealloc: 'false'

roles/container-engine/kata-containers/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Download artifacts
+  unarchive:
+    src: "{{ kata_containers_release_url }}"
+    dest: /
+    remote_src: true
+
+- name: Create config directory
+  file:
+    path: "{{ kata_containers_config_dir }}"
+    state: directory
+
+- name: Set configuration
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kata_containers_config_dir }}/{{ item }}"
+  with_items:
+    - configuration-qemu.toml
+
+- name: Set containerd bin
+  vars:
+    shim: "{{ item }}"
+  template:
+    dest: "{{ kata_containers_containerd_bin_dir }}/containerd-shim-kata-{{ item }}-v2"
+    src: containerd-shim-kata-v2.j2
+    mode: 0755
+  with_items:
+    - qemu