This document provides a hands-on guide to understanding how runtimes interacts with network devices and namespaces, focusing on the new "Network Devices" feature described in the OCI (Open Container Initiative) runtime specification. The feature is expected to be released in the version 1.3.0 of the OCI specification.
In high-level container orchestration systems like Kubernetes, the management of network namespaces and interfaces is handled by the [Container Runtime Interface
| # based on https://taozhi.medium.com/the-amazing-chroot-making-simply-ssh-to-each-nodes-in-kubernetes-a3448a665c95 | |
| # kubectl exec -it ssh-pod -- chroot /host /bin/bash | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: ssh-pod | |
| labels: | |
| app: ssh-pod | |
| spec: | |
| hostNetwork: true |
Network namespaces create isolated network stacks, including network devices, IP addresses, routing tables, rules , ... This separation is crucial for containerization.
Network namespaces also contain network devices that can live exactly on one network namespace:
physical network device can live in exactly one network namespace. When a network namespace is freed (i.e., when the last
| import requests | |
| from pprint import pprint | |
| # Replace with your GitHub personal access token | |
| GITHUB_TOKEN = "----------------------" | |
| def search_pull_requests_with_label(repo, label): | |
| url = f"https://api.github.com/search/issues" | |
| query = f"repo:{repo} is:pr label:{label}" | |
| params = { |
It may be required for some applications to be aware of the cluster domain.
This information is not exposed directly, the cluster domain is a kubelet property, https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
--cluster-domain string
However, if you set the subdomain field in a Pod, then you are able to access the FQDN directly from the Pod
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: kindnet | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes |
| package main | |
| import ( | |
| "fmt" | |
| "log" | |
| "os" | |
| "github.com/google/nftables" | |
| ) |
| - ./kubernetes/typed/certificates/v1.CertificateSigningRequestInterface.Apply: added | |
| - ./kubernetes/typed/certificates/v1.CertificateSigningRequestInterface.ApplyStatus: added | |
| - ./kubernetes/typed/rbac/v1.ClusterRoleBindingInterface.Apply: added | |
| - ./kubernetes/typed/rbac/v1.ClusterRoleInterface.Apply: added | |
| - ./kubernetes/typed/rbac/v1.RoleBindingInterface.Apply: added | |
| - ./kubernetes/typed/rbac/v1.RoleInterface.Apply: added | |
| - ./kubernetes/typed/apiserverinternal/v1alpha1.StorageVersionInterface.Apply: added | |
| - ./kubernetes/typed/apiserverinternal/v1alpha1.StorageVersionInterface.ApplyStatus: added | |
| - ./informers/storage/v1beta1.Interface.CSIStorageCapacities: added | |
| - ./informers/policy.Interface.V1: added |
| for i in $(grep -rl '<<<<<<<' path/to/go/module/); do sed -i '/=======/,/>>>>>>>/d' $i ; sed -i '/<<<<<<</d' $i; done |
| # | |
| # Automatically generated file; DO NOT EDIT. | |
| # Linux/x86 6.11.0 Kernel Configuration | |
| # | |
| CONFIG_CC_VERSION_TEXT="gcc (Debian 13.2.0-13) 13.2.0" | |
| CONFIG_CC_IS_GCC=y | |
| CONFIG_GCC_VERSION=130200 | |
| CONFIG_CLANG_VERSION=0 | |
| CONFIG_AS_IS_GNU=y | |
| CONFIG_AS_VERSION=24200 |