
What is purpose of pod-infra-container-image in kubernetes?

Official documentation says only:

The image whose network/ipc namespaces containers in each pod will use. (default "gcr.io/google_containers/pause-amd64:3.0")

but I don't understand exactly what it does and how it works in detail.

Sasa

2 Answers


The pause container, whose image the --pod-infra-container flag selects, is used so that multiple containers can be launched in a pod while sharing resources. It mostly does nothing, and unless you have a very good reason to replace it with something custom, you shouldn't. It mostly invokes the pause system call (hence its name), but it also performs the important function of having PID 1 and making sure no zombie processes are kept around.

An extremely complete article on the subject can be found here, from where I also shamelessly stole the following picture which illustrates where the pause container lives:


vascop
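The PID 1 and zombie-reaping duty described in vascop's answer, shown as an added example in C; this is not the Kubernetes build/pause source (linked in the next answer), and the helper spawn_and_reap is constructed for this example only. The main loop installs a SIGCHLD handler that reaps orphans, exits on SIGINT/SIGTERM, and otherwise sits in pause(2).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reap every child that has already exited, without blocking.
   Returns how many zombies were collected (0 if none, or no children). */
int reap_zombies(void) {
    int reaped = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* As PID 1 of the pod, orphans from the other containers are re-parented to
   this process; reaping on SIGCHLD keeps them from lingering as zombies. */
static void on_sigchld(int sig) { (void)sig; reap_zombies(); }

/* SIGINT/SIGTERM from the kubelet: exit so the pod can be torn down. */
static void on_term(int sig) { (void)sig; _exit(0); }

/* Demonstration helper (constructed for this example): fork n children that
   exit immediately, then collect them. Returns the number reaped. */
int spawn_and_reap(int n) {
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) _exit(0);     /* child is a zombie until someone waits */
    }
    int reaped = 0;
    while (reaped < n) {
        int r = reap_zombies();     /* non-blocking pass, as the handler does */
        if (r == 0) {               /* nothing exited yet: block for one */
            if (waitpid(-1, NULL, 0) < 0) break;
            r = 1;
        }
        reaped += r;
    }
    return reaped;
}

int main(void) {
    struct sigaction sa = { .sa_handler = on_sigchld,
                            .sa_flags = SA_NOCLDSTOP | SA_RESTART };
    sigaction(SIGCHLD, &sa, NULL);
    signal(SIGINT, on_term);
    signal(SIGTERM, on_term);
    for (;;)
        pause();                    /* the pause(2) call the answer refers to */
}
```

Outside a container the process is not PID 1, so only its own children are reaped; inside the pod's PID namespace every orphan from the sibling containers ends up here.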

The pause container is built from https://github.com/kubernetes/kubernetes/tree/master/build/pause. The process itself does nothing, so you can replace it with another container of your choice that equally does nothing (with the --pod-infra-container-image parameter of kubelet).

This container is started as a part of each and every pod. Kubernetes is using this well-known, never failing container to set up the network namespace for the pod and make sure the namespace is never empty (all the other containers in the pod might fail). But again, the container process itself does nothing; it's just a placeholder.

Janos Lenart
  • But why does Kubernetes need such a container at all? Can't it set up the network itself? – Sasa Oct 08 '17 at 14:52
  • I don't fully understand your question. The short answer is that this container is a technical necessity (when using Docker with Kubernetes), but nothing you need to care about. It takes nearly no resources to run this container and a node won't run more than 100 or so pods anyway, which means that whatever resources are being taken up by running this extra container (doing nothing) per pod is a near zero cost. – Janos Lenart Oct 08 '17 at 18:33
  • I am not concerned with the cost. I just want to understand how it works. Coming from a Docker Swarm environment where such a thing is not necessary, I am trying to figure out the reasons for needing such a container and want to know how it works in detail. The ultimate option for me is to look into the code, but I was hoping to find a quicker answer instead of going through so much code. – Sasa Oct 08 '17 at 19:42
  • This is required because multiple containers in a pod share a Linux network namespace (and optionally storage volumes) - primarily for 'sidecar' containers used in service meshes etc, or other proxies. The pause container is just there to keep the network namespace (and some others) always present, even if all other containers die. See https://linchpiner.github.io/k8s-multi-container-pods.html – RichVel Nov 07 '20 at 07:15