How does Containerd configure Proxy?

This article was last updated on July 24, 2024.

preface

In some air-gapped scenarios it is necessary to work offline or to go through a proxy, for example:

  1. You need to pull the container image via Proxy:
    1. Docker Hub: docker.io
    2. Quay: quay.io
    3. GCR: gcr.io
    4. GitHub Container Registry: ghcr.io
  2. In some enterprise environments, external services can only be reached through a proxy

Everyone is familiar with how Docker configures a proxy, but since Docker (dockershim) was deprecated in Kubernetes 1.20, containerd has gradually become the mainstream CRI.
So let’s take a look at how to configure a proxy for containerd.

📝Notes:

There is another scenario that requires containerd to be configured with a proxy: when Dragonfly and containerd are used in combination.

Steps to configure a proxy for containerd

Here’s an example for containerd installed as a systemd service.

The configuration of containerd is generally located at /etc/containerd/config.toml, and the service file at /etc/systemd/system/containerd.service.
The proxy can be configured through the service’s environment variables, as follows:

Create or edit the file /etc/systemd/system/containerd.service.d/http-proxy.conf

Its contents are as follows:

[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890"
Environment="HTTPS_PROXY=http://127.0.0.1:7890"
Environment="NO_PROXY=localhost"

After saving the configuration, restart the service:

systemctl restart containerd.service

When configuring a proxy, be very clear about which traffic should go through the proxy and which should not, to avoid network access failures or even business failures.

Here’s a recommended NO_PROXY configuration:

  1. Local addresses and network segment: localhost and 127.0.0.1 or 127.0.0.0/8
  2. Default domain name suffixes for Kubernetes: .svc and .cluster.local
  3. The network block of the Kubernetes nodes, or indeed every node network block that should not go through the proxy: <nodeCIDR>
  4. APIServer’s internal URL: <APIServerInternalURL>
  5. Service network: <serviceNetworkCIDRs>
  6. etcd’s discovery domain (if any): <etcdDiscoveryDomain>
  7. Cluster (pod) network: <clusterNetworkCIDRs>
  8. Other platform-specific network segments (e.g. DevOps, Git/artifact repositories…): <platformSpecific>
  9. Other specific NO_PROXY network segments: <REST_OF_CUSTOM_EXCEPTIONS>
  10. Commonly used intranet blocks:
    1. 10.0.0.0/8
    2. 172.16.0.0/12
    3. 192.168.0.0/16

The final configuration is as follows:

[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890"
Environment="HTTPS_PROXY=http://127.0.0.1:7890"
Environment="NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local,.e-whisper.com,<nodeCIDR>,<APIServerInternalURL>,<serviceNetworkCIDRs>,<etcdDiscoveryDomain>,<clusterNetworkCIDRs>,<platformSpecific>,<REST_OF_CUSTOM_EXCEPTIONS>"
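As an added example (not code from the original article), the following POSIX shell script assembles the NO_PROXY list from the pieces listed above, renders the systemd drop-in, refuses to install it while any <placeholder> is still unfilled, and verifies after a daemon-reload and restart that the running unit actually carries the variables. The proxy URL defaults to the article’s http://127.0.0.1:7890; the function names and the CIDRs in the usage comment are constructed sample values, not from the article.

```shell
#!/bin/sh
# Added example (not from the original article): build a containerd systemd
# drop-in with proxy settings, then verify the unit picked them up.
# Assumptions: proxy at http://127.0.0.1:7890 (as in the article); any CIDRs
# passed as arguments are constructed placeholders for a real cluster's values.

PROXY_URL="${PROXY_URL:-http://127.0.0.1:7890}"

# Assemble NO_PROXY from the fixed base list plus site-specific exceptions,
# so that every entry that bypasses the proxy is explicit and reviewable.
build_no_proxy() {
  base="localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
  extra=""
  for e in "$@"; do
    [ -n "$e" ] && extra="$extra,$e"
  done
  printf '%s%s' "$base" "$extra"
}

# Render the drop-in text for a given NO_PROXY value.
render_dropin() {
  printf '[Service]\nEnvironment="HTTP_PROXY=%s"\nEnvironment="HTTPS_PROXY=%s"\nEnvironment="NO_PROXY=%s"\n' \
    "$PROXY_URL" "$PROXY_URL" "$1"
}

# Guard: an unfilled <placeholder> in NO_PROXY would silently send that
# cluster-internal traffic through the proxy, so refuse to install it.
has_placeholder() {
  case "$1" in
    *'<'*'>'*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Write the drop-in, reload systemd (required for new drop-in files),
# restart containerd and confirm the live unit exposes the proxy variables.
install_dropin() {
  dir=/etc/systemd/system/containerd.service.d
  if has_placeholder "$1"; then
    echo "refusing to install: NO_PROXY still contains a <placeholder>" >&2
    return 1
  fi
  mkdir -p "$dir"
  render_dropin "$1" > "$dir/http-proxy.conf"
  systemctl daemon-reload
  systemctl restart containerd.service
  systemctl show containerd.service -p Environment | grep -q 'HTTPS_PROXY='
}

# Usage (as root, with your own cluster values; these CIDRs are constructed):
#   install_dropin "$(build_no_proxy 10.244.0.0/16 10.96.0.0/12)"
```

The `systemctl daemon-reload` step matters because systemd does not read a newly created drop-in until it is reloaded; restarting alone leaves the old environment in place. These variables affect only containerd’s own outbound connections (image pulls and the like); processes inside containers do not inherit them.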

🎉🎉🎉

summary

In Kubernetes 1.20 and above, enterprise air-gapped scenarios may require configuring a proxy for containerd.
This article describes how to configure it, along with NO_PROXY best practices for that configuration.