Kubelet Checkpoint API

    Checkpointing a container is the functionality to create a stateful copy of a running container. Once you have a stateful copy of a container, you could move it to a different computer for debugging or similar purposes.

    If you move the checkpointed container data to a computer that’s able to restore it, that restored container continues to run at exactly the same point it was checkpointed. You can also inspect the saved data, provided that you have suitable tools for doing so.

    Creating a checkpoint of a container might have security implications. Typically a checkpoint contains all memory pages of all processes in the checkpointed container. This means that everything that used to be in memory is now available on the local disk. This includes all private data and possibly keys used for encryption. The underlying CRI implementations (the container runtime on that node) should create the checkpoint archive so that it is accessible only by the root user. Remember, however, that if the checkpoint archive is transferred to another system, all memory pages will be readable by the owner of the checkpoint archive.

    Tell the kubelet to checkpoint a specific container from the specified Pod.

    Consult the Kubelet authentication/authorization reference for more information about how access to the kubelet checkpoint interface is controlled.

    The kubelet will request a checkpoint from the underlying implementation. In the checkpoint request the kubelet will specify the name of the checkpoint archive as and also request to store the checkpoint archive in the checkpoints directory below its root directory (as defined by --root-dir). This defaults to /var/lib/kubelet/checkpoints.
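    The security note above says checkpoint archives should be accessible only by root, and they land in /var/lib/kubelet/checkpoints by default. The following is an added example, not part of the original page or the Kubernetes code base: a node-side audit that flags archives in that directory which are not restricted to the expected owner. The names audit_checkpoints and expected_uid are hypothetical, introduced for this sketch.

```python
import os
import stat
import sys

# Default location given on this page (checkpoints directory below --root-dir).
DEFAULT_DIR = "/var/lib/kubelet/checkpoints"


def audit_checkpoints(directory=DEFAULT_DIR, expected_uid=0):
    """Hypothetical helper: return (path, problem) tuples for anything in the
    checkpoint directory that is not restricted to expected_uid (root = 0)."""
    findings = []
    # Check the directory first: if it is writable by non-owners, archives
    # can be replaced or removed regardless of their own mode bits.
    dst = os.lstat(directory)
    if dst.st_uid != expected_uid:
        findings.append((directory, f"directory owned by uid {dst.st_uid}"))
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((directory, "directory writable by group/other"))
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode):
            # A symlink here may point at a copy with weaker permissions.
            findings.append((entry.path, "symlink in checkpoint directory"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid != expected_uid:
            findings.append(
                (entry.path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((entry.path, f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    results = audit_checkpoints(target)
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

    The same check applies to any system an archive is copied to, since the archive's owner there can read every memory page it contains.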

    HTTP Request

    POST /checkpoint/{namespace}/{pod}/{container}

    Parameters

    • pod (in path): string, required

      Pod

    • container (in path): string, required

    Response

    200: OK

    401: Unauthorized

    404: Not Found (if the feature gate is disabled)

    404: Not Found (if the specified namespace, pod or container cannot be found)

    500: Internal Server Error (if the CRI implementation does not implement the checkpoint CRI API; see error message for further details)