# Volt Image: Kubernetes Node
# Target density: 30,000+ per host
# Purpose-built K8s worker node

name: volt/k8s-node
version: "1.0"
description: "Kubernetes worker node VM"

# Base configuration
kernel: kernel-server
userland: musl-minimal

# Resource defaults
defaults:
  memory: 256M
  cpus: 1
  network: bridge

# Included packages
packages:
  - busybox
  - kubelet
  - containerd  # Uses Voltainer runtime!
  - runc
  - cni-plugins
  - iptables
  - conntrack-tools

# Init system
init:
  type: busybox
  services:
    - containerd
    - kubelet

# Shell
shell: /bin/ash

# Security policy
security:
  landlock_profile: k8s-node
  seccomp_profile: server
  capabilities:
    drop:
      - ALL
    add:
      - NET_ADMIN
      - NET_BIND_SERVICE
      - SYS_ADMIN  # Required for container runtime
      - MKNOD

# Filesystem layout
filesystem:
  readonly:
    - /usr
    - /lib
  writable:
    - /var/lib/kubelet
    - /var/lib/containerd
    - /var/log
    - /tmp
    - /etc/kubernetes

# Kubelet configuration
kubelet:
  config_path: /etc/kubernetes/kubelet.conf
  kubeconfig_path: /etc/kubernetes/kubelet.kubeconfig
  container_runtime: containerd
  container_runtime_endpoint: unix:///run/containerd/containerd.sock
  
# Labels
labels:
  voltvisor.io/managed: "true"
  voltvisor.io/type: "k8s-node"

# Metadata
metadata:
  category: kubernetes
  density: 30000
  boot_time: "<200ms"
  ode_capable: false
  voltainer_native: true  # Uses Voltainer as container runtime