sandboxed containers enhancement proposal

[fidencio]

This supersedes #366, as it provides fixes for the lint.

The reason a new PR has been opened is because Jens Freimman, who's the person dealing with #366 recently became a father and is out for his paternity leave.

[fidencio]

/test markdownlint

[fidencio]

Closing this one as we were able to unblock #366.

[fidencio]

/test markdownlint

[fidencio]

/test markdownlint

[fidencio]

/test markdownlint

[cgwalters]

Overall seems sane to me!

[cgwalters]

Why is this out of curiosity? Why not e.g. enable the feature on all available nodes but use regular nodeSelector for steering?

Is it because it fully takes over the crio backend and so hence all containers on that node are kata? That seems unfortunate if true.

[fidencio]

Hey @cgwalters!

Why is this out of curiosity?

The default behaviour is to deploy on all available worker nodes. However, it's been decided to leave the option for the admin to select the nodes they want, if they don't want all the worker nodes using Kata Containers.

Why not e.g. enable the feature on all available nodes but use regular nodeSelector for steering?

That would simplify our code, indeed. Shall we consider removing the option from the operator?

Is it because it fully takes over the crio backend and so hence all containers on that node are kata? That seems unfortunate if true.

No, that's not the case, at all. A note capable of doing Kata Containers should not, and will not, lose its ability to do "vanilla" containers.

@cgwalters, have I addressed all your concerns?

[cgwalters]

The default behaviour is to deploy on all available worker nodes.

Sure, seems reasonable. In a compact cluster the control plane are workers too so this will apply there.

That would simplify our code, indeed. Shall we consider removing the option from the operator?

I don't have a really strong opinion on this but if having admins steer the pods with regular selectors works then why not use that? Less API surface for you to maintain, and feels more native to admins, etc.

[mrunalp]

There is scheduling support for runtime classes that we can make use of. The enhancement should mention that.
https://v1-16.docs.kubernetes.io/docs/concepts/containers/runtime-class/#

[cgwalters]

Semi random but there's actually a 3rd class of thing in here, which is "containers that use virt" - what we do with https://github.com/coreos/coreos-assembler/ overlaps a lot with kata; we want to control qemu, not be inside qemu.

[fidencio]

That's interesting, and I wonder whether the minimalist QEMU we plan to use for the extensions could also benefit CoreOS Assembler.

Do you mind if we switch this conversation to the Slack, at some point soon, to try to sync on the usages and then, maybe, come up with a full document on how we plan to use QEMU as part of RHCOS, and hopefully agree in the minimal QEMU that could attend yours (CoreOS Assembler) and ours (Kata Containers) needs?

[cgwalters]

Note that the qemu we use to build (and test) RHCOS (and FCOS) is included in the coreos-assembler container; it has nothing to do with the host, which is the opposite of kata. It's closer to KubeVirt in a way except this usage is special in that we're not trying to run production VMs that e.g. expose networking. We don't require any privileges, just KVM available.

I have a blurb on this here https://hackmd.io/8YCMjP_JTzu-vp7PrOjT0g that I need to stick somewhere.

[cgwalters]

We don't need a minimal qemu really - our container image is already enormous anyways (2.5G+).

What may be good to share though is e.g. Go bindings for interacting with qemu - I touched on that in coreos/coreos-assembler#1336 (comment)

[cgwalters]

In some private discussion it turns out there's a lot more detail behind this bit that we'll want to elaborate on. From what I can see I lean towards having the MCO install this extra content as an extension (RPM) too.

This also relates to coreos/fedora-coreos-tracker#354 etc.

[fidencio]

@cgwalters, I've rewritten this PR, almost entirely, to cover what we current do, what we could do, etc.

Please, whenever you have some cycles, take a look at the changes.
Also, please, help me to loop in all the needed parts that can help to decide whether we could go for having the Kata Containers RPMs also as part of the RHCOS extensions (even with those being ~100MB, installed size).

[fidencio]

In what started as a non related conversation with @cgwalters (https://coreos.slack.com/archives/CK1AE4ZCK/p1614974860056400), we agreed that more discussions have to happen, mainly with regards how Kata Containers will be delivered to the OpenShift customers (as in, whether it'll be part of the Extensions, whether it'll be binaries being copied by the Kata Operator, etc).

Based on that, this PR will be updated accordingly, probably by the beginning of the next week.

[fidencio]

/hold

[cgwalters]

I'd say instead have single MC object 50-kata-containers-worker or so that does both this and the crio config to make it more atomic. Otherwise there's a race where the MCO might try to roll out just the crio change but not the extension, etc.

[cgwalters]

Is there more to this than just the MC?

[fidencio]

@cgwalters, I don't fully understand the question.
"Configure CRI-O to use Kata Runtime on those worker nodes" is just a drop-in file, performed by: https://github.com/openshift/sandboxed-containers-operator/blob/fbbc74e21e2fc4f3d0874dd201513a801a1a333c/controllers/openshift_controller.go#L281-L362

As I'm not sure whether this is what you asked, mind to rephrase the question, with more details is possible, so I can try to answer?

(by the way, sorry if I end up missing some details, the person who majoritarily worked on the Operator side is on paternity leave and I'm taking this over from him).

[fidencio]

Oh, wait, I'm wrong, I'm thinking only about the RPM sides.
"Configure CRI-O to use Kata Runtime" also contains:

• applying RBAC policies;
• defining the CRDs;
• creating the "kata" runtime class;

[cgwalters]

If done via extensions, this would all be handled by MCO reconciliation. See also https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/

I think more broadly, if everything goes via MCO functionality then e.g. node changes will be fully coordinated. Having more host daemonsets etc. can create synchronization issues.

[fidencio]

When you say "everything goes via MCO functionality" you mean ... just forget the operator and teach the MCO to deal with Kata Containers' needs, entirely?

While I think that's a really good idea, I don't think it's do-able for 4.8 timeframe.

[cgwalters]

Ah no, I just mean that the operator installs machineconfigs, rather than reaching out to each node individually. This is a pattern followed by for example the cluster-node-tuning-operator.

[fidencio]

Oh, that we do. :-)

[cgwalters]

So if we fully use the MCO, then all this stuff is covered by the MCO objects, specifically machineconfigpool.

[fidencio]

/cc @zanetworker, @bpradipt, @jensfr for visibility

[fidencio]

@bpradipt, would you mind to take a careful look on the bits describing the operator? That's one part of the project I barely touched and I don't confident to ensure the text matches reality.

[fidencio]

@zanetworker, I will need your help to ensure this aligns with your vision.

[fidencio]

@mrunalp, I really would love your input, mainly as things changed a lot from the time when the original PR was created, till what we currently have nowadays.

[jackevans43]

@fidencio I'd love to use this feature to isolate less trustworthy / higher risk (eg. Internet facing) workloads - do you think this is worth adding? For these workloads, Firecracker would be a great, could this be added in the future?

I presume NetworkPolicy be applied on the host, outside of the VM (ie. provides a higher level of assurance)?

[fidencio]

@fidencio I'd love to use this feature to isolate less trustworthy / higher risk (eg. Internet facing) workloads - do you think this is worth adding?

I think this is covered by:

- any other administrative privileges above and beyond what is secure in a
  shared kernel environment (regular runc).

Or would you prefer have it explicitly set there?

For these workloads, Firecracker would be a great, could this be added in the future?

Right now we prefer to focus on the VMM we have a huge team working on, and maintaining it, which is QEMU.
I'd be interested, really interested, on learning about possible use cases you see Firecracker being used that QEMU couldn't. This would help the QEMU community to improve, we (as Sandboxed Containers) to see whether we can expand what we cover, and the end users to take a decision.

I don't think this proposal is the right place to discuss this, but maybe https://github.com/openshift/sandboxed-containers-operator/ could be.

I'd suggest opening an issue there, then we can start the discussion and move to the another (more appropriated?) place if needed.

Does this sound reasonable?

I presume NetworkPolicy be applied on the host, outside of the VM (ie. provides a higher level of assurance)?

Please, open us an issue and we can discuss it there. :-)
By the way, I hope I don't come across as "rude", I just want to be sure that such important conversation gets properly tracked, and properly replied (and here it may be confusing for all the parts involved).

[fidencio]

@mrunalp, the last requests have been addressed. Thanks for the review.

[mrunalp]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: cgwalters

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment