
Enable image signature check for CoCo #468

Merged (1 commit, Oct 28, 2024)

Conversation


@gkurz gkurz commented Oct 23, 2024

The kata-agent should manage the signature verification of container images pulled in the guest. It should be configured with two options:

  • enable_signature_verification=true
  • image_policy_file=<url>

While this can be easily achieved with annotations for regular kata pods, no mechanism exists for peer pods. In the meantime, let's hardcode the agent config directly in the podvm image for the CoCo case and have the kata-agent use it.

Fixes: https://issues.redhat.com/browse/KATA-3393
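Added example, not code from this PR or the operator repository: a POSIX sh check that a podvm build could run to confirm the static agent config actually landed in the image with verification enabled, so a build that forgot to copy the file (the copy-files.sh follow-up referenced below) fails loudly instead of producing a guest that silently skips image signature verification. The config path /etc/kata-agent.toml is taken from the follow-up commit; the accepted policy URL schemes and the constructed sample rootfs are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): verify that a podvm rootfs carries the
# static kata-agent config hardcoded for CoCo peer pods.
# Assumed: config path /etc/kata-agent.toml, TOML keys named as in the PR.

# Print the value of a top-level TOML key (quotes stripped); empty if absent.
toml_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# check_agent_config <rootfs_dir>
# Returns 0 when verification is enabled and a policy URL is set, 1 otherwise.
check_agent_config() {
    cfg="$1/etc/kata-agent.toml"
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg: guest would run with the agent's defaults" >&2
        return 1
    fi
    enabled=$(toml_get "$cfg" enable_signature_verification)
    policy=$(toml_get "$cfg" image_policy_file)
    if [ "$enabled" != "true" ]; then
        echo "enable_signature_verification is '$enabled', expected true" >&2
        return 1
    fi
    case "$policy" in
        kbs://*|https://*|file://*) ;;  # assumed set of accepted URL schemes
        *) echo "image_policy_file '$policy' is not a recognised URL" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample rootfs with a two-key config, used to exercise the check.
make_sample_rootfs() {
    # $1 = dir, $2 = enabled (true/false), $3 = policy url
    mkdir -p "$1/etc"
    printf 'enable_signature_verification = %s\nimage_policy_file = "%s"\n' \
        "$2" "$3" > "$1/etc/kata-agent.toml"
}
```

Run it against the extracted podvm rootfs (or a mounted image) right after the build's copy step, before the image is published.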

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Oct 23, 2024

openshift-ci bot commented Oct 23, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@gkurz gkurz force-pushed the static-image-signature-config branch from 4f75144 to 54cdef2 on October 23, 2024 17:12
The kata-agent should manage the signature verification of container
images pulled in the guest. It should be configured with two options:
- enable_signature_verification=true
- image_policy_file=<url>

While this can be easily achieved with annotations for regular kata
pods, no mechanism exists for peer pods. In the meantime, let's
hardcode the agent config directly in the podvm image for the CoCo
case and have the kata-agent use it.

Fixes: https://issues.redhat.com/browse/KATA-3393

Suggested-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
@gkurz gkurz force-pushed the static-image-signature-config branch from 54cdef2 to 1e86654 on October 24, 2024 12:15
@wainersm

Hi @gkurz !

It LGTM; let's see if it works as expected :D

@gkurz gkurz marked this pull request as ready for review October 25, 2024 19:29
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Oct 25, 2024
@openshift-ci openshift-ci bot requested a review from cpmeadors October 25, 2024 19:29

@beraldoleal beraldoleal left a comment


LGTM, thanks

@wainersm

Hi @gkurz !

I reviewed the code and it's in line with the experiments I did upstream; it should work. Also, our internal tests showed that the files were properly modified on the podvm image. So from my side:

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 25, 2024

openshift-ci bot commented Oct 25, 2024

@gkurz: all tests passed!


@gkurz gkurz merged commit dacb45e into openshift:devel Oct 28, 2024
4 checks passed
gkurz added a commit to gkurz/sandboxed-containers-operator that referenced this pull request Nov 4, 2024
PR openshift#468 forgot to teach the `copy-files.sh` of the CAA podvm build flow
about the added `/etc/kata-agent.toml` config file.

Fix that now. This doesn't have any impact on non-confidential peer pods.

Signed-off-by: Greg Kurz <groug@kaod.org>
gkurz added a commit to gkurz/sandboxed-containers-operator that referenced this pull request Nov 4, 2024
PR openshift#468 forgot to teach the `copy-files.sh` of the CAA podvm build flow
about the added `/etc/kata-agent.toml` config file.

Fix that now. This doesn't have any impact on non-confidential peer pods.

Fixes: https://issues.redhat.com/browse/KATA-3455

Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 695b311)
Signed-off-by: Greg Kurz <groug@kaod.org>
Labels
lgtm