Enable image signature check for CoCo #468
Skipping CI for Draft Pull Request.
The kata-agent should manage the signature verification of container images pulled in the guest. It should be configured with two options:

- enable_signature_verification=true
- image_policy_file=<url>

While this can be easily achieved with annotations for regular kata pods, no mechanism exists for peer pods. In the meantime, let's hardcode the agent config directly in the podvm image for the CoCo case and have the kata-agent use it.

Fixes: https://issues.redhat.com/browse/KATA-3393
Suggested-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Hi @gkurz! It LGTM; let's see if it works as expected :D
LGTM, thanks
Hi @gkurz! I reviewed the code and it's in line with the experiments I did upstream; it should work. Also, our internal tests showed that the files were properly modified on the podvm image. So from my side: /lgtm
@gkurz: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
PR openshift#468 forgot to teach the `copy-files.sh` of the CAA podvm build flow about the added `/etc/kata-agent.toml` config file. Fix that now. This doesn't have any impact on non-confidential peer pods. Signed-off-by: Greg Kurz <groug@kaod.org>
PR openshift#468 forgot to teach the `copy-files.sh` of the CAA podvm build flow about the added `/etc/kata-agent.toml` config file. Fix that now. This doesn't have any impact on non-confidential peer pods. Fixes: https://issues.redhat.com/browse/KATA-3455 Signed-off-by: Greg Kurz <groug@kaod.org>
PR openshift#468 forgot to teach the `copy-files.sh` of the CAA podvm build flow about the added `/etc/kata-agent.toml` config file. Fix that now. This doesn't have any impact on non-confidential peer pods. Fixes: https://issues.redhat.com/browse/KATA-3455 Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit 695b311) Signed-off-by: Greg Kurz <groug@kaod.org>
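The PR description above bakes two kata-agent options into the podvm image, and the follow-up commits exist because the build flow's `copy-files.sh` did not ship the resulting `/etc/kata-agent.toml`. As an added example (not code from the cloud-api-adaptor or kata-containers projects), here is the kind of build-time check that would have caught that omission: it walks a podvm rootfs, confirms the config file is present, and confirms signature verification is actually turned on with a policy URL set. The file path and the two option names come from this thread; the rootfs layout, the sample config contents, the placeholder policy URL and the "must look like a URL" rule are assumptions made for the example.

```python
"""Build-time check for a CoCo podvm image: verify that the kata-agent config
baked into the rootfs turns on container image signature verification.

Added example, not project code. Path and option names come from the PR
description; the sample rootfs contents below are constructed.
"""
import tempfile
from pathlib import Path
from typing import Optional

try:
    import tomllib  # stdlib TOML parser on Python 3.11+
except ImportError:  # older interpreters: use the tiny fallback parser below
    tomllib = None

AGENT_CONFIG = "etc/kata-agent.toml"  # /etc/kata-agent.toml inside the podvm rootfs


def _parse_flat_toml(text: str) -> dict:
    """Fallback parser for a flat 'key = value' TOML file (bools, ints, strings).
    Table headers and '#' comments are skipped; enough for kata-agent.toml."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value in ("true", "false"):
            result[key] = value == "true"
        elif value[:1] in ('"', "'"):
            result[key] = value[1:-1]
        else:
            try:
                result[key] = int(value)
            except ValueError:
                result[key] = value
    return result


def load_agent_config(text: str) -> dict:
    """Parse kata-agent.toml text into a dict, preferring the stdlib parser."""
    if tomllib is not None:
        return tomllib.loads(text)
    return _parse_flat_toml(text)


def check_agent_config(rootfs: Path) -> list:
    """Return the list of problems found; an empty list means the image is OK."""
    cfg_path = rootfs / AGENT_CONFIG
    if not cfg_path.is_file():
        # This is exactly the regression the follow-up commits fixed: the file
        # never made it into the image, so the agent silently used defaults.
        return [f"{AGENT_CONFIG} is missing from the rootfs"]
    cfg = load_agent_config(cfg_path.read_text())
    problems = []
    if cfg.get("enable_signature_verification") is not True:
        problems.append("enable_signature_verification is not set to true")
    policy = cfg.get("image_policy_file")
    if not isinstance(policy, str) or "://" not in policy:
        # The PR only says the value is a URL; requiring a scheme is our assumption.
        problems.append(f"image_policy_file is not a URL: {policy!r}")
    return problems


def make_sample_rootfs(base: Path, config_text: Optional[str]) -> Path:
    """Constructed stand-in for a podvm rootfs; only /etc/kata-agent.toml matters here."""
    rootfs = base / "rootfs"
    (rootfs / "etc").mkdir(parents=True, exist_ok=True)
    if config_text is not None:
        (rootfs / AGENT_CONFIG).write_text(config_text)
    return rootfs


# Constructed sample configs; the policy URL is a placeholder, not a real one.
GOOD_CONFIG = """\
enable_signature_verification = true
image_policy_file = "kbs:///placeholder/security-policy/example"
"""
DISABLED_CONFIG = GOOD_CONFIG.replace("= true", "= false")


def run_checks() -> dict:
    """Run the check against three constructed images and return their findings."""
    findings = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name, text in (("good", GOOD_CONFIG), ("disabled", DISABLED_CONFIG), ("missing", None)):
            findings[name] = check_agent_config(make_sample_rootfs(base / name, text))
    return findings


if __name__ == "__main__":
    for image, problems in run_checks().items():
        print(f"{image}: {'OK' if not problems else '; '.join(problems)}")
```

In a real build the rootfs argument would be the directory the image is assembled from (the output of the copy-files step), so the "missing" case fires before the image is ever booted rather than showing up as an agent that quietly pulls unsigned images.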