Openshift sandboxed containers / KATA-2591

support encrypted container images


    • Feature
    • Resolution: Unresolved
    • High
    • BU Product Work
    • KATA-2603 protection for data in-use (CoCo)
    • 0% To Do, 100% In Progress, 0% Done

      End users of CoCo prefer to provide either an encrypted or a signed container image for their workload.
      This feature will focus on the encrypted image support.

      The encrypted container image may have an AI model or proprietary business logic embedded. CoCo on ARO should be able to deploy workloads with encrypted container images.

      A problem we will face with encrypted images arises when the image is accessed by the host (cri-o pulling the image): if cri-o can't decrypt it, it will return an error, and kubelet will stop the container creation process.
      At the moment, there is no way to prevent cri-o from pulling the image, even when the host does not use it because the guest agent will pull it for itself. This needs to be addressed.
       

              jrope Julien ROPE
              jfreiman Jens Freimann