Uploaded image for project: 'Openshift sandboxed containers'
  1. Openshift sandboxed containers
  2. KATA-2716

Kata agent policy support for CoCo

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Done
    • Icon: Medium Medium
    • None
    • None
    • None
    • None
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • OCPSTRAT-2027OpenShift Confidential Containers
    • 0

      Feature Overview (aka. Goal Summary)  

      In CoCo, any components on the host is untrusted. Consequently the kata shim is untrusted and care should be taken to protect kata-agent from the kata shim.

      This is made possible by agent policy which is in the VM TEE which defines the allowed operations for the kata-agent.

      Goals (aka. expected user outcomes)

      Any operation which is not explicitly allowed should be blocked by the kata-agent

      Requirements (aka. Acceptance Criteria):

      Kata agent policy integration

      Ability to customise agent policy

      Ensuring agent policy cannot be tampered with

       

      References

      https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/how-to-use-the-kata-agent-policy.md 

              ssheribe@redhat.com Snir sheriber
              bpradipt Pradipta Banerjee
              Snir sheriber
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: