XML

Word

Printable

Type: Epic
Resolution: Done
Priority: High
Fix Version/s: OSC 1.7.0
Affects Version/s: None
Component/s: None
Labels:
None

Epic Name:
Add support for retrieving secret from KBS by CoCo
Work Type:
BU Product Work
Size:
M
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
KATA-2446 - Secure Key Release for Confidential Workloads
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Intelligence Requested:
Market:

Cost of Delay:
0
WSJF:
0
Target Version:

OSC 1.7.0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Epic Goal

Confidential Container able to retrieve secret after proving that it's running inside a TEE

Why is this important?

When using CoCo, the basic expectation is that the secret will be delivered inside the TEE post verification of the authenticity and integrity of the TEE

Scenarios

User deploying a pod and retrieving a secret to decrypt data
...

Acceptance Criteria

(The Epic is complete when...)

Downstream builds of the required pod vm components are available
Able to retrieve a secret from Trustee.
..

Additional context:

The required pod vm components

attestation agent built with cc_kbc
confidential-data-hub
api-server-rest
process-user-data

The CoCo steps are same for ARO or self-managed Azure OpenShift cluster. The steps for Trustee deployment as well as secure key retrieval will be documented in the following internal guide - https://docs.google.com/document/d/1GFSC1-CEq-V0gqBaIDPU1lb7t4HE8hnF5vqwGjVz8xY/edit#heading=h.z1exffbz0ipo

Assignee:: Pradipta Banerjee

Reporter:: Pradipta Banerjee

QA Contact:: Victor Voronkov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/04/26 10:33 AM

Updated:: 2024/09/20 11:03 AM

Resolved:: 2024/09/18 12:31 PM