Project: Openshift sandboxed containers
Issue: KATA-3249

Custom Kata Agent policy support in CoCo & peer-pods


Type: Epic
Priority: Medium
Status: To Do
Resolution: Unresolved
Product / Portfolio Work
Parent: KATA-3248 - Custom Kata Agent policy support in CoCo & peer-pods
Progress: 67% To Do, 0% In Progress, 33% Done
Release note: Kata Agent policy customization

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. This policy determines which operations are allowed or denied. You can override the default policy with a custom policy for _testing_ or _development_ by adding an annotation to a peer pod manifest. In production environments, use `initdata` to change the policy.
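As an added illustration of the annotation-based override described above (example code, not from this epic or the OSC project): a small Python helper that renders an agent policy in Rego which denies ExecProcessRequest, base64-encodes it into the `io.katacontainers.config.agent.policy` annotation of a peer-pod manifest, and decodes it back so a reviewer can check what a manifest actually carries. The request list, the pod name and image, and the `kata-remote` runtime class are assumptions; the list is abbreviated, and a real policy must cover every request type the agent in the podvm image handles, since a request with no rule is denied.

```python
import base64
import json

# Annotation the Kata runtime reads to install a custom agent policy;
# the Rego text is carried base64-encoded in the annotation value.
POLICY_ANNOTATION = "io.katacontainers.config.agent.policy"

# Constructed, abbreviated request list. A deployable policy must list every
# ttRPC request type the guest agent handles: an undefined rule means "deny".
ALLOWED_REQUESTS = [
    "CreateSandboxRequest", "CreateContainerRequest", "StartContainerRequest",
    "StatsContainerRequest", "WaitProcessRequest", "SignalProcessRequest",
    "RemoveContainerRequest", "DestroySandboxRequest", "GuestDetailsRequest",
    "ReadStreamRequest", "WriteStreamRequest", "CloseStdinRequest",
]
# Denied so nothing can start an extra process inside the guest
# (this is the request `kubectl exec` depends on).
DENIED_REQUESTS = ["ExecProcessRequest"]


def render_policy(allowed, denied):
    """Return Rego text allowing `allowed` requests and denying `denied`."""
    lines = ["package agent_policy", ""]
    lines += [f"default {req} := true" for req in allowed]
    lines += [f"default {req} := false" for req in denied]
    return "\n".join(lines) + "\n"


def pod_manifest(name, policy, runtime_class="kata-remote"):
    """Build a peer-pod manifest carrying `policy` in the agent policy annotation."""
    encoded = base64.b64encode(policy.encode()).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "annotations": {POLICY_ANNOTATION: encoded}},
        "spec": {
            "runtimeClassName": runtime_class,
            # Constructed image reference.
            "containers": [{"name": "app", "image": "registry.example.com/app:1.0"}],
        },
    }


def policy_from_manifest(manifest):
    """Decode the annotation back to Rego text, e.g. when reviewing a manifest."""
    encoded = manifest["metadata"]["annotations"][POLICY_ANNOTATION]
    return base64.b64decode(encoded).decode()


if __name__ == "__main__":
    policy = render_policy(ALLOWED_REQUESTS, DENIED_REQUESTS)
    print(json.dumps(pod_manifest("policy-demo", policy), indent=2))
```

The printed JSON is a valid manifest for `kubectl apply -f`; the annotation route is only for testing or development, as the release note says.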

      Epic Goal

      • The agent policy performs additional validation of each ttRPC API request inside the guest VM; the goal of this epic is to make that policy configurable.

      Why is this important?

      • Users of peer-pods/CoCo may want to block certain agent calls, either because they suspect that some components were compromised or simply to change the defaults (CoCo).

      Scenarios

      1. Setting custom policy at podvm image creation time
      2. Setting custom policy at pod runtime

      Acceptance Criteria 

      1. User is able to set custom policy at podvm image creation time
      2. User is able to set custom policy at pod runtime
      3. Instructions for the customization are provided
      4. Tests verify that the customization is applied

      Additional context:

      Assignee: Unassigned
      Reporter: Snir Sheriber (ssheribe@redhat.com)
      Also listed: John Wilkins
      Votes: 0
      Watchers: 2