Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 5. Deploying Confidential Containers on Azure

You can deploy Confidential Containers on Microsoft Azure Cloud Computing Services after you deploy OpenShift sandboxed containers.

Important

Confidential Containers on Azure is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.15 or later on the cluster where you are installing the Confidential compute attestation Operator.

You deploy Confidential Containers by performing the following steps:

  1. Install the Confidential compute attestation Operator.
  2. Create the route for Trustee.
  3. Enable the Confidential Containers feature gate.
  4. Update the peer pods config map.
  5. Delete the KataConfig custom resource (CR).
  6. Re-create the KataConfig CR.
  7. Create the Trustee authentication secret.
  8. Create the Trustee config map.
  9. Configure Trustee values, policies, and secrets.
  10. Create the KbsConfig CR.
  11. Verify the Trustee configuration.
  12. Verify the attestation process.

5.1. Installing the Confidential compute attestation Operator
Link kopieren

You can install the Confidential compute attestation Operator on Azure by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a trustee-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: trustee-operator-system
    Copy to Clipboard Toggle word wrap

  2. Create the trustee-operator-system namespace by running the following command: 

    $ oc apply -f trustee-namespace.yaml
    Copy to Clipboard Toggle word wrap

  3. Create a trustee-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: trustee-operator-group
  namespace: trustee-operator-system
spec:
  targetNamespaces:
  - trustee-operator-system
    Copy to Clipboard Toggle word wrap

  4. Create the operator group by running the following command: 

    $ oc apply -f trustee-operatorgroup.yaml
    Copy to Clipboard Toggle word wrap

  5. Create a trustee-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: trustee-operator
  namespace: trustee-operator-system
spec:
  channel: stable
  installPlanApproval: Automatic
  name: trustee-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
    Copy to Clipboard Toggle word wrap

  6. Create the subscription by running the following command: 

    $ oc apply -f trustee-subscription.yaml
    Copy to Clipboard Toggle word wrap

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                      DISPLAY                        PHASE
trustee-operator.v0.1.0   Trustee Operator  0.1.0        Succeeded
    Copy to Clipboard Toggle word wrap

5.2. Enabling the Confidential Containers feature gate
Link kopieren

You must enable the Confidential Containers feature gate.

Prerequisites

  • You have subscribed to the OpenShift sandboxed containers Operator.

Procedure

  1. Create a cc-feature-gate.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"
    Copy to Clipboard Toggle word wrap

  2. Create the config map by running the following command: 

    $ oc apply -f cc-feature-gate.yaml
    Copy to Clipboard Toggle word wrap

5.3. Creating the route for Trustee
Link kopieren

You can create a secure route with edge TLS termination for Trustee. External ingress traffic reaches the router pods as HTTPS and passes on to the Trustee pods as HTTP.

Prerequisites

  • You have installed the Confidential compute attestation Operator.

Procedure

  1. Create an edge route by running the following command: 

    $ oc create route edge --service=kbs-service --port kbs-port \
  -n trustee-operator-system
    Copy to Clipboard Toggle word wrap
    Note

    Note: Currently, only a route with a valid CA-signed certificate is supported. You cannot use a route with self-signed certificate.

  2. Set the TRUSTEE_HOST variable by running the following command: 

    $ TRUSTEE_HOST=$(oc get route -n trustee-operator-system kbs-service \
  -o jsonpath={.spec.host})
    Copy to Clipboard Toggle word wrap

  3. Verify the route by running the following command: 

    $ echo $TRUSTEE_HOST
    Copy to Clipboard Toggle word wrap

    Example output

    kbs-service-trustee-operator-system.apps.memvjias.eastus.aroapp.io
    Copy to Clipboard Toggle word wrap

    Record this value for the peer pods config map.

5.4. Updating the peer pods config map
Link kopieren

You must update the peer pods config map for Confidential Containers.

Note

Set Secure Boot to true to enable it by default. The default value is false, which presents a security risk.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group: 

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""
      Copy to Clipboard Toggle word wrap

    2. Retrieve and record the Azure VNet name: 

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)
      Copy to Clipboard Toggle word wrap

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID: 

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""
      Copy to Clipboard Toggle word wrap

    4. Retrieve and record the Azure network security group (NSG) ID: 

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""
      Copy to Clipboard Toggle word wrap

    5. Retrieve and record the Azure region: 

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""
      Copy to Clipboard Toggle word wrap

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  AZURE_INSTANCE_SIZE: "Standard_DC2as_v5"
    1 
    
  AZURE_INSTANCE_SIZES: "Standard_DC2as_v5, Standard_DC4as_v5, Standard_DC8as_v5"
    2 
    
  AZURE_SUBNET_ID: "<azure_subnet_id>"
    3 
    
  AZURE_NSG_ID: "<azure_nsg_id>"
    4 
    
  PROXY_TIMEOUT: "5m"
  AZURE_IMAGE_ID: "<azure_image_id>"
    5 
    
  AZURE_REGION: "<azure_region>"
    6 
    
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
    7 
    
  DISABLECVM: "false"
  AA_KBC_PARAMS: "cc_kbc::https://${TRUSTEE_HOST}"
    8 
    
  ENABLE_SECURE_BOOT: "true"
    9
    Copy to Clipboard Toggle word wrap
    1
    The "Standard_DC2as_v5" value is the default if an instance size is not defined in the workload. Ensure the instance type supports the trusted environment. The default "Standard_DC2as_v5" value is for AMD SEV-SNP. If your TEE is Intel TDX, specify Standard_EC4eds_v5.
    2
    Lists all of the instance sizes you can specify when creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads. For Intel TDX, specify "Standard_EC4eds_v5, Standard_EC8eds_v5, Standard_EC16eds_v5".
    3
    Specify the AZURE_SUBNET_ID value that you retrieved.
    4
    Specify the AZURE_NSG_ID value that you retrieved.
    5
    Optional: By default, this value is populated when you run the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6
    Specify the AZURE_REGION value you retrieved.
    7
    Specify the AZURE_RESOURCE_GROUP value you retrieved.
    8
    Specify the host name of the Trustee route.
    9
    Specify true to enable Secure Boot by default.

  3. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml
    Copy to Clipboard Toggle word wrap

  4. Restart the peerpodconfig-ctrl-caa-daemon daemon set by running the following command: 

    $ oc set env ds/peerpodconfig-ctrl-caa-daemon \
  -n openshift-sandboxed-containers-operator REBOOT="$(date)"
    Copy to Clipboard Toggle word wrap

5.5. Deleting the KataConfig custom resource
Link kopieren

You can delete the KataConfig custom resource (CR) by using the command line.

Deleting the KataConfig CR removes the runtime and its related resources from your cluster.

Important

Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig
    Copy to Clipboard Toggle word wrap

    The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.

    Important

    When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kataconfig example-kataconfig
    Copy to Clipboard Toggle word wrap

    Example output

    No example-kataconfig instances exist
    Copy to Clipboard Toggle word wrap

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

5.6. Re-creating the KataConfig custom resource
Link kopieren

You must re-create the KataConfig custom resource (CR) for Confidential Containers.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    Copy to Clipboard Toggle word wrap
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, cc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml
    Copy to Clipboard Toggle word wrap

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
    Copy to Clipboard Toggle word wrap

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/peerpodconfig-ctrl-caa-daemon
    Copy to Clipboard Toggle word wrap

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m
    Copy to Clipboard Toggle word wrap

5.7. Creating the Trustee authentication secret
Link kopieren

You must create the authentication secret for Trustee.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a private key by running the following command: 

    $ openssl genpkey -algorithm ed25519 > privateKey
    Copy to Clipboard Toggle word wrap

  2. Create a public key by running the following command: 

    $ openssl pkey -in privateKey -pubout -out publicKey
    Copy to Clipboard Toggle word wrap

  3. Create a secret by running the following command: 

    $ oc create secret generic kbs-auth-public-key --from-file=publicKey -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

  4. Verify the secret by running the following command: 

    $ oc get secret -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

5.8. Creating the Trustee config map
Link kopieren

You must create the config map to configure the Trustee server.

Note

The following configuration example turns off security features to enable demonstration of Technology Preview features. It is not meant for a production environment.

Prerequisites

  • You have created a route for Trustee.

Procedure

  1. Create a kbs-config-cm.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: kbs-config-cm
  namespace: trustee-operator-system
data:
  kbs-config.json: |
    {
      "insecure_http" : true,
      "sockets": ["0.0.0.0:8080"],
      "auth_public_key": "/etc/auth-secret/publicKey",
      "attestation_token_config": {
        "attestation_token_type": "CoCo"
      },
      "repository_config": {
        "type": "LocalFs",
        "dir_path": "/opt/confidential-containers/kbs/repository"
      },
      "as_config": {
        "work_dir": "/opt/confidential-containers/attestation-service",
        "policy_engine": "opa",
        "attestation_token_broker": "Simple",
          "attestation_token_config": {
          "duration_min": 5
          },
        "rvps_config": {
          "store_type": "LocalJson",
          "store_config": {
            "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
          }
         }
      },
      "policy_engine_config": {
        "policy_path": "/opt/confidential-containers/opa/policy.rego"
      }
    }
    Copy to Clipboard Toggle word wrap

  2. Create the config map by running the following command: 

    $ oc apply -f kbs-config-cm.yaml
    Copy to Clipboard Toggle word wrap

5.9. Configuring Trustee values, policies, and secrets
Link kopieren

You can configure the following values, policies, and secrets for Trustee:

  • Optional: Reference values for the Reference Value Provider Service.
  • Optional: Attestation policy.
  • Provisioning Certificate Caching Service for Intel Trust Domain Extensions (TDX).
  • Optional: Secret for custom keys for Trustee clients.
  • Optional: Secret for container image signature verification.
  • Container image signature verification policy. This policy is mandatory. If you do not use container image signature verification, you must create a policy that does not verify signatures.
  • Resource access policy.

5.9.1. Configuring reference values
Link kopieren

You can configure reference values for the Reference Value Provider Service (RVPS) by specifying the trusted digests of your hardware platform.

The client collects measurements from the running software, the Trusted Execution Environment (TEE) hardware and firmware and it submits a quote with the claims to the Attestation Server. These measurements must match the trusted digests registered to the Trustee. This process ensures that the confidential VM (CVM) is running the expected software stack and has not been tampered with.

Procedure

  1. Create an rvps-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: rvps-reference-values
  namespace: trustee-operator-system
data:
  reference-values.json: |
    [
    1 
    
    ]
    Copy to Clipboard Toggle word wrap
    1
    Specify the trusted digests for your hardware platform if required. Otherwise, leave it empty.

  2. Create the RVPS config map by running the following command: 

    $ oc apply -f rvps-configmap.yaml
    Copy to Clipboard Toggle word wrap

5.9.2. Creating an attestation policy
Link kopieren

You can create an attestation policy that overrides the default attestation policy.

Procedure

  1. Create an attestation-policy.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: attestation-policy
  namespace: trustee-operator-system
data:
  default.rego: |
    package policy
    1 
    
    import future.keywords.every

    default allow = false

    allow {
      every k, v in input {
          judge_field(k, v)
      }
    }

    judge_field(input_key, input_value) {
      has_key(data.reference, input_key)
      reference_value := data.reference[input_key]
      match_value(reference_value, input_value)
    }

    judge_field(input_key, input_value) {
      not has_key(data.reference, input_key)
    }

    match_value(reference_value, input_value) {
      not is_array(reference_value)
      input_value == reference_value
    }

    match_value(reference_value, input_value) {
      is_array(reference_value)
      array_include(reference_value, input_value)
    }

    array_include(reference_value_array, input_value) {
      reference_value_array == []
    }

    array_include(reference_value_array, input_value) {
      reference_value_array != []
      some i
      reference_value_array[i] == input_value
    }

    has_key(m, k) {
      _ = m[k]
    }
    Copy to Clipboard Toggle word wrap
    1
    The attestation policy follows the Open Policy Agent specification. In this example, the attestation policy compares the claims provided in the attestation report to the reference values registered in the RVPS database. The attestation process is successful only if all the values match.

  2. Create the attestation policy config map by running the following command: 

    $ oc apply -f attestation-policy.yaml
    Copy to Clipboard Toggle word wrap

5.9.3. Configuring PCCS for TDX
Link kopieren

If you use Intel Trust Domain Extensions (TDX), you must configure Trustee to use the Provisioning Certificate Caching Service (PCCS).

The PCCS retrieves the Provisioning Certification Key (PCK) certificates and caches them in a local database.

Important

Do not use the public Intel PCCS service. Use a local caching service on-premise or on the public cloud.

Procedure

  1. Create a tdx-config.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: tdx-config
  namespace: trustee-operator-system
data:
  sgx_default_qcnl.conf: | \
      {
        "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
        "pccs_url": "<pccs_url>"
    1 
    
      }
    Copy to Clipboard Toggle word wrap
    1
    Specify the PCCS URL, for example, https://localhost:8081/sgx/certification/v4/.

  2. Create the TDX config map by running the following command: 

    $ oc apply -f tdx-config.yaml
    Copy to Clipboard Toggle word wrap

5.9.4. Creating a secret with custom keys for clients
Link kopieren

You can create a secret that contains one or more custom keys for Trustee clients.

In this example, the kbsres1 secret has two entries (key1, key2), which the clients retrieve. You can add additional secrets according to your requirements by using the same format.

Prerequisites

  • You have created one or more custom keys.

Procedure

  • Create a secret for the custom keys according to the following example: 

    $ oc apply secret generic kbsres1 \
  --from-literal key1=<custom_key1> \
    1 
    
  --from-literal key2=<custom_key2> \
  -n trustee-operator-system
    Copy to Clipboard Toggle word wrap
    1
    Specify a custom key.

    The kbsres1 secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

5.9.5. Creating a secret for container image signature verification
Link kopieren

If you use container image signature verification, you must create a secret that contains the public container image signing key.

The Confidential compute attestation Operator uses the secret to verify the signature, ensuring that only trusted and authenticated container images are deployed in your environment.

You can use Red Hat Trusted Artifact Signer or other tools to sign container images.

Procedure

  1. Create a secret for container image signature verification by running the following command: 

    $ oc apply secret generic <type> \
    1 
    
  --from-file=<tag>=./<public_key_file> \
    2 
    
  -n trustee-operator-system
    Copy to Clipboard Toggle word wrap
    1
    Specify the KBS secret type, for example, img-sig.
    2
    Specify the secret tag, for example, pub-key, and the public container image signing key.
  2. Record the <type> value. You must add this value to the spec.kbsSecretResources key when you create the KbsConfig custom resource.

5.9.6. Creating the container image signature verification policy
Link kopieren

You create the container image signature verification policy because signature verification is always enabled. If this policy is missing, the pods will not start.

If you are not using container image signature verification, you create the policy without signature verification.

For more information, see containers-policy.json 5.

Procedure

  1. Create a security-policy-config.json file according to the following examples:

    • Without signature verification: 

      {
  "default": [
  {
    "type": "insecureAcceptAnything"
  }],
  "transports": {}
}
      Copy to Clipboard Toggle word wrap

    • With signature verification: 

      {
  "default": [
      {
      "type": "insecureAcceptAnything"
      }
  ],
  "transports": {
      "<transport>": {
      1 
      
          "<registry>/<image>":
      2 
      
          [
              {
                  "type": "sigstoreSigned",
                  "keyPath": "kbs:///default/<type>/<tag>"
      3 
      
              }
          ]
      }
  }
}
      Copy to Clipboard Toggle word wrap
      1
      Specify the image repository for transport, for example, "docker":. For more information, see containers-transports 5.
      2
      Specify the container registry and image, for example, "quay.io/my-image".
      3
      Specify the type and tag of the container image signature verification secret that you created, for example, img-sig/pub-key.

  2. Create the security policy by running the following command: 

    $ oc apply secret generic security-policy \
  --from-file=osc=./<security-policy-config.json> \
  -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

    Do not alter the secret type, security-policy, or the key, osc.

    The security-policy secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

5.9.7. Creating the resource access policy
Link kopieren

You configure the resource access policy for the Trustee policy engine. This policy determines which resources Trustee can access.

Note

The Trustee policy engine is different from the Attestation Service policy engine, which determines the validity of TEE evidence.

Procedure

  1. Create a resourcepolicy-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: resource-policy
  namespace: trustee-operator-system
data:
  policy.rego: |
    1 
    
    package policy
    2 
    
    default allow = false
    allow {
      input["tee"] != "sample"
    }
    Copy to Clipboard Toggle word wrap
    1
    The name of the resource policy, policy.rego, must match the resource policy defined in the Trustee config map.
    2
    The resource policy follows the Open Policy Agent specification. This example allows the retrieval of all resources when the TEE is not the sample attester.

  2. Create the resource policy config map by running the following command: 

    $ oc apply -f resourcepolicy-configmap.yaml
    Copy to Clipboard Toggle word wrap

5.10. Creating the KbsConfig custom resource
Link kopieren

You create the KbsConfig custom resource (CR) to launch Trustee.

Then, you check the Trustee pods and pod logs to verify the configuration.

Procedure

  1. Create a kbsconfig-cr.yaml manifest file: 

    apiVersion: confidentialcontainers.org/v1alpha1
kind: KbsConfig
metadata:
  labels:
    app.kubernetes.io/name: kbsconfig
    app.kubernetes.io/instance: kbsconfig
    app.kubernetes.io/part-of: trustee-operator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: trustee-operator
  name: kbsconfig
  namespace: trustee-operator-system
spec:
  kbsConfigMapName: kbs-config-cm
  kbsAuthSecretName: kbs-auth-public-key
  kbsDeploymentType: AllInOneDeployment
  kbsRvpsRefValuesConfigMapName: rvps-reference-values
  kbsSecretResources: ["kbsres1", "security-policy", "<type>"]
    1 
    
  kbsResourcePolicyConfigMapName: resource-policy
# tdxConfigSpec:
#   kbsTdxConfigMapName: tdx-config
    2 
    
# kbsAttestationPolicyConfigMapName: attestation-policy
    3 
    
# kbsServiceType: <service_type>
    4
    Copy to Clipboard Toggle word wrap
    1
    Optional: Specify the type value of the container image signature verification secret if you created the secret, for example, img-sig. If you did not create the secret, set the kbsSecretResources value to ["kbsres1", "security-policy"].
    2
    Uncomment tdxConfigSpec.kbsTdxConfigMapName: tdx-config for Intel Trust Domain Extensions.
    3
    Uncomment kbsAttestationPolicyConfigMapName: attestation-policy if you create a customized attestation policy.
    4
    Uncomment kbsServiceType: <service_type> if you create a service type, other than the default ClusterIP service, to expose applications within the cluster external traffic. You can specify NodePort, LoadBalancer, or ExternalName.

  2. Create the KbsConfig CR by running the following command: 

    $ oc apply -f kbsconfig-cr.yaml
    Copy to Clipboard Toggle word wrap

5.11. Verifying the Trustee configuration
Link kopieren

You verify the Trustee configuration by checking the Trustee pods and logs.

Procedure

  1. Set the default project by running the following command: 

    $ oc project trustee-operator-system
    Copy to Clipboard Toggle word wrap

  2. Check the Trustee pods by running the following command: 

    $ oc get pods -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                   READY   STATUS    RESTARTS   AGE
trustee-deployment-8585f98449-9bbgl                    1/1     Running   0          22m
trustee-operator-controller-manager-5fbd44cd97-55dlh   2/2     Running   0          59m
    Copy to Clipboard Toggle word wrap

  3. Set the POD_NAME environmental variable by running the following command: 

    $ POD_NAME=$(oc get pods -l app=kbs -o jsonpath='{.items[0].metadata.name}' -n trustee-operator-system)
    Copy to Clipboard Toggle word wrap

  4. Check the pod logs by running the following command: 

    $ oc logs -n trustee-operator-system $POD_NAME
    Copy to Clipboard Toggle word wrap

    Example output

    [2024-05-30T13:44:24Z INFO  kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-05-30T13:44:24Z WARN  attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-05-30T13:44:24Z INFO  attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-05-30T13:44:24Z INFO  api_server] Starting HTTPS server at [0.0.0.0:8080]
[2024-05-30T13:44:24Z INFO  actix_server::builder] starting 12 workers
[2024-05-30T13:44:24Z INFO  actix_server::server] Tokio runtime found; starting in existing Tokio runtime
    Copy to Clipboard Toggle word wrap

5.12. Verifying the attestation process
Link kopieren

You can verify the attestation process by creating a test pod and retrieving its secret.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O because the data can be captured by using a memory dump. Only data written to memory is encrypted.

By default, an agent side policy embedded in the pod VM image disables the exec and log APIs for a Confidential Containers pod. This policy ensures that sensitive data is not written to standard I/O.

In a test scenario, you can override the restriction at runtime by adding a policy annotation to the pod. For Technology Preview, runtime policy annotations are not verified by remote attestation.

Prerequisites

  • You have created a route if the Trustee server and the test pod are not running in the same cluster.

Procedure

  1. Create a verification-pod.yaml manifest file: 

    apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.agent.policy: cGFja2FnZSBhZ2VudF9wb2xpY3kKCmRlZmF1bHQgQWRkQVJQTmVpZ2hib3JzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENsb3NlU3RkaW5SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBDb3B5RmlsZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR2V0TWV0cmljc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEdldE9PTUV2ZW50UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR3Vlc3REZXRhaWxzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTGlzdEludGVyZmFjZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBMaXN0Um91dGVzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTWVtSG90cGx1Z0J5UHJvYmVSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBPbmxpbmVDUFVNZW1SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBQYXVzZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFB1bGxJbWFnZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFJlYWRTdHJlYW1SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVTdGFsZVZpcnRpb2ZzU2hhcmVNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZXNlZWRSYW5kb21EZXZSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZXN1bWVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTZXRHdWVzdERhdGVUaW1lUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2V0UG9saWN5UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2lnbmFsUHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0Q29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhcnRUcmFjaW5nUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhdHNDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdG9wVHJhY2luZ1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFR0eVdpblJlc2l6ZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUludGVyZmFjZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZVJvdXRlc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdhaXRQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgV3JpdGVTdHJlYW1SZXF1ZXN0IDo9IHRydWUK
    1 
    
spec:
  runtimeClassName: kata-remote
  containers:
    - name: skr-openshift
      image: registry.access.redhat.com/ubi9/ubi:9.3
      command:
        - sleep
        - "36000"
      securityContext:
        privileged: false
        seccompProfile:
          type: RuntimeDefault
    Copy to Clipboard Toggle word wrap
    1
    This pod annotation overrides the policy that prevents sensitive data from being written to standard I/O.

  2. Create the pod by running the following command: 

    $ oc create -f verification-pod.yaml
    Copy to Clipboard Toggle word wrap

  3. Connect to the Bash shell of the ocp-cc-pod by running the following command: 

    $ oc exec -it ocp-cc-pod -- bash
    Copy to Clipboard Toggle word wrap

  4. Fetch the pod secret by running the following command: 

    $ curl http://127.0.0.1:8006/cdh/resource/default/kbsres1/key1
    Copy to Clipboard Toggle word wrap

    Example output

    res1val1
    Copy to Clipboard Toggle word wrap

    The Trustee server returns the secret only if the attestation is successful.

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat