4.12. 在预构建的镜像中签名 kmods
如果您有预构建的镜像,如由硬件供应商分发的镜像,或者在其他位置构建。
以下 YAML 文件将公钥/私钥对添加为带有所需密钥名称的 secret - key 为私钥,cert 为公钥。然后,集群会拉取 unsignedImage 镜像,打开它,签署 filesToSign 中列出的内核模块,将它们添加回来,并将生成的镜像推送到 containerImage。
然后,KMM 将签名的 kmods 加载到与选择器匹配的所有节点上。kmods 在其 MOK 数据库中有公钥的任何节点上成功载入,以及所有未启用 secure-boot 的节点,这将忽略签名。
先决条件
-
keySecret和certSecretsecret 已在与其他资源相同的命名空间中创建。
流程
应用 YAML 文件:
--- apiVersion: kmm.sigs.x-k8s.io/v1beta1 kind: Module metadata: name: example-module spec: moduleLoader: serviceAccountName: default container: modprobe: 1 moduleName: '<module_name>' kernelMappings: # the kmods will be deployed on all nodes in the cluster with a kernel that matches the regexp - regexp: '^.*\.x86_64$' # the container to produce containing the signed kmods containerImage: <image_name> 2 sign: # the image containing the unsigned kmods (we need this because we are not building the kmods within the cluster) unsignedImage: <image_name> 3 keySecret: # a secret holding the private secureboot key with the key 'key' name: <private_key_secret_name> certSecret: # a secret holding the public secureboot key with the key 'cert' name: <certificate_secret_name> filesToSign: # full path within the unsignedImage container to the kmod(s) to sign - /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko imageRepoSecret: # the name of a secret containing credentials to pull unsignedImage and push containerImage to the registry name: repo-pull-secret selector: kubernetes.io/arch: amd64
