mirror of https://github.com/confidential-containers/confidential-containers.git (synced 2025-10-19 14:31:07 +00:00)
release: add release notes for v0.14.0

This is a big release

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Committed by: Tobin Feldman-Fitzthum
Parent: a12c1c93c3
Commit: ab174bdc71
releases/v0.14.0.md (new file, 89 lines)
@@ -0,0 +1,89 @@
# Release Notes for v0.14.0

Release Date: May 23rd, 2025

This release is based on [3.17.0](https://github.com/kata-containers/kata-containers/releases/tag/3.17.0) of Kata Containers
and [v0.11.0](https://github.com/confidential-containers/enclave-cc/releases/tag/v0.11.0) of enclave-cc.

Kata and the CoCo components share an MSRV of 1.80.0.

Please see the [quickstart guide](https://confidentialcontainers.org/docs/getting-started/) or [project documentation](https://confidentialcontainers.org/docs) for more information.

## What's new

* Init-data is supported on bare metal Confidential Containers (see limitations below)
* [Peer Pods](https://github.com/confidential-containers/cloud-api-adaptor) is now supported by [Alibaba Cloud](https://github.com/confidential-containers/cloud-api-adaptor/tree/main/src/cloud-api-adaptor/alibabacloud).
* Image-rs supports registry configuration file for fine-grained proxying and remapping of container registries.
* KBS Client can be used to set reference values for Trustee.
* KBS Client has a few simple resource policies built-in.
* Trustee supports native verification of CCA guests in addition to verification via veraison.
* Trustee artifacts are built and tested for ARM.
* Trustee can extract reference values from TCG RIMs.
* Trustee can be configured to support a larger payload size to accomodate guests with large evidence.
* The confidential guest kernel configuration disables virtio MMIO transport and rng to reduce host attack surface.

## Bug Fixes
* CDH configuration file no longer requires `coco_as` and `kbs_token` fields to be set when not in use.
* Trustee with docker compose can attest TDX evidence without any changes to QCNL configuration.
* Trustee no longer errors when parsing the CCEl of a guest booted with grub.
* Trustee default policy matches parsed claims generated by SNP verifier.
* Trustee k8s deployment and Kata tests updated for new AKS interfaces

## Hardware Support

Attestation is supported and tested on three platforms: Intel TDX, AMD SEV-SNP, and IBM SE.
Not all features have been tested on every platform, but those based on attestation
are expected to work on the platforms above.

Make sure your host platform is compatible with the hypervisor and guest kernel
provisioned by CoCo.

This release has been tested on the following stacks:

### AMD SEV-SNP

* Processor: AMD EPYC 7413
* Kernel: 6.12.0-snp-host-adc218676 (upstream 6.11+)
* OS: Ubuntu 22.04.4 LTS
* k8s: v1.30.1 (Kubeadm)
* Kustomize: v4.5.4

### Intel TDX

* Kernel: [6.8.0-1022-intel](https://git.launchpad.net/~kobuk-team/ubuntu/+source/linux-intel/tree/?h=noble-main-next)
* OS: Ubuntu 24.04 LTS
* k8s: v1.30.2 (Kubeadm)
* Kustomize: v5.0.4-0.20230601165947-6ce0bf390ce3

### Secure Execution on IBM zSystems (s390x) running LinuxONE

* Hardware: IBM Z16 LPAR
* Kernel: 5.15.0-113-generic
* OS: Ubuntu 22.04.1 LTS
* k8s: v1.28.4 (Kubeadm)
* Kustomize: v5.3.0

## Limitations

The following are limitations and known issues with this release.

* Bare metal initdata is only tested on TDX and non-tee.
* Plaintext initdata is not forwarded to Trustee.
* Credentials for authenticated registries are exposed to the host.
* Not all features are tested on all platforms.
* Nydus snapshotter support is not mature.
* Nydus snapshotter sometimes fails to pull an image.
* Host pulling with Nydus snapshotter is not yet enabled.
* Nydus snapshotter is not supported with enclave-cc.
* Pulling container images inside guest may have negative performance implications including greater resource usage and slower startup.
* `crio` support is still evolving.
* Platform support is rapidly changing
* SELinux is not supported on the host and must be set to permissive if in use.
* Complete integration with Kubernetes is still in progress.
* Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/confidential-containers/issues/53)
* Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host
* The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.

## CVE Fixes

None
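Review bot: the "Limitations" and "Hardware Support" sections disagree about what was tested, and the reader is left to reconcile them: `Bare metal initdata is only tested on TDX and non-tee.` sits under a hardware section that says attestation-based features "are expected to work" on TDX, SEV-SNP and IBM SE, so the init-data bullet in "What's new" should say outright that bare metal init-data is untested on SEV-SNP and IBM SE instead of pointing at the limitations list. Two entries also omit what an operator needs in order to act on them: `Trustee can be configured to support a larger payload size to accomodate guests with large evidence.` names neither the configuration key nor the default, and `The confidential guest kernel configuration disables virtio MMIO transport and rng to reduce host attack surface.` does not say which entropy source the guest now relies on, which anyone generating keys inside the guest will want to know. The registry-credential limitation (credentials exposed to the host) is the most security-relevant item in the list and should carry a tracking-issue link like the one given for the Kubernetes API limitation. Minor: "accomodate" should be "accommodate", "CCEl" should be "CCEL", "non-tee" should be "non-TEE", "Init-data" and "initdata" are spelled inconsistently, and the AKS-interfaces bug-fix entry, the "Platform support is rapidly changing" entry and the `kubectl exec` entry lack the trailing period the surrounding bullets have.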