github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-10-21 23:48:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bfcdf18bfafd69ccb1b26a90986d65d6a276e0f1
confidential-containers/releases/v0.5.0.md
Tobin Feldman-Fitzthum 6ef8992bc0 releases: fix dead links in release notes 
Our link checker is having problems with GH redirects, so let's update
these links to point to the right place (even for the old releases).

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-01-23 13:04:01 -05:00

82 lines
4.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Release Notes for v0.5.0
Release Date: 2023-04-14
> **Warning**
> This release includes breaking changes to the format of encrypted images. See below for more details.
> Images that were encrypted using tooling from previous releases will fail with this release.
> The process for validating signed images is also slightly different.
Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential
Containers.
Please refer to our [Acronyms](https://github.com/confidential-containers/documentation/wiki/Acronyms)
and [Glossary](https://github.com/confidential-containers/documentation/wiki/Glossary) pages for a
definition of the acronyms used in this document.
## What's new
- Process-based isolation is now fully supported with SGX hardware added to enclave-cc CI
- Remote hypervisor support added to the CoCo operator, which helps to enable creating containers
as peer pods, either locally, or on Cloud Service Provider Infrastructure.
See [README](https://github.com/confidential-containers/cloud-api-adaptor/blob/v0.5.0/README.md) for more information and installation instructions.
- [KBS Resource URI Scheme](https://github.com/confidential-containers/attestation-agent/blob/main/docs/KBS_URI.md)
is published to identify all confidential resources.
- Different KBCs now share image encryption format allowing for interchangeable use.
- Generic Key Broker System (KBS) is now supported. This includes the [KBS](https://github.com/confidential-containers/kbs)
itself, which relies on the [Attestation Service (AS)](https://github.com/confidential-containers/attestation-service)
for attestation evidence verification. Reference Values are provided to the `AS` by
the [Reference Value Provider Service (RVPS)](https://github.com/confidential-containers/attestation-service/blob/main/docs/rvps.md).
Currently only TDX and a sample mode are supported with generic KBS. Other platforms are in development.
- SEV configuration can be set with annotations.
- SEV-ES is now tested in the CI.
- Some developmental SEV-SNP components can be manually enabled to test SNP containers without attestation.
## Hardware Support
Confidential Containers is tested with attestation on the following platforms:
- Intel TDX
- AMD SEV(-ES)
- Intel SGX
The following platforms are untested or partially supported:
- IBM Secure Execution (SE) on IBM zSystems (s390x) running LinuxONE
The following platforms are in development:
- AMD SEV-SNP
## Limitations
The following are known limitations of this release:
- Platform support is currently limited, and rapidly changing
* Image signature validation with AMD SEV-ES is not covered by CI.
* s390x does not support cosign signature validation
- SELinux is not supported on the host and must be set to permissive if in use.
- Attestation and key brokering support varies by platform.
* The generic KBS is only supported on TDX. Other platforms have different solutions.
- The format of encrypted container images is still subject to change
* The [oci-crypt](https://github.com/containers/ocicrypt) container image format itself may still change
* The tools to generate images are not in their final form
* The image format itself is subject to change in upcoming releases
* Image repository support for encrypted images is unequal
- CoCo currently requires a custom build of `containerd`
* The CoCo operator will deploy the correct version of `containerd` for you
* Changes are required to delegate `PullImage` to the agent in the virtual machine
* The required changes are not part of the vanilla `containerd`
* The final form of the required changes in `containerd` is expected to be different
* `crio` is not supported
- CoCo is not fully integrated with the orchestration ecosystem (Kubernetes, OpenShift)
* OpenShift support is not yet complete.
* Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/confidential-containers/issues/53)
* Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host
* Container image sharing is not possible in this release
* Container images are downloaded by the guest (with encryption), not by the host
* As a result, the same image will be downloaded separately by every pod using it, not shared between pods on the same host. [More info](https://github.com/confidential-containers/confidential-containers/issues/66)
- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.
* We track our status with the OpenSSF Best Practices Badge, which increased from 49% to 64% at the time of this release.
* All CoCo repos now have automated tests, including linting, incorporated into CI.
* Vulnerability reporting mechanisms still need to be created. Public github issues are still appropriate for this release until private reporting is established.
## CVE Fixes
None
Reference in New Issue View Git Blame Copy Permalink