runtime: Support trusted ephemeral data storage

This modifies the direct volume assignement API to support the new metadata flags `confidential` and `ephemeral` and propagate them to the agent. Fixes: confidential-containers/confidential-containers#247 (proposal) Fixes: #10560 (tracking issue) Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-01 08:56:32 +00:00 · 2024-11-08 12:40:37 -06:00
parent c47bff6d6a
commit c8609bb857
4 changed files with 30 additions and 0 deletions
--- a/src/runtime/pkg/direct-volume/utils.go
+++ b/src/runtime/pkg/direct-volume/utils.go
@@ -17,6 +17,8 @@ import (
 const (
 	mountInfoFileName = "mountInfo.json"

+	ConfidentialMetadataKey        = "confidential"
+	EphemeralMetadataKey           = "ephemeral"
 	FSGroupMetadataKey             = "fsGroup"
 	FSGroupChangePolicyMetadataKey = "fsGroupChangePolicy"
 )
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
@@ -644,6 +644,20 @@ func (c *Container) createBlockDevices(ctx context.Context) error {

 			for key, value := range mntInfo.Metadata {
 				switch key {
+				case volume.ConfidentialMetadataKey:
+					confidential, err := strconv.ParseBool(value)
+					if err != nil {
+						c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
+						continue
+					}
+					c.mounts[i].Confidential = confidential
+				case volume.EphemeralMetadataKey:
+					ephemeral, err := strconv.ParseBool(value)
+					if err != nil {
+						c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
+						continue
+					}
+					c.mounts[i].Ephemeral = ephemeral
 				case volume.FSGroupMetadataKey:
 					gid, err := strconv.Atoi(value)
 					if err != nil {
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1793,6 +1793,13 @@ func (k *kataAgent) handleDeviceBlockVolume(c *Container, m Mount, device api.De
 		}
 	}

+	if m.Confidential {
+		vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.ConfidentialMetadataKey))
+	}
+	if m.Ephemeral {
+		vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.EphemeralMetadataKey))
+	}
+
 	return vol, nil
 }

--- a/src/runtime/virtcontainers/mount.go
+++ b/src/runtime/virtcontainers/mount.go
@@ -273,6 +273,13 @@ type Mount struct {
 	// FSGroupChangePolicy specifies the policy that will be used when applying
 	// group id ownership change for a volume.
 	FSGroupChangePolicy volume.FSGroupChangePolicy
+
+	// Confidential specifies whether to encrypt the underlying storage.
+	Confidential bool
+
+	// Ephemeral specifies whether the underlying storage is ephemeral:
+	// https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/
+	Ephemeral bool
 }

 func isSymlink(path string) bool {