From c8609bb8576ad5ec507269d4e96f3841c41f4c39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?=
Date: Fri, 8 Nov 2024 12:40:37 -0600
Subject: [PATCH] runtime: Support trusted ephemeral data storage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This modifies the direct volume assignement API to support the new metadata flags `confidential` and `ephemeral` and propagate them to the agent.

Fixes: confidential-containers/confidential-containers#247 (proposal)
Fixes: #10560 (tracking issue)

Signed-off-by: Aurélien Bombo
---
 src/runtime/pkg/direct-volume/utils.go | 2 ++
 src/runtime/virtcontainers/container.go | 14 ++++++++++++++
 src/runtime/virtcontainers/kata_agent.go | 7 +++++++
 src/runtime/virtcontainers/mount.go | 7 +++++++
 4 files changed, 30 insertions(+)

diff --git a/src/runtime/pkg/direct-volume/utils.go b/src/runtime/pkg/direct-volume/utils.go
index 9e13a4d227..6daef00065 100644
--- a/src/runtime/pkg/direct-volume/utils.go
+++ b/src/runtime/pkg/direct-volume/utils.go
@@ -17,6 +17,8 @@ import (
 
 const (
 	mountInfoFileName = "mountInfo.json"
+	ConfidentialMetadataKey = "confidential"
+	EphemeralMetadataKey = "ephemeral"
 	FSGroupMetadataKey = "fsGroup"
 	FSGroupChangePolicyMetadataKey = "fsGroupChangePolicy"
 )
diff --git a/src/runtime/virtcontainers/container.go b/src/runtime/virtcontainers/container.go
index b554df4cfa..30b272ea94 100644
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
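Review bot: The two new exported constants `ConfidentialMetadataKey` and `EphemeralMetadataKey` carry no doc comment, and nothing at the definition site says what value the keys accept. The consumer in container.go parses both with strconv.ParseBool, so a one-line comment per key, e.g. `// ConfidentialMetadataKey marks a direct volume whose backing storage must be encrypted; its value is a boolean string accepted by strconv.ParseBool.`, would let users of the direct-volume API get the value right without reading virtcontainers. The neighbouring FSGroup keys are equally bare, but that is pre-existing.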
@@ -644,6 +644,20 @@ func (c *Container) createBlockDevices(ctx context.Context) error {
 
 		for key, value := range mntInfo.Metadata {
 			switch key {
+			case volume.ConfidentialMetadataKey:
+				confidential, err := strconv.ParseBool(value)
+				if err != nil {
+					c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
+					continue
+				}
+				c.mounts[i].Confidential = confidential
+			case volume.EphemeralMetadataKey:
+				ephemeral, err := strconv.ParseBool(value)
+				if err != nil {
+					c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
+					continue
+				}
+				c.mounts[i].Ephemeral = ephemeral
 			case volume.FSGroupMetadataKey:
 				gid, err := strconv.Atoi(value)
 				if err != nil {
diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index 7c22373e4d..0912fdad9a 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1793,6 +1793,13 @@ func (k *kataAgent) handleDeviceBlockVolume(c *Container, m Mount, device api.De
 		}
 	}
 
+	if m.Confidential {
+		vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.ConfidentialMetadataKey))
+	}
+	if m.Ephemeral {
+		vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.EphemeralMetadataKey))
+	}
+
 	return vol, nil
 }
 
diff --git a/src/runtime/virtcontainers/mount.go b/src/runtime/virtcontainers/mount.go
index e9f44dffd7..f3c44a725b 100644
--- a/src/runtime/virtcontainers/mount.go
+++ b/src/runtime/virtcontainers/mount.go
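Review bot: In the new `volume.ConfidentialMetadataKey` case, a value that `strconv.ParseBool` rejects is only logged and then skipped with `continue`, so `c.mounts[i].Confidential` keeps its zero value and the volume is handled as not confidential even though the caller asked for encryption. For this key a parse failure should fail the operation rather than silently downgrade, e.g. `return fmt.Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)` (createBlockDevices already returns error per the hunk header; whether fmt is imported in this file is not visible here). The `EphemeralMetadataKey` case is line-for-line the same apart from the field written, so a small helper that parses a boolean metadata value and reports the error would also remove the duplication. createBlockDevices starts and ends outside the hunk.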
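Review bot: The two new appends encode the flags as bare `key=true` driver options only when the `Mount` field is set, so the agent cannot tell a volume that was never marked confidential from one whose marker was lost before reaching it; since the options are assembled here from host-side `Mount` state, a short comment stating which side is expected to enforce the encryption requirement (presumably a guest-side policy, to confirm) would help the next reader. The `fmt.Sprintf` calls can also be plain concatenation, `volume.ConfidentialMetadataKey + "=true"`, since the value is fixed. handleDeviceBlockVolume begins outside the hunk.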
@@ -273,6 +273,13 @@ type Mount struct {
 	// FSGroupChangePolicy specifies the policy that will be used when applying
 	// group id ownership change for a volume.
 	FSGroupChangePolicy volume.FSGroupChangePolicy
+
+	// Confidential specifies whether to encrypt the underlying storage.
+	Confidential bool
+
+	// Ephemeral specifies whether the underlying storage is ephemeral:
+	// https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/
+	Ephemeral bool
 }
 
 func isSymlink(path string) bool {
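Review bot: The doc comment on the new `Confidential` field says what the flag means but not where it is populated from or what the zero value implies, which matters for a field that decides whether storage is encrypted. Suggest `// Confidential specifies whether to encrypt the underlying storage. It is populated from the "confidential" direct-volume metadata key; when the key is absent the field stays false.` and a matching sentence for `Ephemeral` naming the "ephemeral" key. The rest of the Mount struct is outside the hunk.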