runtime: Support trusted ephemeral data storage
This modifies the direct volume assignment API to support the new metadata flags `confidential` and `ephemeral` and propagate them to the agent. Fixes: confidential-containers/confidential-containers#247 (proposal) Fixes: #10560 (tracking issue) Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@@ -17,6 +17,8 @@ import (
const (
|
const (
|
||||||
mountInfoFileName = "mountInfo.json"
|
mountInfoFileName = "mountInfo.json"
|
||||||
|
|
||||||
|
ConfidentialMetadataKey = "confidential"
|
||||||
|
EphemeralMetadataKey = "ephemeral"
|
||||||
FSGroupMetadataKey = "fsGroup"
|
FSGroupMetadataKey = "fsGroup"
|
||||||
FSGroupChangePolicyMetadataKey = "fsGroupChangePolicy"
|
FSGroupChangePolicyMetadataKey = "fsGroupChangePolicy"
|
||||||
)
|
)
|
||||||
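Review bot: The two new exported constants ConfidentialMetadataKey and EphemeralMetadataKey carry no doc comment, which matches the existing FSGroup entries but leaves the accepted value format undocumented at the place a caller would look. A line such as `// ConfidentialMetadataKey is the mount metadata key whose boolean-string value asks for the volume's storage to be encrypted.` (and the equivalent for EphemeralMetadataKey) would record the contract that the parser in createBlockDevices enforces. The enclosing const block is shown in full, but the surrounding file is not.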
@@ -644,6 +644,20 @@ func (c *Container) createBlockDevices(ctx context.Context) error {
|
|
||||||
for key, value := range mntInfo.Metadata {
|
for key, value := range mntInfo.Metadata {
|
||||||
switch key {
|
switch key {
|
||||||
|
case volume.ConfidentialMetadataKey:
|
||||||
|
confidential, err := strconv.ParseBool(value)
|
||||||
|
if err != nil {
|
||||||
|
c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
c.mounts[i].Confidential = confidential
|
||||||
|
case volume.EphemeralMetadataKey:
|
||||||
|
ephemeral, err := strconv.ParseBool(value)
|
||||||
|
if err != nil {
|
||||||
|
c.Logger().Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
c.mounts[i].Ephemeral = ephemeral
|
||||||
case volume.FSGroupMetadataKey:
|
case volume.FSGroupMetadataKey:
|
||||||
gid, err := strconv.Atoi(value)
|
gid, err := strconv.Atoi(value)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
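Review bot: In the new ConfidentialMetadataKey case an unparsable value is logged and then skipped with `continue`, so a malformed request (a typo in the boolean string) silently falls back to a mount without the confidential flag; for a setting whose purpose is confidentiality, failing closed is the safer default. Since createBlockDevices already returns error, both new cases could replace the log-and-continue with `return fmt.Errorf("invalid value %q for metadata key %q, expected boolean string", value, key)` (assuming fmt is imported in this file, which the hunk does not show). The log-and-continue shape appears to mirror the existing fsGroup case, whose error handling continues outside the hunk, so if that is a deliberate convention, at least the confidential case deserves the stricter treatment. createBlockDevices starts and ends outside the hunk, as does the loop that defines `i`.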
@@ -1793,6 +1793,13 @@ func (k *kataAgent) handleDeviceBlockVolume(c *Container, m Mount, device api.De
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if m.Confidential {
|
||||||
|
vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.ConfidentialMetadataKey))
|
||||||
|
}
|
||||||
|
if m.Ephemeral {
|
||||||
|
vol.DriverOptions = append(vol.DriverOptions, fmt.Sprintf("%s=true", volume.EphemeralMetadataKey))
|
||||||
|
}
|
||||||
|
|
||||||
return vol, nil
|
return vol, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
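Review bot: The two new DriverOptions entries are built with `fmt.Sprintf("%s=true", ...)` although both operands are compile-time constants; `volume.ConfidentialMetadataKey + "=true"` and `volume.EphemeralMetadataKey + "=true"` read more directly and avoid the formatting call. Nothing in the hunk says who consumes these options, so a one-line comment above the first `if`, e.g. `// Forward the confidential/ephemeral flags to the agent as driver options keyed by the shared metadata names.`, would make the contract visible to the next reader (the commit description is the only place it is stated). handleDeviceBlockVolume starts outside the hunk.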
@@ -273,6 +273,13 @@ type Mount struct {
// FSGroupChangePolicy specifies the policy that will be used when applying
|
// FSGroupChangePolicy specifies the policy that will be used when applying
|
||||||
// group id ownership change for a volume.
|
// group id ownership change for a volume.
|
||||||
FSGroupChangePolicy volume.FSGroupChangePolicy
|
FSGroupChangePolicy volume.FSGroupChangePolicy
|
||||||
|
|
||||||
|
// Confidential specifies whether to encrypt the underlying storage.
|
||||||
|
Confidential bool
|
||||||
|
|
||||||
|
// Ephemeral specifies whether the underlying storage is ephemeral:
|
||||||
|
// https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/
|
||||||
|
Ephemeral bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func isSymlink(path string) bool {
|
func isSymlink(path string) bool {
|
||||||
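Review bot: The comment on the new `Confidential` field reads as if the runtime itself encrypts the storage, whereas on this side the flag is only parsed from mount metadata and forwarded to the agent (per the commit description), so the comment overstates the guarantee. Suggested wording: `// Confidential requests that the guest agent encrypt the underlying storage. Set from the "confidential" mount metadata key.`. A matching note on `Ephemeral`, e.g. `// Ephemeral marks the underlying storage as ephemeral and is forwarded to the agent; see https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/`, keeps the two fields documented in the same terms. The Mount struct's header is outside the hunk.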