crd: Expose "UsingNFD" to the CcInstallConfig #243

Draft: wants to merge 1 commit into base: main


fidencio
Member

Let's have an explicit toggle that allows users to specify whether they're relying on NFD or not.

In case they're not relying on NFD, business as usual. In case they are, then the runtime payload will be able to create a specific NodeFeatureRule, adapt the podOverhead of the runtime class, and make sure the keys book-keeping is correctly done.

Right now, on the Kata Containers side of the things, only TDX is capable of doing so, but it's easy to expand in case other TEEs want to do the same.

Let's have an explicit toggle that allows users to specify whether
they're relying on NFD or not.

In case they're not relying on NFD, business as usual.  In case they
are, then the runtime payload will be able to create a specific
NodeFeatureRule, adapt the podOverhead of the runtime class, and make
sure the keys book-keeping is correctly done.

Right now, on the Kata Containers side of the things, only TDX is
capable of doing so, but it's easy to expand in case other TEEs want to
do the same.

Signed-off-by: Fabiano Fidêncio <[email protected]>
fidencio linked an issue on Aug 10, 2023 that may be closed by this pull request
@fidencio
Member Author

A few notes for the reviewers.

  1. This work depends on a PR that's not yet merged on the Kata Containers side: kata-deploy: Take NFD into consideration kata-containers/kata-containers#7469
  2. I've decided to use an explicit toggle as rules, on the Kata Containers side, were only introduced for TDX
  3. We may hit the case where someone is using NFD, but still may want to have their own rules being used (and then they can manually do it, as they're most likely doing today)

@fidencio
Member Author

JFYI, this one will be material for the v0.9.0 release, not for this one.
Thanks for the understanding.

Successfully merging this pull request may close these issues.

Detect confidential computing capabilities of the cluster node