Commit
This commit has created a new confidential-containers website using the static site generator Hugo: https://gohugo.io/ and the docsy theme: https://www.docsy.dev/docs/. In this initial commit I have also copied over a few placeholder documents that we already have in our numerous repositories. I have copied the demos folder and the release notes from the `coco/coco` repository. Most of these copied docs have been marked with `TODOs` so that the appropriate people in the relevant project can take a look at them and suggest changes, fixes and updates.

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Showing 53 changed files with 3,409 additions and 0 deletions.
@@ -0,0 +1,5 @@ | ||
/public | ||
resources/ | ||
node_modules/ | ||
package-lock.json | ||
.hugo_build.lock |
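Review bot: `package-lock.json` is ignored here alongside `node_modules/`, which throws away the only record of the exact npm dependency versions the site's toolchain resolves to (the `node_modules/` entry implies the Docsy PostCSS/npm tooling is in use). Ignoring `node_modules/` is right, but the lockfile should be committed so that `npm ci` in CI and in the build container reproduces the same dependency tree instead of whatever `npm install` resolves on the day of the build; drop the `package-lock.json` line and commit the lockfile once one has been generated.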
@@ -0,0 +1,4 @@ | ||
FROM klakegg/hugo:ext-alpine | ||
|
||
RUN apk add git && \ | ||
git config --global --add safe.directory /src |
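Review bot: `FROM klakegg/hugo:ext-alpine` pins nothing: `ext-alpine` is a floating tag, so each build can pull a different Hugo version and a different set of Alpine packages, and the image cannot be checked against a known digest. Pin to a specific Hugo version tag plus an `@sha256:` digest (taken from `docker inspect` of the image you actually tested with) so the site builds reproducibly. Two smaller points on the `RUN` line: use `apk add --no-cache git` so the package index is not left in the layer, and `git config --global --add safe.directory /src` waives git's ownership check for the mounted source tree; that is acceptable for a local dev container, but add a comment saying why it is needed (the bind-mounted `/src` is owned by a different uid than the container user) so nobody copies it into a CI image without thinking.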
@@ -0,0 +1,5 @@ | ||
+++ | ||
title = '{{ replace .File.ContentBaseName "-" " " | title }}' | ||
date = {{ .Date }} | ||
draft = true | ||
+++ |
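Review bot: the archetype uses TOML front matter (`+++`, `title = '...'`) while every content file added in this commit uses YAML (`---`, `title: ...`), so pages scaffolded with `hugo new` will come out in a different front-matter format from the hand-written ones. Hugo accepts both, but mixing styles in one repo makes lint rules and bulk edits harder; switch the archetype to YAML to match, e.g. `---`, `title: '{{ replace .File.ContentBaseName "-" " " | title }}'`, `date: {{ .Date }}`, `draft: true`, `---`. Keeping `draft: true` as the default is correct so that scaffolded pages do not publish by accident.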
@@ -0,0 +1,83 @@ | ||
--- | ||
title: Confidential Containers | ||
--- | ||
|
||
{{< blocks/cover title="Welcome to Confidential Containers!" image_anchor="top" height="full" >}} | ||
<a class="btn btn-lg btn-primary me-3 mb-4" href="/docs/"> | ||
Learn More <i class="fas fa-arrow-alt-circle-right ms-2"></i> | ||
</a> | ||
<a class="btn btn-lg btn-secondary me-3 mb-4" href="https://github.com/confidential-containers/confidentialcontainers.org"> | ||
Download <i class="fab fa-github ms-2 "></i> | ||
</a> | ||
<p class="lead mt-5">Confidential Computing for — Kubernetes!</p> | ||
{{< blocks/link-down color="info" >}} | ||
{{< /blocks/cover >}} | ||
|
||
<!-- Note: The content here is mostly copied / adapted from: https://github.com/confidential-containers/.github/blob/main/profile/README.md. This page shows up when one goes to: https://github.com/confidential-containers/ --> | ||
|
||
{{% blocks/lead color="primary" %}} | ||
Confidential Containers is an open source community working to enable cloud native confidential computing by leveraging [Trusted Execution Environments](https://en.wikipedia.org/wiki/Trusted_execution_environment) to protect containers and data. | ||
|
||
{{% /blocks/lead %}} | ||
|
||
{{% blocks/section color="dark" type="row" %}} | ||
|
||
Goals | ||
{.h1 .text-center} | ||
|
||
{{% blocks/feature icon="fa-microchip" title="Multiple TEEs" %}} | ||
Support for multiple Trusted Execution Environments (TEEs) and hardware platforms | ||
|
||
Please follow this space for updates! | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-cubes" title="Containers" %}} | ||
Transparent deployment of unmodified containers | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-cloud" title="Cloud Service Providers (CSP)" %}} | ||
A trust model which separates CSPs from guest applications | ||
{{% /blocks/feature %}} | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section type="row" %}} | ||
|
||
{{% blocks/feature icon="fa-shield" title="Application Security" %}} | ||
Allow cloud native application owners to enforce application security requirements | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-key" title="Privilege" %}} | ||
Least privilege principles for the Kubernetes Cluster administration capabilities which impact delivering Confidential Computing for guest application or data inside the TEE. | ||
{{% /blocks/feature %}} | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section type="row" %}} | ||
|
||
Community | ||
{.h1 .text-center} | ||
|
||
{{% blocks/feature icon="fab fa-github" title="Contributions welcome!" | ||
url="<https://github.com/confidential-containers/confidentialcontainers.org>" %}} | ||
We do a [Pull Request](https://github.com/confidential-containers/confidentialcontainers.org/pulls) | ||
contributions workflow on **GitHub**. New users are always welcome! | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fab fa-slack" title="We are on CNCF Slack!" url="<https://slack.cncf.io>" %}} | ||
Join channel #confidential-containers by getting invitation for the [CNCF slack](https://slack.cncf.io). | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-video-camera" title="Weekly Meetings" url="<https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/>" %}} | ||
Check out our previous meetings and join our future ones. | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-users" title="Community Guidelines" url="<https://github.com/confidential-containers/confidential-containers>" %}} | ||
How to contribute, style guides, governance... | ||
{{% /blocks/feature %}} | ||
|
||
{{% blocks/feature icon="fa-file" title="Code of Conduct" url="<https://github.com/cncf/foundation/blob/master/code-of-conduct.md>" %}} | ||
We follow the CNCF Code of Conduct. | ||
{{% /blocks/feature %}} | ||
|
||
{{% /blocks/section %}} |
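Review bot: the `url` parameters on the Community `blocks/feature` shortcodes wrap their values in angle brackets (`url="<https://github.com/confidential-containers/confidentialcontainers.org>"`, `url="<https://slack.cncf.io>"`, and the three that follow). If those brackets are literally in the file, Docsy passes the value straight into the card's `href`, producing `href="<https://...>"` and a dead link; the Download button's `href` earlier in the same file is written without them, so drop the brackets here as well. Separately, that Download button points at the website's own source repository, which is not something a visitor can download; either relabel it (for example "Source") or point it at the project's operator or release artifacts.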
@@ -0,0 +1,87 @@ | ||
--- | ||
title: About Confidential Containers | ||
linkTitle: About | ||
menu: | ||
main: | ||
weight: 10 | ||
--- | ||
|
||
{{% blocks/cover title="About Confidential Containers" image_anchor="bottom" height="auto" %}} | ||
|
||
<!-- Content here is adopted from: https://github.com/confidential-containers/confidential-containers --> | ||
|
||
# Welcome to confidential-containers | ||
|
||
{{% /blocks/cover %}} | ||
|
||
{{% blocks/lead %}} | ||
|
||
Confidential Containers is an open source community working to leverage [Trusted Execution Environments](https://en.wikipedia.org/wiki/Trusted_execution_environment) to protect containers and data and to deliver cloud native confidential computing. | ||
|
||
**We have a new release every 6 weeks!** | ||
See [Release Notes](./releases/) or [Quickstart Guide](./quickstart.md) | ||
|
||
{{% /blocks/lead %}} | ||
|
||
{{% blocks/section %}} | ||
|
||
## Key Considerations | ||
|
||
- Allow cloud native application owners to enforce application security requirements | ||
{.h4 .text-left} | ||
|
||
- Transparent deployment of unmodified containers | ||
{.h4 .text-left} | ||
|
||
- Support for multiple TEE and hardware platforms | ||
{.h4 .text-left} | ||
|
||
- A trust model which separates Cloud Service Providers (CSPs) from guest applications | ||
{.h4 .text-left} | ||
|
||
- Least privilege principles for the Kubernetes cluster administration capabilities which impact delivering Confidential Computing for guest applications or data inside the TEE | ||
{.h4 .text-left} | ||
|
||
{.text-center} | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section %}} | ||
|
||
## Get started quickly | ||
|
||
[Kubernetes Operator for Confidential Computing](https://github.com/confidential-containers/confidential-containers-operator) : An operator to deploy confidential containers runtime (and required configs) on a Kubernetes cluster | ||
{.h4 .text-left} | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section %}} | ||
|
||
## Further Detail | ||
|
||
[![asciicast](https://asciinema.org/a/eGHhZdQY3uYnDalFAfuB7VYqF.svg)](https://asciinema.org/a/eGHhZdQY3uYnDalFAfuB7VYqF) | ||
|
||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fconfidential-containers%2Fcommunity.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fconfidential-containers%2Fcommunity?ref=badge_shield) | ||
|
||
- [Project Overview](./overview.md) | ||
- [Project Architecture](./architecture.md) | ||
- [Our Roadmap](./roadmap.md) | ||
- [Alignment with other Projects](alignment.md) | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section %}} | ||
|
||
## Contribute | ||
|
||
[CONTRIBUTING](CONTRIBUTING.md) | ||
|
||
{{% /blocks/section %}} | ||
|
||
{{% blocks/section %}} | ||
|
||
## License | ||
|
||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fconfidential-containers%2Fcommunity.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fconfidential-containers%2Fcommunity?ref=badge_large) | ||
|
||
{{% /blocks/section %}} |
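Review bot: the links on this page were copied from the GitHub README and keep GitHub-style targets (`./quickstart.md`, `./overview.md`, `./architecture.md`, `./roadmap.md`, `alignment.md`, `CONTRIBUTING.md`); Hugo does not rewrite `.md` links, so on the rendered site they resolve to nonexistent `.md` URLs and 404. Replace them with the rendered paths (for example `/docs/quickstart/`) or with `{{< relref "..." >}}`, which makes Hugo fail the build when a target is missing instead of shipping a broken link. Three smaller copy-over issues: the FOSSA badge appears twice (under "Further Detail" as `type=shield` and under "License" as `type=large`), the `# Welcome to confidential-containers` heading inside the cover duplicates the cover title, and the stray `{.text-center}` after the Key Considerations list is separated from the list by a blank line, so it attaches to nothing and will most likely render as literal text.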
@@ -0,0 +1,11 @@ | ||
--- | ||
date: 2023-01-06 | ||
title: First ever official blog | ||
linkTitle: Announcing the website | ||
description: > | ||
First line desc | ||
second line desc | ||
author: Alpha Beta ([@nan](https://twitter.com/nan)) | ||
--- | ||
|
||
Here is the content of the first blog |
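Review bot: this is placeholder content (`First line desc` / `second line desc`, `Here is the content of the first blog`) attributed to a made-up author whose link nevertheless points at a real Twitter handle (`https://twitter.com/nan`), and there is no `draft: true`, so it will publish as the project's first official blog post. Mark it `draft: true` (or delete it before the site goes live) and drop the Twitter link until there is a real author.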
@@ -0,0 +1,10 @@ | ||
--- | ||
date: 2023-07-06 | ||
title: Second blog | ||
linkTitle: Second blog | ||
description: > | ||
Meh! | ||
author: Alpha Beta ([@nan](https://twitter.com/nan)) | ||
--- | ||
|
||
Well this is the second blog |
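Review bot: same placeholder problem as the first post (`Meh!`, `Well this is the second blog`, the `@nan` Twitter link) and again no `draft: true`. Note also `date: 2023-07-06`: Hugo skips pages dated in the future unless `buildFuture` is enabled, so depending on when the site is built this post may silently vanish from the blog listing, which defeats its purpose as a sample entry for exercising the index.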
@@ -0,0 +1,6 @@ | ||
--- | ||
title: Blog | ||
menu: | ||
main: | ||
weight: 30 | ||
--- |
@@ -0,0 +1,4 @@ | ||
--- | ||
title: Releases | ||
weight: 20 | ||
--- |
@@ -0,0 +1,74 @@ | ||
--- | ||
title: Release v0.1.0 | ||
date: 2022-09-29 | ||
description: > | ||
Release Notes Confidential Containers v0.1.0 | ||
--- | ||
|
||
This is the first full release of Confidential Containers. | ||
The goal of this release is to provide a stable, simple, and well-documented base for the Confidential Containers project. | ||
The Confidential Containers operator is the focal point of the release. | ||
The operator allows users to install Confidential Containers on an existing Kubernetes cluster. | ||
This release also provides core Confidential Containers features, such as being able to run encrypted containers on Intel-TDX and AMD-SEV. | ||
|
||
Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential Containers" | ||
|
||
## Hardware Support | ||
|
||
Confidential Containers is tested with attestation on the following platforms: | ||
|
||
- Intel TDX | ||
- AMD SEV | ||
|
||
The following platforms are untested or partially supported: | ||
|
||
- AMD SEV-ES | ||
- IBM Z SE | ||
|
||
The following platforms are in development: | ||
|
||
- Intel SGX | ||
- AMD SEV-SNP | ||
|
||
## Limitations | ||
|
||
The following are known limitations of this release: | ||
|
||
- Platform support is currently limited, and rapidly changing | ||
- S390x is not supported by the CoCo operator | ||
- AMD SEV-ES has not been tested. | ||
- AMD SEV does not support container image signature validation. | ||
- Attestation and key brokering support is still under development | ||
- The disk-based key broker client (KBC) is used when there is no HW support, but is not suitable for production (except with encrypted VM images). | ||
- Currently, there are two KBS that can be used: | ||
- simple-kbs: simple key broker service (KBS) for SEV(-ES). | ||
- [Verdictd](https://github.com/inclavare-containers/verdictd): An external project with which Attestation Agent can conduct remote attestation communication and key acquisition via EAA KBC | ||
- The full-featured generic KBS and the corresponding KBC are still in the development stage. | ||
- For developers, other KBCs can be experimented with. | ||
- AMD SEV must use a KBS even for unencrypted images. | ||
- The format of encrypted container images is still subject to change | ||
- The oci-crypt container image format itself may still change | ||
- The tools to generate images are not in their final form | ||
- The image format itself is subject to change in upcoming releases | ||
- Image repository support for encrypted images is unequal | ||
- CoCo currently requires a custom build of `containerd` | ||
- The CoCo operator will deploy the correct version of `containerd` for you | ||
- Changes are required to delegate `PullImage` to the agent in the virtual machine | ||
- The required changes are not part of the vanilla `containerd` | ||
- The final form of the required changes in `containerd` is expected to be different | ||
- `crio` is not supported | ||
- CoCo is not fully integrated with the orchestration ecosystem (Kubernetes, OpenShift) | ||
- OpenShift is a non-started at the moment due to their dependency on CRIO | ||
- Existing APIs do not fully support the CoCo security and threat model | ||
- Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host | ||
- Container image sharing is not possible in this release | ||
- Container images are downloaded by the guest (with encryption), not by the host | ||
- As a result, the same image will be downloaded separately by every pod using it, not shared between pods on the same host. | ||
- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet. | ||
- We track our status with the OpenSSF Best Practices Badge, which was at 43% at the time of this release. | ||
- The main gaps are in test coverage, both general and security tests. | ||
- Vulnerability reporting mechanisms also need to be created. Public github issues are still appropriate for this release until private reporting is established. | ||
|
||
## CVE Fixes | ||
|
||
None - This is our first release. |
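Review bot: two copy-over defects are worth fixing now that these notes are public web content: the quickstart sentence ends with a stray `"` (`...try out Confidential Containers"`), and `OpenShift is a non-started` should read `non-starter`. The `[quickstart guide](../quickstart.md)` link has the same GitHub-relative `.md` target problem as the About page and will 404 on the Hugo site. The notes themselves are a faithful copy, but the closing Limitations bullet ("Public github issues are still appropriate for this release until private reporting is established") is dated guidance that a reader may take as the current vulnerability-reporting policy; a short editor's note, or a link to the current reporting process once one exists, would avoid steering reports into public issues.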