server: allow containers within a cluster to opt out of FIPS mode #8011
Conversation
lgtm
```go
ctr.SpecAddMount(rspec.Mount{
	Destination: "/proc/sys/crypto/fips_enabled",
	Source:      fileName,
	Type:        "bind",
	Options:     []string{"noexec", "nosuid", "nodev", "ro", "bind"},
})
```
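Review bot: the option set on this mount looks right for what it is doing, and "ro" is the one that matters: together with "bind" it overlays the runtime-written file on /proc/sys/crypto/fips_enabled while preventing a process in the container from rewriting it, and "noexec", "nosuid", "nodev" are harmless on a single file. Two things to confirm in the surrounding code, which this excerpt does not show: that fileName is created with the expected content before the mount is added, and that the mount is skipped for runtime handlers that cannot bind over /proc entries, since the commit message on this PR states that the mount fails under Kata Containers.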
Not sure if I understood this. Do we need to include/exclude anything from options?
…n necessary
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
…E is set
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
Kata Containers doesn't support disabling the crypto.fips_enabled kernel parameter. Attempting to mount /proc/sys/crypto/fips_enabled within Kata Containers results in an error because the /proc directory does not allow such operations.
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
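The mount quoted in the review comment above and the Kata Containers constraint in this commit message describe the whole mechanism: the runtime writes a file containing `0`, bind-mounts it read-only over the container's `/proc/sys/crypto/fips_enabled`, and must skip the mount for a runtime that cannot overlay `/proc`. The following is an added example, not code from this PR or from CRI-O; it defines a local `Mount` struct with the same fields as the runtime-spec `rspec.Mount` so it builds with the standard library alone, and the handler name `kata` and the `FIPSOptOutMount` / `MountIsReadOnlyBind` function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount mirrors the fields of the OCI runtime-spec Mount type (rspec.Mount)
// used in the PR; defined locally here (assumption) so the example needs no
// external module.
type Mount struct {
	Destination string
	Type        string
	Source      string
	Options     []string
}

const fipsEnabledPath = "/proc/sys/crypto/fips_enabled"

// runtimesWithoutProcOverride lists runtime handlers that, per the commit
// message on this PR, cannot bind-mount over /proc entries. The handler
// name "kata" is a placeholder assumption, not CRI-O's configuration key.
var runtimesWithoutProcOverride = map[string]bool{"kata": true}

// ErrUnsupportedRuntime is returned when the opt-out cannot be honoured.
var ErrUnsupportedRuntime = errors.New("runtime cannot override /proc/sys/crypto/fips_enabled")

// FIPSOptOutMount writes a file containing "0\n" into stateDir and returns a
// read-only bind mount that overlays it on the container's
// /proc/sys/crypto/fips_enabled, so libraries inside the container read FIPS
// mode as disabled even though the host kernel runs with fips=1.
func FIPSOptOutMount(stateDir, runtimeHandler string) (*Mount, error) {
	if runtimesWithoutProcOverride[runtimeHandler] {
		return nil, ErrUnsupportedRuntime
	}
	fileName := filepath.Join(stateDir, "fips_enabled")
	// 0600 on the host: only the runtime reads it directly; the container
	// sees it through the read-only bind below.
	if err := os.WriteFile(fileName, []byte("0\n"), 0o600); err != nil {
		return nil, fmt.Errorf("writing fips override: %w", err)
	}
	return &Mount{
		Destination: fipsEnabledPath,
		Type:        "bind",
		Source:      fileName,
		Options:     []string{"noexec", "nosuid", "nodev", "ro", "bind"},
	}, nil
}

// MountIsReadOnlyBind is the check a reviewer wants on the option list: the
// override must be a bind mount and must be read-only, otherwise a process in
// the container could rewrite the file the runtime placed there.
func MountIsReadOnlyBind(m *Mount) bool {
	if m == nil || m.Type != "bind" || m.Destination != fipsEnabledPath {
		return false
	}
	var ro, bind bool
	for _, o := range m.Options {
		switch o {
		case "ro":
			ro = true
		case "bind", "rbind":
			bind = true
		case "rw":
			return false
		}
	}
	return ro && bind
}

func main() {
	dir, err := os.MkdirTemp("", "fips-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	m, err := FIPSOptOutMount(dir, "runc")
	if err != nil {
		panic(err)
	}
	content, _ := os.ReadFile(m.Source)
	fmt.Printf("mount %s -> %s (%s) read-only bind: %v, content %q\n",
		m.Source, m.Destination, strings.Join(m.Options, ","), MountIsReadOnlyBind(m), content)

	// The Kata case: the mount is skipped rather than attempted and failed.
	if _, err := FIPSOptOutMount(dir, "kata"); errors.Is(err, ErrUnsupportedRuntime) {
		fmt.Println("kata: opt-out mount skipped:", err)
	}
}
```

The file is written on the host before the mount spec is built, and the "ro" plus "bind" options are what keep the override tamper-proof from inside the container; a real runtime would also apply the mount only when the cluster and the pod have actually requested the opt-out.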
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kolyshkin, kwilczynski, sohankunkerkar The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest
With this change, we can disable FIPS mode in containers for a cluster that is FIPS-enabled.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Special notes for your reviewer:
This isn't fully tested; I'm relying on our CI, which can build runc with Go 1.21.
Does this PR introduce a user-facing change?