You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
genpolicy should be able to generate policies that guarantee order and actual execution of all containers.
Additional Information
My use case is to run a pod consisting of one init container, one regular container and one sidecar. The init container sets up the environment such that traffic from the regular container is redirected to the sidecar, which encrypts the traffic before proceeding.
Kubernetes guarantees that the init container finishes successfully before the main containers start, so I can assume that the environment is set up safely for my main container.
In Confidential Containers, we now have an untrusted Kubernetes control plane that could decide not to issue the CRI requests to start the init containers. As far as I understand, this is allowed by the current policy enforcer, because it only checks individual API requests and does not keep state of the call history.
Thanks for the feedback @burgerdev ! The current behavior is intentional - e.g., because the AKS customers we talked with wanted the ability to restart containers after they crash, etc.
If there is enough demand for the ordered start, we could look at supporting that too.
Which feature do you think can be improved?
The
genpolicy
tool for confidential containers.How can it be improved?
genpolicy
should be able to generate policies that guarantee order and actual execution of all containers.Additional Information
My use case is to run a pod consisting of one init container, one regular container and one sidecar. The init container sets up the environment such that traffic from the regular container is redirected to the sidecar, which encrypts the traffic before proceeding.
Kubernetes guarantees that the init container finishes successfully before the main containers start, so I can assume that the environment is set up safely for my main container.
In Confidential Containers, we now have an untrusted Kubernetes control plane that could decide not to issue the CRI requests to start the init containers. As far as I understand, this is allowed by the current policy enforcer, because it only checks individual API requests and does not keep state of the call history.
Before raising this enhancement request
Have you looked at the limitations document?
Yes, no luck.
Kata Containers survey
Please consider taking the survey to help us help you: https://openinfrafoundation.formstack.com/forms/kata_containers_user_survey
Already participated
The text was updated successfully, but these errors were encountered: