
genpolicy: does not guarantee order of containers #9196

Open
burgerdev opened this issue Feb 29, 2024 · 2 comments
Labels: enhancement (Improvement to an existing feature), needs-review (Needs to be assessed by the team.)

Comments

@burgerdev (Contributor)

Which feature do you think can be improved?

The genpolicy tool for confidential containers.

How can it be improved?

genpolicy should be able to generate policies that guarantee order and actual execution of all containers.

Additional Information

My use case is to run a pod consisting of one init container, one regular container and one sidecar. The init container sets up the environment such that traffic from the regular container is redirected to the sidecar, which encrypts the traffic before proceeding.
Kubernetes guarantees that the init container finishes successfully before the main containers start, so I can assume that the environment is set up safely for my main container.

In Confidential Containers, we now have an untrusted Kubernetes control plane that could decide not to issue the CRI requests to start the init containers. As far as I understand, this is allowed by the current policy enforcer, because it only checks individual API requests and does not keep state of the call history.

Before raising this enhancement request

Have you looked at the limitations document?

Yes, no luck.

Kata Containers survey

Please consider taking the survey to help us help you: https://openinfrafoundation.formstack.com/forms/kata_containers_user_survey

Already participated

@burgerdev burgerdev added enhancement Improvement to an existing feature needs-review Needs to be assessed by the team. labels Feb 29, 2024
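The gap described in the issue body, modelled as an added example (not genpolicy's policy format and not the Kata agent's enforcer): a per-request check versus a check that keeps call history. The op names and the container names init/main/sidecar are constructed for the illustration.

```python
# Added example: a stateless per-request check cannot notice that the init
# container was skipped; a stateful check can, by tracking what has run so far.
from dataclasses import dataclass, field

INIT, MAIN, SIDECAR = "init", "main", "sidecar"      # constructed container names
ALLOWED = {INIT, MAIN, SIDECAR}
NEEDS_INIT_DONE = {MAIN, SIDECAR}                    # must not start before init exits 0
OPS = {"StartContainer", "Exited"}                   # constructed op labels, not real API names


def stateless_allow(req: dict) -> bool:
    """Judges each request on its own, with no memory of earlier requests."""
    return req["op"] in OPS and req["container"] in ALLOWED


@dataclass
class StatefulEnforcer:
    """Remembers which containers started and which exited successfully."""
    started: set = field(default_factory=set)
    exited_ok: set = field(default_factory=set)

    def allow(self, req: dict) -> bool:
        op, name = req["op"], req["container"]
        if name not in ALLOWED:
            return False
        if op == "StartContainer":
            # main/sidecar may only start once init has finished with exit code 0
            if name in NEEDS_INIT_DONE and INIT not in self.exited_ok:
                return False
            self.started.add(name)
            return True
        if op == "Exited":
            if name not in self.started:
                return False
            if req.get("exit_code") == 0:
                self.exited_ok.add(name)
            return True
        return False


def check_stateless(events: list) -> list:
    return [stateless_allow(e) for e in events]


def check_stateful(events: list) -> list:
    enforcer = StatefulEnforcer()
    return [enforcer.allow(e) for e in events]


# Constructed request sequences: one skips the init container, one is in order.
SKIP_INIT = [{"op": "StartContainer", "container": MAIN},
             {"op": "StartContainer", "container": SIDECAR}]
ORDERED = [{"op": "StartContainer", "container": INIT},
           {"op": "Exited", "container": INIT, "exit_code": 0},
           {"op": "StartContainer", "container": MAIN},
           {"op": "StartContainer", "container": SIDECAR}]
```

The stateless check accepts both sequences; only the stateful one rejects the sequence that starts the main container without the init container having run.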
@danmihai1 (Contributor)

Thanks for the feedback @burgerdev! The current behavior is intentional - e.g., because the AKS customers we talked with wanted the ability to restart containers after they crash, etc.

If there is enough demand for the ordered start, we could look at supporting that too.

@burgerdev (Contributor, Author)

Thanks for the prompt reply, @danmihai1!

I wonder whether the Immutable Pods idea from #1834 is actually very similar to what we'd need to build for this feature here.
