This repository contains a Kubernetes operator for managing Trusted Execution Clusters. The operator introduces a
TrustedExecutionCluster Custom Resource Definition (CRD) which allows users to declaratively manage the configuration
of a trusted execution cluster and of the Trustee server, the core component that handles the attestation process.
The operator watches for TrustedExecutionCluster resources and ensures that the necessary configurations for the Trustee
(such as KBS configuration, attestation policies, and resource policies) are correctly set up and maintained
within the cluster.
- `/api`: Defines the `TrustedExecutionCluster` Custom Resource Definition (CRD) and associated CRDs and RBAC definitions in Go. Also contains a program to generate a `TrustedExecutionCluster` CR and associated deployment.
- `/operator`: Contains the source code for the Kubernetes operator itself.
- `/register-server`: A server that provides Clevis PINs for key retrieval with random UUIDs.
- `/compute-pcrs`: A program to compute PCR reference values using the compute-pcrs library and insert them into a ConfigMap, run as a Job.
- `/lib`: Shared Rust definitions, including translated CRDs.
- `/scripts`: Helper scripts for managing a local `kind` development cluster.
- `/config`: The default output directory for generated manifests. This directory is not checked into source control.
- Rust toolchain
- `podman` or `docker` (set the `CONTAINER_CLI` and `RUNTIME` environment variables accordingly)
- `kubectl`
- `kind`
Create the cluster and deploy the operator.
Provide an address at which the VM you will attest from can reach the cluster.
When using a local kind cluster and a libvirt VM, this is typically your default gateway address (`default via …` in `ip route`) for a user-session libvirt VM, or the host's address on the bridge (`virbr0` in `ip route`) for a system libvirt VM.
```
$ ip route
...
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
...
$ ip=192.168.122.1
```

To use Docker:

```
export CONTAINER_CLI=docker
export RUNTIME=docker
```

To use Podman (these exports can be omitted as Podman is the default):

```
export CONTAINER_CLI=podman
export RUNTIME=podman
```

Then run the following commands:

```
make cluster-up
make REGISTRY=localhost:5000 PUSH_FLAGS="--tls-verify=false" push # optional: use BUILD_TYPE=debug
make REGISTRY=localhost:5000 manifests
make TRUSTEE_ADDR=$ip install
```

The KBS port will be forwarded to 8080 on your machine; the node register server to 8000, where new Ignition configs are served at `/register`.
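The address step above depends on whether the attesting VM reaches the cluster through the host's default gateway (user-session libvirt) or through the host's own address on the `virbr0` bridge (system libvirt). As an added example, not code from this repository, the shell function below extracts the right address from `ip route` output for either case and fails loudly instead of returning an empty string, so that `TRUSTEE_ADDR` is never set to nothing by accident. The sample route table is constructed for the example; `trustee_addr`, `SAMPLE_ROUTES` and the `user`/`system` mode names are chosen here and are not part of the project.

```shell
#!/usr/bin/env sh
# Added example (not part of the operator repository): pick TRUSTEE_ADDR from `ip route` output.

# Constructed sample of `ip route` output from a host with a default route and a libvirt bridge.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.42 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1'

# trustee_addr MODE [ROUTES]
#   MODE   "user"   -> user-session libvirt: the VM reaches the host via NAT, use the default gateway
#          "system" -> system libvirt: use the host's address (the `src` field) on the virbr0 bridge
#   ROUTES `ip route` output to parse; defaults to running `ip route` on this host.
# Prints the address on stdout; returns 1 if no matching route exists, 2 on bad usage.
trustee_addr() {
  mode=$1
  routes=${2:-$(ip route)}
  case "$mode" in
    user)
      # First default route: "default via <gateway> dev <iface> ..."
      addr=$(printf '%s\n' "$routes" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
      ;;
    system)
      # Route on the virbr0 bridge: take the value following the "src" keyword.
      addr=$(printf '%s\n' "$routes" | awk '/ dev virbr0 / { for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }')
      ;;
    *)
      echo "usage: trustee_addr user|system [routes]" >&2
      return 2
      ;;
  esac
  # Never hand back an empty address: an empty TRUSTEE_ADDR would point the VM at nothing.
  if [ -z "$addr" ]; then
    echo "trustee_addr: no address found for mode '$mode'" >&2
    return 1
  fi
  printf '%s\n' "$addr"
}

# Usage against the constructed sample (pass no second argument to read the live route table):
#   ip=$(trustee_addr system "$SAMPLE_ROUTES")   # 192.168.122.1
#   ip=$(trustee_addr user "$SAMPLE_ROUTES")     # 10.0.0.1
```

Run it as `ip=$(trustee_addr system)` (or `user`) before `make TRUSTEE_ADDR=$ip install`; because the function exits non-zero when the expected route is absent, a host without a `virbr0` bridge aborts the step instead of installing with a blank address.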
Run a VM as described in the investigations repository.
To clean up your environment after running tests, execute the following commands:

```
make cluster-cleanup
# Note: You must use the same RUNTIME environment variable for `cluster-down`
# that you used for `cluster-up`. For example:
#
# RUNTIME=docker make cluster-down
RUNTIME=$RUNTIME make cluster-down
make clean
```

See LICENSES.