Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation-service: implement *_policy() methods for EAR token broker #626

Merged
merged 1 commit into from
Dec 16, 2024
Merged

attestation-service: implement *_policy() methods for EAR token broker #626

merged 1 commit into from
Dec 16, 2024

Conversation

mythi
Copy link
Contributor

@mythi mythi commented Dec 13, 2024

without the changes, kbs-client "set-attestation-policy" gets "not supported" errors.

the changes are taken from 'simple' token broker. Both token brokers have a policy_engine instance created.

@mythi
attestation-service: implement *_policy() methods for EAR token broker
4d0497a 
without the changes, kbs-client "set-attestation-policy" gets
"not supported" errors.

the changes are taken from 'simple' token broker. Both token
brokers have a policy_engine instance created.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
@mythi mythi requested a review from a team as a code owner December 13, 2024 09:25
mkulke
mkulke reviewed Dec 13, 2024
View reviewed changes
Copy link
Contributor

@mkulke mkulke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this is setting the policy in memory for the process? so, the policy would be volatile and also potentially split-brained for multiple replicas?

it might make sense to do implement for consistency's sake. but IMO we should really re/consider how we want to handle state in KBS/AS and not expose stateful methods unless we know how we want to address with it.

If it's required for tests in the mean time, I could imagine that the policy storage is backed by a k8s configmap, a docker-compose mount or something.

@mythi
Copy link
Contributor Author

mythi commented Dec 13, 2024

OPA policy engine seems to writes these to the disk and at least the docker-compose backed mount stores it persistently (on the AS side, not KBS).

it might make sense to do implement for consistency's sake. but IMO we should really re/consider how we want to handle state in KBS/AS and not expose stateful methods unless we know how we want to address with it.

yeah makes sense. right now this is just to be able to experiment with EAR policies uploaded using kbs-client config set-attestation-policy the same way as with simple broker.

fitzthum
fitzthum approved these changes Dec 13, 2024
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

We can discuss how to handle the policy state, but for now let's just keep this the same as the simple token.

@fitzthum fitzthum merged commit 0722e4c into confidential-containers:main Dec 16, 2024
25 checks passed
@fitzthum
Copy link
Member

maybe we should make an issue for tracking the statefulness stuff

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkulke mkulke mkulke left review comments

@Xynnn007 Xynnn007 Xynnn007 approved these changes

@fitzthum fitzthum fitzthum approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mythi @fitzthum @mkulke @Xynnn007