-
Notifications
You must be signed in to change notification settings - Fork 349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(core): add support for kata and confidential containers #1888
base: main
Are you sure you want to change the base?
feat(core): add support for kata and confidential containers #1888
Conversation
Signed-off-by: rootxrishabh <risrock02@gmail.com>
Enforcement confirmed on CoCo + Kubearmor VM setup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More pending work
- Use custom directory for backup of policies
- Refactor and streamline endpoint creation for unorchestrated workloads.
KubeArmor/core/hookHandler.go
Outdated
// endpoint := types.EndPoint{} | ||
|
||
// dm.ContainersLock.Lock() | ||
// defer dm.ContainersLock.Unlock() | ||
// if _, ok := dm.Containers[container.ContainerID]; !ok { | ||
// dm.Containers[container.ContainerID] = container | ||
// } else if dm.Containers[container.ContainerID].PidNS == 0 && dm.Containers[container.ContainerID].MntNS == 0 { | ||
// c := dm.Containers[container.ContainerID] | ||
// c.MntNS = container.MntNS | ||
// c.PidNS = container.PidNS | ||
// c.AppArmorProfile = container.AppArmorProfile | ||
// dm.Containers[c.ContainerID] = c | ||
// dm.EndPointsLock.Lock() | ||
// for idx, endPoint := range dm.EndPoints { | ||
// if endPoint.NamespaceName == container.NamespaceName && endPoint.EndPointName == container.EndPointName && kl.ContainsElement(endPoint.Containers, container.ContainerID) { | ||
|
||
// // update apparmor profiles | ||
// if !kl.ContainsElement(endPoint.AppArmorProfiles, container.AppArmorProfile) { | ||
// dm.EndPoints[idx].AppArmorProfiles = append(dm.EndPoints[idx].AppArmorProfiles, container.AppArmorProfile) | ||
// } | ||
|
||
// if container.Privileged && dm.EndPoints[idx].PrivilegedContainers != nil { | ||
// dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{} | ||
// } | ||
|
||
// endpoint = dm.EndPoints[idx] | ||
|
||
// break |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's avoid redundant code
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
|
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
@daemon1024 @DelusionalOptimist, need your thoughts on custom restore path -
|
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
Purpose of PR?:
This PR introduces support for kata and confidential containers.
Fixes #1340
Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered::
Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs
Checklist:
<type>(<scope>): <subject>