feat: add kata-containers extension

Kata Containers provides an OCI runtime that focuses on protecting the host from malicious workloads, taking advantage of KVM to provide an extra isolation layer. Kata Containers is also the foundation piece for Confidential Containers, as it's the most suitable OCI runtime to be used with Trusted Execution Environments. Having Kata Containers here, even restricting it to be used with only one of its drivers (for now), opens the path for future collaboration, and providing Talos a reasonable path to become a Kubernetes distro that's TEE capable. For now we're sticking to using Cloud Hypervisor as the preferred driver for Kata Containers, which probably could change in the future, but we don't want to start with a situation where we'll increase the image size by a whole lot, thus taking the smallest footprint that can be achieved based on Kata Containers stable releases. Kata Containers: https://katacontainers.io/ Cloud Hypervisor: https://www.cloudhypervisor.org/ Confidential Containers: https://github.com/confidential-containers Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Dec 13, 2023 · 36f397c · 36f397c
1 parent 622ec82
commit 36f397c
Show file tree

Hide file tree

Showing 12 changed files with 603 additions and 8 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-22T14:00:12Z by kres latest.
+# Generated on 2023-12-12T17:23:13Z by kres latest.
 
 name: default
 concurrency:
@@ -33,7 +33,7 @@ jobs:
  labels: ${{ steps.retrieve-pr-labels.outputs.result }}
  services:
  buildkitd:
- image: moby/buildkit:v0.12.3
+ image: moby/buildkit:v0.12.4
  options: --privileged
  ports:
  - 1234:1234
@@ -77,11 +77,12 @@ jobs:
  make nonfree PUSH=true
  - name: Retrieve PR labels
  id: retrieve-pr-labels
- if: github.event_name == 'pull_request' && always()
  uses: actions/github-script@v6
  with:
  retries: "3"
  script: |
+ if (context.eventName != "pull_request") { return "[]" }
+
  const resp = await github.rest.issues.get({
  issue_number: context.issue.number,
  owner: context.repo.owner,
@@ -114,7 +115,7 @@ jobs:
  - default
  services:
  buildkitd:
- image: moby/buildkit:v0.12.3
+ image: moby/buildkit:v0.12.4
  options: --privileged
  ports:
  - 1234:1234

diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-13T17:09:48Z by kres latest.
+# Generated on 2023-12-12T17:23:13Z by kres latest.
 
 name: weekly
 concurrency:
@@ -16,7 +16,7 @@ jobs:
  - pkgs
  services:
  buildkitd:
- image: moby/buildkit:v0.12.3
+ image: moby/buildkit:v0.12.4
  options: --privileged
  ports:
  - 1234:1234

diff --git a/.kres.yaml b/.kres.yaml
@@ -19,6 +19,7 @@ spec:
  - intel-ice-firmware
  - intel-ucode
  - iscsi-tools
+ - kata-containers
  - mdadm
  - nut-client
  - nvidia-container-toolkit

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-12-07T13:02:30Z by kres latest.
+# Generated on 2023-12-12T17:43:32Z by kres latest.
 
 # common variables
 
@@ -66,6 +66,7 @@ TARGETS += i915-ucode
 TARGETS += intel-ice-firmware
 TARGETS += intel-ucode
 TARGETS += iscsi-tools
+TARGETS += kata-containers
 TARGETS += mdadm
 TARGETS += nut-client
 TARGETS += nvidia-container-toolkit
@@ -203,4 +204,3 @@ release-notes:
 conformance:
  @docker pull $(CONFORMANCE_IMAGE)
  @docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce
-
diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version`-`talos version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version`-`talos version` |
 | [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
+| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` |
 
 ### Firmware
 

diff --git a/container-runtime/kata-containers/README.md b/container-runtime/kata-containers/README.md
@@ -0,0 +1,41 @@
+# kata-containers extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+## Testing
+
+Apply the following manifest to run nginx pod using Kata Containers:
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+ name: kata
+handler: kata
+overhead:
+ podFixed:
+ memory: "130Mi"
+ cpu: "250m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-kata
+spec:
+ runtimeClassName: kata
+ containers:
+ - name: nginx
+ image: nginx
+```
+
+The pod should be up and running:
+
+```bash
+$ kubectl get pods
+NAME READY STATUS RESTARTS AGE
+nginx-kata 1/1 Running 0 40s
+```