feat: add kata-containers extension

Kata Containers provides an OCI runtime that focuses on protecting the host from malicious workloads, taking advantage of KVM to provide an extra isolation layer. Kata Containers is also the foundation piece for Confidential Containers, as it's the most suitable OCI runtime to be used with Trusted Execution Environments. Having Kata Containers here, even restricting it to be used with only one of its drivers (for now), opens the path for future collaboration, and providing Talos a reasonable path to become a Kubernetes distro that's TEE capable. For now we're sticking to using Cloud Hypervisor as the preferred driver for Kata Containers, which probably could change in the future, but we don't want to start with a situation where we'll increase the image size by a whole lot, thus taking the smallest footprint that can be achieved based on Kata Containers stable releases. Kata Containers: https://katacontainers.io/ Cloud Hypervisor: https://www.cloudhypervisor.org/ Confidential Containers: https://github.com/confidential-containers Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
siderolabs · Dec 7, 2023 · a3158f1 · a3158f1
1 parent 8378499
commit a3158f1
Show file tree

Hide file tree

Showing 9 changed files with 573 additions and 0 deletions.
diff --git a/.kres.yaml b/.kres.yaml
@@ -19,6 +19,7 @@ spec:
     - intel-ice-firmware
     - intel-ucode
     - iscsi-tools
+    - kata-containers
     - mdadm
     - nut-client
     - nvidia-container-toolkit

diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version`-`talos version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version`-`talos version` |
 | [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
+| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` |
 
 ### Firmware
 

diff --git a/container-runtime/kata-containers/README.md b/container-runtime/kata-containers/README.md
@@ -0,0 +1,41 @@
+# kata-containers extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+## Testing
+
+Apply the following manifest to run nginx pod using Kata Containers:
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: kata
+handler: kata
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-kata
+spec:
+  runtimeClassName: kata
+  containers:
+  - name: nginx
+    image: nginx
+```
+
+The pod should be up and running:
+
+```bash
+$ kubectl get pods
+NAME           READY   STATUS    RESTARTS   AGE
+nginx-kata     1/1     Running   0          40s
+```