feat: add kata-containers extension

Kata Containers provides an OCI runtime that focuses on protecting the
host from malicious workloads, taking advantage of KVM to provide an
extra isolation layer.

Kata Containers is also the foundation piece for Confidential
Containers, as it's the most suitable OCI runtime to be used with
Trusted Execution Environments.

Having Kata Containers here, even restricting it to be used with only
one of its drivers (for now), opens the path for future collaboration,
and providing Talos a reasonable path to become a Kubernetes distro
that's TEE capable.

For now we're sticking to using Cloud Hypervisor as the preferred driver
for Kata Containers, which probably could change in the future, but we
don't want to start with a situation where we'll increase the image size
by a whole lot, thus taking the smallest footprint that can be achieved
based on Kata Containers stable releases.

Kata Containers: https://katacontainers.io/
Cloud Hypervisor: https://www.cloudhypervisor.org/
Confidential Containers: https://github.com/confidential-containers

Depends on: siderolabs/talos#8287

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>

.kres.yaml

@@ -19,6 +19,7 @@ spec:
     - intel-ice-firmware
     - intel-ucode
     - iscsi-tools
+    - kata-containers
     - mdadm
     - nut-client
     - nvidia-container-toolkit

Makefile

@@ -66,6 +66,7 @@ TARGETS += i915-ucode
 TARGETS += intel-ice-firmware
 TARGETS += intel-ucode
 TARGETS += iscsi-tools
+TARGETS += kata-containers
 TARGETS += mdadm
 TARGETS += nut-client
 TARGETS += nvidia-container-toolkit

README.md

@@ -46,6 +46,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/)          | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter)           | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime                                           | `upstream version` |
 | [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 | [wasmedge](container-runtime/wasmedge)                               | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge)                               | [WasmEdge](https://github.com/containerd/runwasi) container runtime                                                                | `upstream_version` |
+| [kata-containers](container-runtime/kata-containers)                 | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers)                 | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime                                            | `upstream version` |
 
 ### Firmware
 

container-runtime/kata-containers/README.md

@@ -0,0 +1,41 @@
+# kata-containers extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+## Testing
+
+Apply the following manifest to run nginx pod using Kata Containers:
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: kata
+handler: kata
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-kata
+spec:
+  runtimeClassName: kata
+  containers:
+  - name: nginx
+    image: nginx
+```
+
+The pod should be up and running:
+
+```bash
+$ kubectl get pods
+NAME           READY   STATUS    RESTARTS   AGE
+nginx-kata     1/1     Running   0          40s
+```