KBS: Enable deployment for s390x #436

Merged
31 changes: 30 additions & 1 deletion kbs/config/kubernetes/README.md
Expand Up @@ -9,7 +9,7 @@ We will see how to deploy KBS (with builtin Attestation Service) on a Kubernetes
Create a secret that you want to be served using this instance of KBS:

```bash
echo "This is my super secert" > overlays/key.bin
echo "This is my super secret" > overlays/$(uname -m)/key.bin
```

If you have more than one secret, copy them over to the `config/kubernetes/overlays` directory and add those to the `overlays/kustomization.yaml` file after as shown below:
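Review bot: the unchanged sentence right after the fixed `echo` line still sends multi-secret users to `config/kubernetes/overlays` and `overlays/kustomization.yaml`, but this patch moves `key.bin` and its `secretGenerator` into a per-architecture directory (`overlays/s390x/kustomization.yaml` in this PR), so both paths are now stale; change them to `overlays/$(uname -m)/` and `overlays/$(uname -m)/kustomization.yaml` to match the line just corrected.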
Expand Down Expand Up @@ -91,6 +91,29 @@ Deploy KBS by running the following command:
./deploy-kbs.sh
```

For IBM Secure Execution (s390x), an environment variable `IBM_SE_CREDS_DIR` should be exported as follows:

```
$ export IBM_SE_CREDS_DIR=/path/to/your/directory
$ tree $IBM_SE_CREDS_DIR
/path/to/your/directory
├── certs
│   ├── DigiCertCA.crt
│   └── ibm-z-host-key-signing-gen2.crt
├── crls
│   └── ibm-z-host-key-gen2.crl
├── hdr
│   └── hdr.bin
├── hkds
│   └── HKD-3931-0275D38.crt
└── rsa
├── encrypt_key.pem
└── encrypt_key.pub
5 directories, 7 files
```

Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se) for details.

## Check deployment

Run the following command to check if the KBS is deployed successfully:
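Review bot: the new IBM Secure Execution paragraph says `IBM_SE_CREDS_DIR` "should be exported", but `deploy-kbs.sh` in this same patch exits with `IBM_SE_CREDS_DIR is empty` when it is unset on s390x, so the README should call it required. It should also say that the directory is consumed as a node-local PersistentVolume pinned to a single node, so the tree shown (which includes the private key `rsa/encrypt_key.pem`) has to exist on that node with suitable permissions, not merely on the machine running the script. Minor: this fence lacks the `bash` tag the earlier block uses.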
Expand All @@ -114,3 +137,9 @@ $ kubectl -n coco-tenant get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kbs ClusterIP 10.0.210.190 <none> 8080/TCP 4s
```

## Delete KBS

```
$ kubectl delete -k ${DEPLOYMENT_DIR}/$(uname -m)
```
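Review bot: the Delete section's `kubectl delete -k ${DEPLOYMENT_DIR}/$(uname -m)` uses a variable the README never defines (it is a `deploy-kbs.sh` default, `overlays`), and on s390x it will not remove the PersistentVolume, because `deploy-kbs.sh` creates that from `pv.yaml` with `kubectl apply -f -` outside the kustomization; either document `DEPLOYMENT_DIR` and add a matching `kubectl delete -f` for the PV, or point users at a teardown script. Minor: add the `bash` tag to the fence.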
20 changes: 20 additions & 0 deletions kbs/config/kubernetes/base/deployment.yaml
Expand Up @@ -12,6 +12,19 @@ spec:
labels:
app: kbs
spec:
initContainers:
- command:
- sh
- -c
- cp -r /config/$(dirname $(readlink /config/policy.rego))/* /opa/confidential-containers/kbs/
Member:

This doesn't support updates at runtime or provisioning resources, right? Maybe this is fine in the short term.

Member Author:

No, it is just used for copying any data from a read-only mounting point to a writable one before creating a container. I agree with your opinion. Thanks!

image: busybox
imagePullPolicy: Always
name: copy-config
volumeMounts:
- mountPath: /config
name: config-volume
- mountPath: /opa/confidential-containers/kbs
name: policy-volume
containers:
- name: kbs
image: kbs-container-image
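Review bot: the new `copy-config` initContainer pulls `busybox` with no tag or digest and `imagePullPolicy: Always`, so the component that seeds the KBS resource policy changes to whatever the registry serves at each pod start; pin it (`busybox:<tag>@sha256:<digest>`) so the policy bootstrap is reproducible. The `cp -r /config/$(dirname $(readlink /config/policy.rego))/*` command also depends on the ConfigMap volume's symlink layout; if the ConfigMap only ever holds `policy.rego`, `cp -L /config/policy.rego /opa/confidential-containers/kbs/` does the same without that dependency. As the comment thread above notes, this copy happens once per pod start, so a ConfigMap change is only picked up on restart; a comment in the manifest saying so would help operators.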
Expand All @@ -27,10 +40,17 @@ spec:
mountPath: /kbs/
- name: kbs-config
mountPath: /etc/kbs/
- name: policy-volume
mountPath: /opa/confidential-containers/kbs/
volumes:
- name: kbs-auth-public-key
secret:
secretName: kbs-auth-public-key
- name: kbs-config
configMap:
name: kbs-config
- name: policy-volume
emptyDir: {}
- name: config-volume
configMap:
name: policy-config
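Review bot: the volume carrying the `policy-config` ConfigMap is named `config-volume`, which reads like it holds the KBS configuration that actually lives in `kbs-config` just above it; renaming it `policy-config-volume` would make the two mounts in the initContainer unambiguous. Also worth a comment next to `policy-volume` / `emptyDir: {}`: any policy the running KBS writes there is lost on pod restart and replaced by the ConfigMap copy, which is acceptable for this deployment but surprising to an operator who set a policy at runtime.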
3 changes: 3 additions & 0 deletions kbs/config/kubernetes/base/kustomization.yaml
Expand Up @@ -17,6 +17,9 @@ configMapGenerator:
- files:
- kbs-config.toml
name: kbs-config
- files:
- policy.rego
name: policy-config

# KBS auth public key.
secretGenerator:
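Review bot: the new `policy-config` entry has no comment, unlike the `# KBS auth public key.` line below it; since this ConfigMap is the resource policy that gates secret release, add a line in the same style stating that it is the initial policy and that the Deployment copies it into a writable volume at pod start, so edits take effect only after a redeploy and pod restart.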
40 changes: 40 additions & 0 deletions kbs/config/kubernetes/base/policy.rego
@@ -0,0 +1,40 @@
# Resource Policy
# ---------------
#
# The resource policy of KBS is to make a strategic decision on
# whether the requester has access to resources based on the
# input Attestation Claims (including tee-pubkey, tcb-status, and other information)
# and KBS Resource Path.
#
# The format of the resource path data is:
# ```
# {
# "resource-path": <PATH>
# }
# ```
#
# The <PATH> variable is a KBS resource path,
# which is required to be a string in three segment path format:<TOP>/<MIDDLE>/<TAIL>,
# for example: "my'repo/License/key".
#
# The format of Attestation Claims Input is defined by the attestation service,
# and its format may look like the following:
# ```
# {
# "tee-pubkey": "",
# "tcb-status": {
# "productId": “”,
# "svn": “”,
# ……
# }
# ……
# }
# ```

package policy

default allow = false

allow {
input["tee"] != "sample"
}
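Review bot: `allow { input["tee"] != "sample" }` grants every resource to every attested TEE other than the sample one, while the header comment describes a decision based on `tcb-status` claims and the resource path; neither is consulted, so the shipped default is effectively allow-all for real hardware. That may be intended as a starting point, but then the comment (or the README) should say so and direct tenants to tighten the rule on `input["resource-path"]` and the TCB claims before releasing real secrets. Minor: the example path `"my'repo/License/key"` has a stray apostrophe, and the claim-format sample uses curly quotes `“”` where straight `""` are meant.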
21 changes: 18 additions & 3 deletions kbs/config/kubernetes/deploy-kbs.sh
Expand Up @@ -6,11 +6,12 @@ set -euo pipefail
DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}"

k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})"
ARCH=$(uname -m)

# Fail the script if the key.bin file does not exist.
key_file="${k8s_cnf_dir}/overlays/key.bin"
key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin"
[[ -f "${key_file}" ]] || {
echo "key.bin file does not exist"
echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/"
exit 1
}

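Review bot: `ARCH=$(uname -m)` reflects the machine running the script, not the cluster's nodes, so deploying to an s390x cluster from an x86_64 workstation (or the reverse) selects the wrong overlay and looks for `key.bin` in the wrong directory; take it from the environment with a fallback, `ARCH="${ARCH:-$(uname -m)}"`, or derive it from the node (`kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.architecture}'`, noting that this yields `amd64` rather than `x86_64`).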
Expand All @@ -21,4 +22,18 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
}

kubectl apply -k "./${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
if [ "${ARCH}" == "s390x" ]; then
if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f -
else
echo "IBM_SE_CREDS_DIR is empty" >&2
exit 1
fi
fi

if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then
kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}"
else
kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
fi
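Review bot: `NODE_NAME` is taken from `.items[0]` of `kubectl get nodes`, i.e. whichever node happens to list first, and the PersistentVolume is then pinned to it, so on a multi-node cluster the KBS pod can only schedule on that node and `IBM_SE_CREDS_DIR` must exist there; make the node an explicit input (`NODE_NAME="${NODE_NAME:-$(kubectl get nodes ...)}"`) and print which node was chosen. Also `export NODE_NAME=$(...)` hides the `kubectl` exit status from `set -e` (assign first, then `export`), and the new block mixes `[ ]` with the `[[ ]]` used elsewhere in the script.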
Expand Up @@ -3,7 +3,7 @@ kind: Kustomization
namespace: coco-tenant

resources:
- ../overlays
- ../../overlays/s390x

patches:
- path: patch.yaml
13 changes: 13 additions & 0 deletions kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coco-tenant

resources:
- ../../overlays/x86_64

patches:
- path: patch.yaml
target:
group: ""
kind: Service
name: kbs
3 changes: 3 additions & 0 deletions kbs/config/kubernetes/nodeport/x86_64/patch.yaml
@@ -0,0 +1,3 @@
- op: add
path: /spec/type
value: NodePort
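Review bot: switching the `kbs` Service to `NodePort` exposes the attestation and secret-release endpoint (port 8080 per the README's `get service` output) on every node's address; the overlay name makes the intent clear, but the README's deployment section should label `DEPLOYMENT_DIR=nodeport` as a development convenience rather than a default, since the default `overlays` path keeps the Service at `ClusterIP`.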
6 changes: 6 additions & 0 deletions kbs/config/kubernetes/overlays/common/kustomization.yaml
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coco-tenant

resources:
- ../../base
20 changes: 20 additions & 0 deletions kbs/config/kubernetes/overlays/s390x/kustomization.yaml
@@ -0,0 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coco-tenant

resources:
- ../common
- pvc.yaml

patches:
- path: patch.yaml
target:
kind: Deployment
name: kbs

# Store keys that KBS will release to workloads after attestation:
# kbs:///reponame/workload_key/key.bin
secretGenerator:
- files:
- key.bin
name: keys
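Review bot: `secretGenerator` reads `key.bin` from this overlay directory, which is where the README tells users to write their real secret (`echo ... > overlays/$(uname -m)/key.bin`), so it sits in the working tree next to tracked manifests; unless a `.gitignore` rule already covers `overlays/*/key.bin`, add one, and consider a comment here stating that the file is user-supplied and must not be committed. `pvc.yaml` is also listed as a resource here while the matching `pv.yaml` is applied separately by `deploy-kbs.sh`; a one-line comment explaining that split would save the next reader a search.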
19 changes: 19 additions & 0 deletions kbs/config/kubernetes/overlays/s390x/patch.yaml
@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kbs
spec:
template:
spec:
containers:
- name: kbs
env:
- name: SE_SKIP_CERTS_VERIFICATION
value: "false"
volumeMounts:
- name: test-local-volume
mountPath: /run/confidential-containers/ibmse/
volumes:
- name: test-local-volume
persistentVolumeClaim:
claimName: test-local-pvc
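Review bot: the `test-local-volume` mount at `/run/confidential-containers/ibmse/` exposes the credential tree (including `rsa/encrypt_key.pem`) to the KBS container read-write; add `readOnly: true` to the volumeMount, since the verifier only needs to read these files. `SE_SKIP_CERTS_VERIFICATION: "false"` is the right default; a comment saying it must stay `false` outside local testing would deter quick flips. The `test-local-*` names suggest a test fixture; a name like `ibmse-creds` fits better for the overlay users will actually deploy.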
20 changes: 20 additions & 0 deletions kbs/config/kubernetes/overlays/s390x/pv.yaml
@@ -0,0 +1,20 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: test-local-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
storageClassName: local-storage
local:
path: ${IBM_SE_CREDS_DIR}
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- ${NODE_NAME}
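Review bot: this PersistentVolume is cluster-scoped and has no `claimRef`, so any PersistentVolumeClaim in any namespace that asks for `local-storage` with `ReadWriteOnce` and up to 1Gi can bind it and thereby mount the IBM SE host-key credentials and `encrypt_key.pem`; add `spec.claimRef` with `namespace: coco-tenant` and `name: test-local-pvc` to reserve it for the intended claim. The manifest also assumes a `local-storage` StorageClass already exists (local volumes need one, normally with `volumeBindingMode: WaitForFirstConsumer`), which neither this patch nor the README creates or mentions.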
12 changes: 12 additions & 0 deletions kbs/config/kubernetes/overlays/s390x/pvc.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: test-local-pvc
namespace: coco-tenant
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-storage
resources:
requests:
storage: 1Gi
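Review bot: the claim hardcodes `namespace: coco-tenant` although the overlay's kustomization already sets it, so the field is redundant and will drift if the namespace is ever changed in one place; drop it here. Adding `spec.volumeName: test-local-pv` would also bind this claim to the intended PV deterministically rather than to whichever `local-storage` volume the controller matches first.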
Expand Up @@ -3,7 +3,7 @@ kind: Kustomization
namespace: coco-tenant

resources:
- ../base
- ../common

patches:
- path: patch.yaml