github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Updated docs and encryption.md -> decryption.md

Browse Source 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
This commit is contained in:
Brandon Lum 2020-02-24 19:21:21 +00:00
parent c5209cd679
commit 7a24da0375
2 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/config.md
View File

@ -203,11 +203,20 @@ version = 2
endpoint = ["https://registry-1.docker.io", ] endpoint = ["https://registry-1.docker.io", ]
# 'plugins."io.containerd.grpc.v1.cri".image_decryption' contains config related # 'plugins."io.containerd.grpc.v1.cri".image_decryption' contains config related
# to the handling decryption of encrypted container images. # to handling decryption of encrypted container images.
[plugins."io.containerd.grpc.v1.cri".image_decryption] [plugins."io.containerd.grpc.v1.cri".image_decryption]
# key_model sets how the trust model of where keys should reside for the # key_model defines the name of the key model used for how the cri obtains
# decryption of encrypted container images. The default is "node". # keys used for decryption of encrypted container images.
# The docs/encryption.md file provides further information of key models. # Set of available string options: {"node"}
#
# In order to use the decryption feature, additional configurations must be made.
# The [decryption document](https://github.com/containerd/cri/blob/master/docs/decryption.md)
# provides information of key models and how to set them up with stream processors and the
# containerd imgcrypt decoder.
#
# Additional information on stream processors and imgcrypt:
# * Stream processors: https://github.com/containerd/containerd/blob/master/docs/stream_processors.md
# * Containerd imgcrypt : https://github.com/containerd/imgcrypt
key_model = "node" key_model = "node"
``` ```

8
docs/encryption.md → docs/decryption.md
View File

@ -1,5 +1,5 @@
# Configure Image Encryption # Configure Image Decryption
This document describes the method to configure image encryption for `containerd` for use with the `cri` plugin. This document describes the method to configure encrypted container image decryption for `containerd` for use with the `cri` plugin.
## Encrypted Container Images ## Encrypted Container Images
@ -17,7 +17,7 @@ In this model encryption is tied to worker nodes. The usecase here revolves arou
The default configuration does not handle decrypting encrypted container images. The default configuration does not handle decrypting encrypted container images.
An example for configuring the "node" key model for container image decryption is as follows: An example for configuring the "node" key model for container image decryption:
```toml ```toml
[plugins.cri.image_decryption] [plugins.cri.image_decryption]
@ -36,8 +36,6 @@ An example for configuring the "node" key model for container image decryption i
args = ["--decryption-keys-path", "/keys"] args = ["--decryption-keys-path", "/keys"]
``` ```
In this example, container image decryption is set to use the "node" key model. In addition, the decryption `stream_processors` are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node. In this example, container image decryption is set to use the "node" key model. In addition, the decryption `stream_processors` are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node.
After modify this config, you need restart the `containerd` service. After modify this config, you need restart the `containerd` service.