Implmented node key model for image encryption
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
This commit is contained in:
Brandon Lum
@@ -153,6 +153,11 @@ type RegistryConfig struct {
|
||||
TLS *TLSConfig `toml:"tls" json:"tls"`
|
||||
}
|
||||
|
||||
type EncryptedImagesConfig struct {
|
||||
// KeyModel specifies the model of where keys should reside
|
||||
KeyModel string `toml:"key_model" json:"keyModel"`
|
||||
}
|
||||
|
||||
// PluginConfig contains toml config related to CRI plugin,
|
||||
// it is a subset of Config.
|
||||
type PluginConfig struct {
|
||||
@@ -162,6 +167,8 @@ type PluginConfig struct {
|
||||
CniConfig `toml:"cni" json:"cni"`
|
||||
// Registry contains config related to the registry
|
||||
Registry Registry `toml:"registry" json:"registry"`
|
||||
// EncryptedImagesConfig contains config related to handling of encrypted images
|
||||
EncryptedImagesConfig `toml:"image_encryption" json:"imageEncryption"`
|
||||
// DisableTCPService disables serving CRI on the TCP server.
|
||||
DisableTCPService bool `toml:"disable_tcp_service" json:"disableTCPService"`
|
||||
// StreamServerAddress is the ip address streaming server is listening on.
|
||||
@@ -236,6 +243,12 @@ const (
|
||||
RuntimeUntrusted = "untrusted"
|
||||
// RuntimeDefault is the implicit runtime defined for ContainerdConfig.DefaultRuntime
|
||||
RuntimeDefault = "default"
|
||||
// EncryptionKeyModelMultitenant is the key model where keys are obtained from
|
||||
// kubernetes ImageDecryptSecrets
|
||||
EncryptionKeyModelMultitenant = "multitenant"
|
||||
// EncryptionKeyModelNode is the key model where key for encrypted images reside
|
||||
// on the worker nodes
|
||||
EncryptionKeyModelNode = "node"
|
||||
)
|
||||
|
||||
// ValidatePluginConfig validates the given plugin configuration.
|
||||
|
||||
@@ -165,6 +165,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
|
||||
// rootfs readonly (requested by spec.Root.Readonly).
|
||||
customopts.WithNewSnapshot(id, containerdImage),
|
||||
}
|
||||
|
||||
if len(volumeMounts) > 0 {
|
||||
mountMap := make(map[string]string)
|
||||
for _, v := range volumeMounts {
|
||||
|
||||
@@ -32,6 +32,8 @@ import (
|
||||
containerdimages "github.com/containerd/containerd/images"
|
||||
"github.com/containerd/containerd/log"
|
||||
"github.com/containerd/containerd/remotes/docker"
|
||||
"github.com/containerd/imgcrypt"
|
||||
"github.com/containerd/imgcrypt/images/encryption"
|
||||
distribution "github.com/docker/distribution/reference"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/pkg/errors"
|
||||
@@ -106,7 +108,8 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
|
||||
return nil, nil
|
||||
}
|
||||
)
|
||||
image, err := c.client.Pull(ctx, ref,
|
||||
|
||||
pullOpts := []containerd.RemoteOpt{
|
||||
containerd.WithSchema1Conversion,
|
||||
containerd.WithResolver(resolver),
|
||||
containerd.WithPullSnapshotter(c.config.ContainerdConfig.Snapshotter),
|
||||
@@ -114,7 +117,15 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
|
||||
containerd.WithPullLabel(imageLabelKey, imageLabelValue),
|
||||
containerd.WithMaxConcurrentDownloads(c.config.MaxConcurrentDownloads),
|
||||
containerd.WithImageHandler(imageHandler),
|
||||
)
|
||||
}
|
||||
|
||||
if c.config.EncryptedImagesConfig.KeyModel == criconfig.EncryptionKeyModelNode {
|
||||
ltdd := imgcrypt.Payload{}
|
||||
decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(<dd))
|
||||
pullOpts = append(pullOpts, encryption.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt}))
|
||||
}
|
||||
|
||||
image, err := c.client.Pull(ctx, ref, pullOpts...)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to pull and unpack image %q", ref)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user