Enhancement proposal for Confidential Clusters

[uril]

This enhancement proposes the integration of confidential computing
capabilities into OpenShift cluster, enabling the deployment of
Confidential Clusters

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dhellmann for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @uril. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[travier]

/ok-to-test

[uril]

/retest

[cgwalters]

Awesome work overall! There's of course huge amounts of detail in some of this, but I think the outline looks good.

[cgwalters]

We need to boot in a pure stateless mode here, where we're not accessing any persistent storage for /etc and /var right?

[travier]

To address the larger concern that we can not trust the filesystem itself on the disk on first boot, we need some form of integrity verification that covers the entire partition. I could be implemented in a similar fashion to what is done with Secure Execution on S390x.

If we don't take this concern into account, then we could indeed only read the fs-verity verified content from the composefs repo and re-generate the /etc & /var content from it.

[cgwalters]

I still really hope that we get away from having a MCS at all by shrinking the role of Ignition such that everything needed to join fits into the bootstrap config which really really should be able to fit in e.g. AWS instance user-data store completely and the like.

[cgwalters]

Yeah but won't most people who want to do this actually want HCP anyways? I would definitely put HCP support far in front of this as a priority

[travier]

That could be an option. HCP deployments place the trust in the cluster hosting the control plane, so for it to make sense for Confidential Clusters, it would be a configuration with a Hosted Control Plane in a trusted environment (likely a Bare Metal cluster) and HCP Workers in a cloud.

If we want everything in the cloud then we are back to the standalone cluster case for the control plane part as you can not claim that your workers are confidential if the control plane is hosted on the same cloud with non confidential VMs.

[cgwalters]

I'd lean towards pull, but have a cache of course of container-sha ➡️ PCRs

[travier]

Direct link to rendered docs: https://github.com/uril/openshift_enhancements/blob/confidential-clusters-proposal/enhancements/security/confidential-clusters.md

[yuqi-zhang]

Some general comments inline

[yuqi-zhang]

Basic question: the CVM is the entire node right? You can't say, run 2 CVMs on one machine, or run things outside of the CVM on that machine?

[uril]

Right, in our case, OpenShift node == CVM == OpenShift machine.

The "host machine" (the cloud server) can run many CVMs (and other things).

[travier]

Yes, the entire node runs as a Confidential VM provided by the cloud provider. You don't control on which host your VM runs (it's a cloud), and you can not run things outside.

[yuqi-zhang]

As a clarification here, this will be a cluster level setting? Or are you proposing that in one cluster, some nodes can be CVMs and others not?

[uril]

All the nodes of a confidential cluster are CVMs.

The specific configuration/API, for requesting cloud providers to create a CVM is platform dependent and is not kept at the cluster level.

A mixed cluster of non/confidential nodes is technically possible, but is not safe.

[travier]

It will be cluster wide. A cluster will be either all confidential nodes or not at all. Technically you can mix things, but it does not make sense for a cluster running in a cloud to be mixed.

[yuqi-zhang]

Since the MCO and on-cluster RHCOS operations doesn't currently use bootc at all, would that integration be needed here?

[travier]

We will indeed need "direct" bootc support in the MCO (i.e. not use rpm-ostree at all anymore).

[yuqi-zhang]

Will this be running as a core payload operator that's always present, or only deployed conditionally?

[travier]

It will be an operator part of the core payload but only running if needed.

[yuqi-zhang]

Could you clarify on this point? The admin shouldn't be able to "modify configs on the fly" during installation. The MCO has a singular render generation phase, if that's what you're trying to fetch here.

[travier]

The idea is that the config that will be used for the external Trustee server will include the full config passed to the bootstrap node. If anything modifies this config, then the Trustee config will have to be re-generated. We don't expect the manifests to be modified live during the installation.

[yuqi-zhang]

Could you provide some examples for this? Just curious what that would look like in practice.

Also curious if this affects the ongoing MAPI->CAPI transition at all

[yuqi-zhang]

Is the trustee instance responsible for asking the MCS for the contents through some in-cluster proxy, or would we have to have the MCS initiate that?

[yuqi-zhang]

Would we GA on phase 1, or would we techpreview phase 1, implement phase 2, and GA the feature after we complete phase 2?

[uril]

We will dev/tech-preview on phase 1 and phase 2.

I'm not sure about GA after phase 1.

[openshift-ci]

@uril: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/markdownlint	766b9a1	link	true	/test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[patrickdillon]

There is another part of the installation process we should consider, where the installer:

• generates the ignition file for the bootstrap node
• uploads bootstrap ignition to a cloud storage bucket
• puts pointer ignition in bootstrap node userdata redirecting bootstrap node to pull ignition from storage bucket (using a self-signed URL, although for Azure I think self-signed URL support is WIP and azure uses storage account keys)

It's unclear whether this model will continue to work with the remote attestation service. If the First Boot configuration from the attestation service can be merged alongside the bootstrap ignition bucket, then it would require fewer changes to the installer. For example (pseudo), the bootstrap pointer ignition would be injected with the additional attestation server source:

{
    "ignition": {
        "config": {
            "merge": [
                {
                    "source": "http://<registration-service>/ignition"
                },
                {
                    "source": "http://<cloud-bucket>/ignition"
                }
            ]
        }
    }
}

This would utilize ignition's merge functionality to grab the configs from both the attestation server and the cloud bucket.

But if it's a requirement that the remote attestation server is contacted first (or only) then the installer would presumably need to be updated to upload bootstrap ignition so it could be served by the attestation service.