You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: dev-docs/user-manual.md
+10-9
Original file line number
Diff line number
Diff line change
@@ -11,20 +11,21 @@ It currently targets the [CoCo preview on AKS](https://learn.microsoft.com/en-us
11
11
## The Contrast Coordinator
12
12
13
13
The Contrast Coordinator is the central remote attestation service of a Contrast deployment.
14
-
It runs itself inside a confidential container inside your cluster.
15
-
Which gives essential properties. The Coordinator can be verified via remote attestation, and a Contrast deployment is self-contained.
14
+
It runs inside a confidential container inside your cluster.
15
+
The Coordinator can be verified via remote attestation, and a Contrast deployment is self-contained.
16
16
The Coordinator is configured with a *manifest*, a configuration file containing the reference attestation values of your deployment.
17
-
It ensures that your app's topology adheres to your specified manifest by verifying the identity and integrity of all your pods.
17
+
It ensures that your deployment's topology adheres to your specified manifest by verifying the identity and integrity of all your pods.
18
18
The Coordinator is also a certificate authority and issues certificates for your workload pods during the attestation procedure.
19
19
Your workload pods can establish secure, encrypted communication channels between themselves based on these certificates and the Coordinator as the root CA.
20
20
As your app needs to scale, the Coordinator transparently verifies new instances and then provides them with their certificates to join the deployment.
21
21
22
22
To verify your deployment, the Coordinator's remote attestation statement combined with the manifest offers a concise single remote attestation statement for your entire deployment.
23
-
A third party can use this to verify the integrity of your distributed app, making it easier to assure stakeholders of your app's security.
23
+
A third party can use this to verify the integrity of your distributed app, making it easy to assure stakeholders of your app's identity and integrity.
24
24
25
25
## The Manifest
26
26
27
27
The manifest is the configuration file for the Coordinator, defining your confidential deployment.
28
+
It is automatically generated from your deployment by the Contrast CLI.
28
29
It currently consists of the following parts:
29
30
30
31
**Policies*: The identities of your Pods, represented by the hashes of their respective runtime policies.
@@ -34,20 +35,20 @@ It currently consists of the following parts:
34
35
## Runtime Policies
35
36
36
37
Runtime Policies are a mechanism to enable the use of the (untrusted) Kubernetes API for orchestration while ensuring the confidentiality and integrity of your confidential containers.
37
-
Essentially, they allow us to enforce the integrity of your containers' runtime environment as defined in your deployment files.
38
+
They allow us to enforce the integrity of your containers' runtime environment as defined in your deployment files.
38
39
The runtime policy mechanism is based on the Open Policy Agent (OPA) and translates the Kubernetes deployment YAMLs into OPA's Rego policy language.
39
-
The Kata Agent inside the confidential micro-VM then enforces the policy by only serving permitted requests to your container.
40
+
The Kata Agent inside the confidential micro-VM then enforces the policy by only acting on permitted requests.
40
41
The Contrast CLI provides the tooling for automatically translating Kubernetes deployment YAMLs into OPA's Rego policy language.
41
42
42
-
For the interested reader, the trust chain goes as follows:
43
+
The trust chain goes as follows:
43
44
44
-
1. The CLI generates a policy and attaches it to the pod definition.
45
+
1. The Contrast CLI generates a policy and attaches it to the pod definition.
45
46
2. Kubernetes schedules the pod on a node with kata-cc-isolation runtime.
46
47
3. Containerd takes the node, starts the Kata Shim and creates the pod sandbox.
47
48
4. The Kata runtime starts a CVM with the policy's digest as `HOSTDATA`.
48
49
5. The Kata runtime sets the policy using the `SetPolicy` method.
49
50
6. The Kata agent verifies that the incoming policy's digest matches `HOSTDATA`.
50
-
7. The CLI sets a manifest at the Contrast Coordinator, including a list of permitted policies.
51
+
7. The CLI sets a manifest in the Contrast Coordinator, including a list of permitted policies.
51
52
8. The Contrast Coordinator verifies that the started pod has a permitted policy hash in its `HOSTDATA` field.
52
53
53
54
After the last step, we know that the policy has not been tampered with and, thus, that the workload is as intended.
0 commit comments