diff --git a/README.md b/README.md index 1401581264..d9c0c1b939 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ The Contrast CLI provides the tooling for automatically translating Kubernetes d The trust chain goes as follows: 1. The Contrast CLI generates a policy and attaches it to the pod definition. -2. Kubernetes schedules the pod on a node with kata-cc-isolation runtime. +2. Kubernetes schedules the pod on a node with contrast-cc-isolation runtime. 3. Containerd takes the node, starts the Kata Shim and creates the pod sandbox. 4. The Kata runtime starts a CVM with the policy's digest as `HOSTDATA`. 5. The Kata runtime sets the policy using the `SetPolicy` method. @@ -180,13 +180,13 @@ helm template release-name chart-name > resources/all.yml ``` To specify that a workload (pod, deployment, etc.) should be deployed as confidential containers, -add `runtimeClassName: kata-cc-isolation` to the pod spec (pod definition or template). +add `runtimeClassName: contrast-cc-isolation` to the pod spec (pod definition or template). In addition, add the Contrast Initializer as `initContainers` to these workloads and configure the workload to use the certificates written to the `tls-certs` volumeMount. ```yaml spec: # v1.PodSpec - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go index 3ea9ad3a1b..255c1b9b70 100644 --- a/cli/cmd/generate.go +++ b/cli/cmd/generate.go @@ -168,7 +168,7 @@ func findGenerateTargets(args []string, logger *slog.Logger) ([]string, error) { } } - paths = filterNonCoCoRuntime("kata-cc-isolation", paths, logger) + paths = filterNonCoCoRuntime("contrast-cc-isolation", paths, logger) if len(paths) == 0 { return nil, fmt.Errorf("no .yml/.yaml files found") 
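Review bot: The runtime class name is still a bare string literal at the `filterNonCoCoRuntime` call in `findGenerateTargets`, and the same literal is repeated in the `WithRuntimeClassName` calls in `e2e/internal/kuberesource/parts.go` and `sets.go`, so every future rename has to find each copy by hand. A named constant such as `const runtimeClassName = "contrast-cc-isolation"` referenced from the call would keep the CLI filter from drifting away from the manifests. Judging by its name, the filter drops manifests whose runtime class does not match, so a manifest that still says `kata-cc-isolation` would presumably be skipped by `generate` and end up without a policy annotation. If that is the case, a warning-level log line for skipped files that carry the old name, or a note marking the rename as a breaking change, would make the gap visible to operators. `findGenerateTargets` begins and ends outside the hunk, so the logging already done inside the filter cannot be checked from here.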
diff --git a/deployments/emojivoto-sm-egress/coordinator.yml b/deployments/emojivoto-sm-egress/coordinator.yml index de121a3165..dd2fd35f40 100644 --- a/deployments/emojivoto-sm-egress/coordinator.yml +++ b/deployments/emojivoto-sm-egress/coordinator.yml @@ -15,7 +15,7 @@ spec: annotations: contrast.edgeless.systems/pod-role: coordinator spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation containers: - name: coordinator image: "ghcr.io/edgelesssys/contrast/coordinator:latest" diff --git a/deployments/emojivoto-sm-egress/emoji.yml b/deployments/emojivoto-sm-egress/emoji.yml index 64a7a6d736..4515c9b0d2 100644 --- a/deployments/emojivoto-sm-egress/emoji.yml +++ b/deployments/emojivoto-sm-egress/emoji.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: emoji-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/emojivoto-sm-egress/voting.yml b/deployments/emojivoto-sm-egress/voting.yml index 1cbb3da69a..785cca3733 100644 --- a/deployments/emojivoto-sm-egress/voting.yml +++ b/deployments/emojivoto-sm-egress/voting.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: voting-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/emojivoto-sm-egress/web.yml b/deployments/emojivoto-sm-egress/web.yml index 9993344239..6a003d030c 100644 --- a/deployments/emojivoto-sm-egress/web.yml +++ b/deployments/emojivoto-sm-egress/web.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: web-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" 
diff --git a/deployments/emojivoto/coordinator.yml b/deployments/emojivoto/coordinator.yml index 555baafd66..56ab8a1eb4 100644 --- a/deployments/emojivoto/coordinator.yml +++ b/deployments/emojivoto/coordinator.yml @@ -15,7 +15,7 @@ spec: annotations: contrast.edgeless.systems/pod-role: coordinator spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation containers: - name: coordinator image: "ghcr.io/edgelesssys/contrast/coordinator:latest" diff --git a/deployments/emojivoto/emoji.yml b/deployments/emojivoto/emoji.yml index 64a7a6d736..4515c9b0d2 100644 --- a/deployments/emojivoto/emoji.yml +++ b/deployments/emojivoto/emoji.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: emoji-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/emojivoto/voting.yml b/deployments/emojivoto/voting.yml index 1cbb3da69a..785cca3733 100644 --- a/deployments/emojivoto/voting.yml +++ b/deployments/emojivoto/voting.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: voting-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/emojivoto/web.yml b/deployments/emojivoto/web.yml index c6beba1bcb..ef8570a8b3 100644 --- a/deployments/emojivoto/web.yml +++ b/deployments/emojivoto/web.yml @@ -25,7 +25,7 @@ spec: app.kubernetes.io/name: web-svc version: v11 spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/openssl/coordinator.yml b/deployments/openssl/coordinator.yml index 4c9b1ae65c..562fb2bdb4 100644 --- a/deployments/openssl/coordinator.yml +++ b/deployments/openssl/coordinator.yml 
@@ -15,7 +15,7 @@ spec: annotations: contrast.edgeless.systems/pod-role: coordinator spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation containers: - name: coordinator image: "ghcr.io/edgelesssys/contrast/coordinator:latest" diff --git a/deployments/openssl/openssl-backend.yml b/deployments/openssl/openssl-backend.yml index 19e053f065..d1e90448bc 100644 --- a/deployments/openssl/openssl-backend.yml +++ b/deployments/openssl/openssl-backend.yml @@ -13,7 +13,7 @@ spec: labels: app.kubernetes.io/name: openssl-backend spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/openssl/openssl-client.yml b/deployments/openssl/openssl-client.yml index 414c98f8bd..ee2148b81f 100644 --- a/deployments/openssl/openssl-client.yml +++ b/deployments/openssl/openssl-client.yml @@ -13,7 +13,7 @@ spec: labels: app.kubernetes.io/name: openssl-client spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/openssl/openssl-frontend.yml b/deployments/openssl/openssl-frontend.yml index e293f392ec..c9f67e467c 100644 --- a/deployments/openssl/openssl-frontend.yml +++ b/deployments/openssl/openssl-frontend.yml @@ -13,7 +13,7 @@ spec: labels: app.kubernetes.io/name: openssl-frontend spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/deployments/simple/coordinator.yml b/deployments/simple/coordinator.yml index 555baafd66..56ab8a1eb4 100644 --- a/deployments/simple/coordinator.yml +++ b/deployments/simple/coordinator.yml 
@@ -15,7 +15,7 @@ spec: annotations: contrast.edgeless.systems/pod-role: coordinator spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation containers: - name: coordinator image: "ghcr.io/edgelesssys/contrast/coordinator:latest" diff --git a/deployments/simple/initializer.yml b/deployments/simple/initializer.yml index 5f32ae1516..46ae1c0c01 100644 --- a/deployments/simple/initializer.yml +++ b/deployments/simple/initializer.yml @@ -13,7 +13,7 @@ spec: labels: app.kubernetes.io/name: workload spec: - runtimeClassName: kata-cc-isolation + runtimeClassName: contrast-cc-isolation initContainers: - name: initializer image: "ghcr.io/edgelesssys/contrast/initializer:latest" diff --git a/dev-docs/user-manual.md b/dev-docs/user-manual.md index 13c0fbf63c..de87fe4c13 100644 --- a/dev-docs/user-manual.md +++ b/dev-docs/user-manual.md @@ -43,7 +43,7 @@ The Contrast CLI provides the tooling for automatically translating Kubernetes d The trust chain goes as follows: 1. The Contrast CLI generates a policy and attaches it to the pod definition. -2. Kubernetes schedules the pod on a node with kata-cc-isolation runtime. +2. Kubernetes schedules the pod on a node with contrast-cc-isolation runtime. 3. Containerd takes the node, starts the Kata Shim and creates the pod sandbox. 4. The Kata runtime starts a CVM with the policy's digest as `HOSTDATA`. 5. The Kata runtime sets the policy using the `SetPolicy` method. diff --git a/e2e/internal/kuberesource/parts.go b/e2e/internal/kuberesource/parts.go index b2ab1d6164..cc1f56b2f3 100644 --- a/e2e/internal/kuberesource/parts.go +++ b/e2e/internal/kuberesource/parts.go 
@@ -73,7 +73,7 @@ func Coordinator(namespace string) *CoordinatorConfig { WithLabels(map[string]string{"app.kubernetes.io/name": "coordinator"}). WithAnnotations(map[string]string{"contrast.edgeless.systems/pod-role": "coordinator"}). WithSpec(PodSpec(). - WithRuntimeClassName("kata-cc-isolation"). + WithRuntimeClassName("contrast-cc-isolation"). WithContainers( Container(). WithName("coordinator"). diff --git a/e2e/internal/kuberesource/sets.go b/e2e/internal/kuberesource/sets.go index 80b7bc54fa..8bf4ccfb8d 100644 --- a/e2e/internal/kuberesource/sets.go +++ b/e2e/internal/kuberesource/sets.go @@ -21,7 +21,7 @@ func Simple() ([]any, error) { WithTemplate(PodTemplateSpec(). WithLabels(map[string]string{"app.kubernetes.io/name": "workload"}). WithSpec(PodSpec(). - WithRuntimeClassName("kata-cc-isolation"). + WithRuntimeClassName("contrast-cc-isolation"). WithContainers( Container(). WithName("workload").