《云原生机密计算最佳实践白皮书》——06运行时底座——Intel TDX机密容器(4) https://developer.aliyun.com/article/1231168?groupCode=aliyun_linux
步骤四:启动并验证带签名的加密镜像
1. 配置TDX CoCo runtime
attestation agent 支持TDX平台的KBC为:eaa_kbc , 远端verdictd service用于提供验证和image解密
key,签名的policy和密钥信息。
vim /opt/confifidential-containers/share/defaults/kata-containers/confifiguration-qemu-tdx. toml # EAA KBC is specifified as: eaa_kbc::host_ip:port kernel_params = "<default kernel params> agent.aa_kbc_params=eaa_kbc::verdictd_ip_ad dress:20002 agent.enable_signature_verifification=true"
2. 部署Pod
注意:在实际操作中,应将用户docker.io/test更名为实际操作的用户名,docker.io/xxxx。
cat <<-EOF | kubectl apply -f - apiVersion: v1 kind: Pod metadata: name: test-tdx-alpine spec: runtimeClassName: kata-qemu-tdx containers: - image: docker.io/test/alpine-encrypted command: - top imagePullPolicy: Always name: test-tdx-alpine restartPolicy: Never EOF
• 查看 pod 是否启动成功:
kubectl get po
• 预期结果如下:
NAME READY STATUS RESTARTS AGE test-tdx-alpine 1/1 Running 0 31h kubectl describe pod test-tdx-alpine Normal Pulling 5s kubelet Pulling image " docker.io/test/alpine-encrypted " Normal Pulled 3s kubelet Successfully pulled image " docker.io/test/alpine-encrypted " in 1.682344015s (1.682349283s including waiting) Normal Created 3s kubelet Created container test-tdx-alpine Normal Started 3s kubelet Started container test-tdx-alpine · # verdictd 日志 [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::rats_tls] response: {"data":{"base64 size":"452"},"status":"OK"} [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::protocol] Request: Object {"command": String("Get Policy"), "optional": Object {}} [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::rats_tls] response: ewogICAgImRlZmF 1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJyZWplY3QiCiAgICAgICAgfQogICAgXSw KICAgICJ0cmFuc3BvcnRzIjogewogICAgICAgICJkb2NrZXIiOiB7CiAgICAgICAgICAgICJyZWdpc3RyeS5kb 21haW4ubG9jYWwiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2 lnc3RvcmVTaWduZWQiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogIi9ydW4vaW1hZ2Utc2VjdXJ pdHkvY29zaWduL2Nvc2lnbi5wdWIiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9 CiAgICB9Cn0K [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::protocol] Request: Object {"command": String("Get Resource Info"), "name": String("Cosign Key")} [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::rats_tls] response: {"data":{"base64 size":"240"},"status":"OK"} [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::protocol] Request: Object {"command": String("Get Cosign Key"), "optional": Object {}} [2023-03-01T08:19:45Z INFO verdictd::attestation_agent::rats_tls] response: LS0tLS1CRUdJTiBQVU JMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowRE FRY0RRZ0FFZ3h6NWhEVXl6VnpFd2RVcnhZb1JQVE1pN0ZveQovVEI4OTVlbmt MdzE4RHNLczR1MnFidHg1L1hJNVlKaUJ4TDhyZG9NL3A5clBQSHVDVV dpSkxBSFVnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==EOF
