confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

Feature request: support istio service mesh #102

Open huoqifeng opened 1 year ago

huoqifeng commented 1 year ago

To support istio service mesh, I did manual testing by hacking the istio-enabled deployment file against IKS (IBM Cloud Kubernetes as a service). It worked, but several problems were identified where the peerpod function needs to be enhanced. Here is a collection of the issues to support istio:

  1. Allow image pull when istio iptables are set
     Short term: https://github.com/confidential-containers/cloud-api-adaptor/issues/86
     Longer term: image-rs (https://github.com/confidential-containers/cloud-api-adaptor/issues/109)

  2. Private image pull
     https://github.com/confidential-containers/cloud-api-adaptor/issues/99
     https://github.com/kata-containers/kata-containers/issues/4601

  3. ImagePullPolicy (always)
     https://github.com/confidential-containers/cloud-api-adaptor/issues/100

  4. Merge OCI image config and OCI container config
     https://github.com/confidential-containers/cloud-api-adaptor/issues/101
     https://github.com/kata-containers/kata-containers/issues/4828

  5. Multiple containers referring to the same image
     Short term: https://github.com/confidential-containers/cloud-api-adaptor/issues/126
     Longer term: https://github.com/kata-containers/kata-containers/issues/4785, fixed as @yoheiueda verified in https://github.com/kata-containers/kata-containers/issues/4785#issuecomment-1266563912

After istio basic function works in peerpod, we'll need to consider how to synchronize the certs and cfg files from the control plane to the data plane.
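Item 4 above concerns merging the OCI image config with the OCI container config. In a peer pod the image is pulled inside the guest VM, so the process definition the guest ends up running is whatever this merge produces; getting it wrong means the wrong entrypoint, environment or working directory executes inside the confidential VM. The following is an added illustration, not code from cloud-api-adaptor or kata-containers: it uses simplified structs (`ImageConfig`, `ContainerProcess`) that stand in for the real OCI image config and runtime-spec `process` object, and the precedence rules it applies (container args win, otherwise image entrypoint plus cmd; image env as base with container env overriding by key; cwd falling back to the image working dir, then `/`) are an assumption modelled on common container runtime behaviour rather than the project's actual implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageConfig holds the fields of an OCI image config that the merge consumes.
// Constructed for this example; a real implementation would decode the
// "config" object of the image's OCI configuration blob.
type ImageConfig struct {
	Entrypoint []string
	Cmd        []string
	Env        []string
	WorkingDir string
}

// ContainerProcess is the subset of the OCI runtime spec "process" object that
// arrives with the container config. In a peer pod the image is pulled inside
// the guest, so these fields are empty whenever the pod spec did not set them.
type ContainerProcess struct {
	Args []string
	Env  []string
	Cwd  string
}

// envKey returns the variable name of a KEY=VALUE entry.
func envKey(kv string) string {
	if i := strings.IndexByte(kv, '='); i >= 0 {
		return kv[:i]
	}
	return kv
}

// mergeEnv starts from the image environment and lets container entries
// override by key; container-only variables are appended in their original order.
func mergeEnv(imageEnv, containerEnv []string) []string {
	out := make([]string, 0, len(imageEnv)+len(containerEnv))
	index := map[string]int{}
	for _, kv := range imageEnv {
		index[envKey(kv)] = len(out)
		out = append(out, kv)
	}
	for _, kv := range containerEnv {
		if i, ok := index[envKey(kv)]; ok {
			out[i] = kv
			continue
		}
		index[envKey(kv)] = len(out)
		out = append(out, kv)
	}
	return out
}

// MergeImageConfig fills the container process from the image config wherever
// the container config left a field unset (assumed precedence, see lead-in):
//   - Args: container args win; otherwise image Entrypoint followed by Cmd
//   - Env:  image env as base, container env overrides by key
//   - Cwd:  container cwd, then image WorkingDir, then "/"
func MergeImageConfig(img ImageConfig, proc ContainerProcess) ContainerProcess {
	merged := proc
	if len(merged.Args) == 0 {
		merged.Args = append(append([]string{}, img.Entrypoint...), img.Cmd...)
	}
	merged.Env = mergeEnv(img.Env, proc.Env)
	if merged.Cwd == "" {
		merged.Cwd = img.WorkingDir
	}
	if merged.Cwd == "" {
		merged.Cwd = "/"
	}
	return merged
}

func main() {
	// Constructed sample: an image whose config supplies the command, and a
	// container config that only overrides one environment variable.
	img := ImageConfig{
		Entrypoint: []string{"/usr/local/bin/envoy"},
		Cmd:        []string{"-c", "/etc/envoy/envoy.yaml"},
		Env:        []string{"PATH=/usr/local/bin:/usr/bin", "LOG_LEVEL=info"},
		WorkingDir: "/etc/envoy",
	}
	proc := ContainerProcess{Env: []string{"LOG_LEVEL=debug"}}
	fmt.Printf("%+v\n", MergeImageConfig(img, proc))
}
```

The important property for a confidential workload is that the merge is deterministic and that the result, not the host-side expectation, is what gets measured or attested; a runtime that pulls images in the guest has to apply the same rules the host runtime would have, or the pod runs something other than what the operator reviewed.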

fitzthum commented 1 year ago

Have you looked into how istio itself fits into the trust model? How can certificates and configurations be safely provisioned to the envoy?

huoqifeng commented 1 year ago

> Have you looked into how istio itself fits into the trust model? How can certificates and configurations be safely provisioned to the envoy?

@fitzthum thanks for the reminder. I have not done much investigating yet, but it is indeed a TODO item of mine.

ariel-adam commented 1 year ago

@huoqifeng is this issue still relevant or can be closed? If it's still relevant to what release do you think we should map it to (mid-November, end-December, mid-February etc...)?

bpradipt commented 1 year ago

@huoqifeng I recall you have already tested istio service mesh successfully. Can we close this issue now?

huoqifeng commented 1 year ago

I think we're missing https://github.com/kata-containers/kata-containers/issues/4323