mkulke
commented
10 hours ago a couple of thoughts
- This is also in the scope of a future "SetInitData" API call in kata-agent to propagate config files (there is no user-data/config-drive for bare-metal or nested CVMs)
- AA + CDH config file should be measured and the measurement included in the attestation evidence, since they are injected into the CVM from an untrusted source.
- The configuration is configured global per CAA installation, while the SetInitData approach only applies to a single pod
- agent::SetPolicy (which is supposed to be a superseded by agent::SetInitData) is already used to propagate files to the CVMs, albeit we don't measure the policy files, atm
see also this issue: https://github.com/confidential-containers/cloud-api-adaptor/issues/1369
Currently, we can only access kbs from pod with http connection.
CDH of guest component has example and code logic to handle kbs cert. https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/example.config.toml#L19
Attestation-agent of guest component has the similar definition.
However, there isn't code of cloud-api-adaptor to handle the kbs cert. There is no way to pass the parameter to configuration files of cdh and attestation agent.
This issue aims to handle the parameter of kbs cert in cloud-api-adaptor and pass the parameters to cdh and attestation-agent.