enable running WASM binaries with kwasm in constellation

edgelesssys / constellation

Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.

GNU Affero General Public License v3.0

903 stars 47 forks source link

enable running WASM binaries with kwasm in constellation #3165

Closed hpvd closed 3 weeks ago

hpvd commented 3 weeks ago

Use case

enable running WASM binaries would help to drive security even further because of

security advantages of WASM (sandboxed, only the relevant code inside)
making it easier, and with this less error-prone/more secure, to rely on different base architectures (intel/amd, arm..) since no different/multi-arch images with different signings needed anymore.

Describe your solution

make constellation fully compatible to with kwasm operator to easily make it ready to run wasm binaries https://github.com/KWasm/kwasm-operator

Many other standard (non cc) distributions already are compatible: https://github.com/KWasm/kwasm-node-installer?tab=readme-ov-file#supported-kubernetes-distributions

Would you be willing to implement this feature?

[ ] Yes, I could contribute this feature.

hpvd commented 3 weeks ago

2 up-to-date video sources on kwasm: overview: https://www.youtube.com/watch?v=d51lFnAR-Z0 review: https://www.youtube.com/watch?v=oY9le4DDAOY

hpvd commented 3 weeks ago

maybe this can be thought together with https://github.com/edgelesssys/constellation/issues/2879 (of course only if this meets your safety requirements) as an approach to make constellation suitable for "flexible any cloud" today (agnostic of CPU-Architecture used and cloud vendor) without blowing up efforts on maintenance....

edit: of course another topic fitting into the direction of "flexible any cloud" and its management, is the crossplane topic... https://github.com/edgelesssys/constellation/issues/2630

burgerdev commented 3 weeks ago

Hi @hpvd,

Thanks for considering Constellation for your WASM use case!

As far as I understand, the node-installer works by modifying the containerd config in place and adding the kwasm-shim. That won't work on Constellation, because the containerd config file is on the immutable root partition. This choice is deliberate trading off flexibility for safety. You can find more information on the Edgeless docs.

If it were possible to extend containerd safely, say with override fragments like for systemd, we could consider adding a config dir to the mutable state disk. I took note of that in our backlog, but imho a feature request for containerd would need to be filed first. Then the kwasm team would need to add Constellation to the known config locations in their install script.

Cheers, Markus