Closed hpvd closed 3 weeks ago
2 up-to-date video sources on kwasm: overview: https://www.youtube.com/watch?v=d51lFnAR-Z0 review: https://www.youtube.com/watch?v=oY9le4DDAOY
maybe this can be thought together with https://github.com/edgelesssys/constellation/issues/2879 (of course only if this meets your safety requirements) as an approach to make constellation suitable for "flexible any cloud" today (agnostic of CPU-Architecture used and cloud vendor) without blowing up efforts on maintenance....
edit: of course another topic fitting into the direction of "flexible any cloud" and its management, is the crossplane topic... https://github.com/edgelesssys/constellation/issues/2630
Hi @hpvd,
Thanks for considering Constellation for your WASM use case!
As far as I understand, the node-installer works by modifying the containerd config in place and adding the kwasm-shim. That won't work on Constellation, because the containerd config file is on the immutable root partition. This choice is deliberate trading off flexibility for safety. You can find more information on the Edgeless docs.
If it were possible to extend containerd safely, say with override fragments like for systemd, we could consider adding a config dir to the mutable state disk. I took note of that in our backlog, but imho a feature request for containerd would need to be filed first. Then the kwasm team would need to add Constellation to the known config locations in their install script.
Cheers, Markus
Use case
enable running WASM binaries would help to drive security even further because of
Describe your solution
make constellation fully compatible to with kwasm operator to easily make it ready to run wasm binaries https://github.com/KWasm/kwasm-operator
Many other standard (non cc) distributions already are compatible: https://github.com/KWasm/kwasm-node-installer?tab=readme-ov-file#supported-kubernetes-distributions
Would you be willing to implement this feature?