Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Apache License 2.0
genpolicy: reject untested CreateContainer field values #9856
Reject CreateContainerRequest field values that are not tested by Kata CI and that might impact the confidentiality of CoCo Guests.
This change uses a "better safe than sorry" approach to untested fields. It is very possible that in the future we'll encounter reasonable use cases that will either:
- Show that some of these fields are benign and don't have to be verified by Policy, or
- Show that Policy should verify legitimate values of these fields
These are the new CreateContainerRequest Policy rules: