sylabs / singularity-cri

The Singularity implementation of the Kubernetes Container Runtime Interface
Apache License 2.0
114 stars, 29 forks

Support encrypted SIFs #363

Open sashayakovtseva opened 5 years ago

poidag-zz commented 5 years ago

Interested in how you are thinking about implementing this, @sashayakovtseva.

Do you plan on supporting a model of encryption for the entire CRI, or on a specified case-by-case basis? For example:

Workload A in namespace test consumes a secret in that namespace, which is then in turn passed down to sycri somehow and used to encrypt that specific workload?

I've not looked much into this yet but happy to hear your thoughts on what the implementation could look like!

sashayakovtseva commented 5 years ago

@pickledrick Not sure yet. Singularity has encrypted containers in the singularity engine, and the container is decrypted on the fly. In Singularity-CRI we use the oci engine, i.e. we would need to decrypt the container to form a bundle and then call the runtime.

This is a subject to discuss; this issue is more of a reminder now.