GithubHelp home page GithubHelp logo

oss23-demo's Introduction

Open Source Summit EU 2023

Demo Prep

Build KBS

docker build -t kbs -f Dockerfile.kbs .

Deploy KBS

k create deploy kbs --image ghcr.io/mkulke/kbs:oss23-demo --port 8080
k expose deploy/kbs --type NodePort

Encrypt Image

Build coco-keyprovider:

docker build -t coco-keyprovider -f Dockerfile.coco-keyprovider .

Create encryption key:

KEY_FILE="image_key"
head -c 32 /dev/urandom | openssl enc > "$KEY_FILE"

Run coco-keyprovider w/ mounted key file:

docker run -d -p 50000:50000 -v "${PWD}/${KEY_FILE}:/${KEY_FILE}" --name coco-keyprovider coco-keyprovider

Encrypt image with skopeo:

echo '{"key-providers": {"attestation-agent": {"grpc": "localhost:50000"}}}' > ocicrypt.conf
IMAGE_DESTINATION="ghcr.io/mkulke/busybox-encrypted:oss23-demo"
KEY_ID="default/key/busybox-encrypted"
KEYPROVIDER_PARAMS="provider:attestation-agent:keypath=/${KEY_FILE}::keyid=kbs:///${KEY_ID}::algorithm=A256GCM"
OCICRYPT_KEYPROVIDER_CONFIG="${PWD}/ocicrypt.conf" skopeo copy --insecure-policy --encryption-key "$KEYPROVIDER_PARAMS" docker://busybox:stable "docker://${IMAGE_DESTINATION}"
docker rm -f coco-keyprovider

Provision key to KBS:

cat "$KEY_FILE" | k exec -i deploy/kbs -- tee "/opt/confidential-containers/kbs/repository/${KEY_ID}" > /dev/null

Demo

Deploy Encrypted Image w/ kata-remote RuntimeClass

k apply -f busybox-encrypted.yaml

Verify Encryption Configuration

Inspect image:

skopeo inspect docker://ghcr.io/mkulke/busybox-encrypted:oss23-demo | jless

Decode attestation-agent annotation:

echo "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9rZXkvYnVzeWJveC1lbmNyeXB0ZWQiLCJ3cmFwcGVkX2RhdGEiOiIxaWkrSHdyTWthQWlUdnVCeVRDTzFTZGNKMDBaVks2VGJ5c1l3NStCM3lqQk8yS3hnckY0TjRDMWRmYlNUOGJDSE81ZVdwVGlVRTRXdkd1UWxZREpWYy9vdlVwSE5pdElnY1NNbHh6NVd3WndXQW85M3Q5TEs1V2hNb2RrcDdwakpqV0NScFBnZ0NWNytLeDdYMmVrb0dMRUVhNmdlNk5LSHlrZmhZUDlNRnRIMTVhYTdsM3RBSUtuVkhqYk9KSFhFY3NNRjBxYUVhK2VDWThLVGMyOEdENUpGZXpMbTlwelJ3ci93bWV2d08vdmVRRWlYSWhPR0NkUTRTWjlkeVEyOEVQUXBEYjFTUXBITnd0UXFrSUlWdWc9IiwiaXYiOiJ3Qi9PQ0ErSWpMVkhNL21MIiwid3JhcF90eXBlIjoiQTI1NkdDTSJ9" | base64 -d

Check KBS logs

k logs deploy/kbs | lnav

oss23-demo's People

Contributors

mkulke avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.