Create a default secret that can be used by the owner as a means to verify the attestation #82

@bpradipt

Description
  1. Create a default K8s secret, trustee-attestation-status, with status=attested as the data.
  2. A client can query the same to verify the attestation state:
     curl -s http://localhost:8006/cdh/resource/default/trustee-attestation-status/status

In CoCo, we use a strict policy to disable exec; however, with the above default secret, we can relax the strict policy to allow only the specific curl command. Example policy:

package agent_policy

import future.keywords.in
import future.keywords.if
import future.keywords.every

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := true
default CreateContainerRequest := true

default SetPolicyRequest := false
default ReadStreamRequest := false
default ExecProcessRequest := false

# Exec stays denied by default; it is allowed only when the requested
# process arguments, joined by single spaces, exactly match an allowlisted command.
ExecProcessRequest if {
    input_command := concat(" ", input.process.Args)
    some allowed_command in policy_data.allowed_commands
    input_command == allowed_command
}

policy_data := {
    "allowed_commands": [
        "curl -s http://localhost:8006/cdh/resource/default/trustee-attestation-status/status"
    ]
}
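To sanity-check what the relaxed ExecProcessRequest rule above actually admits before deploying it, the following added example (not part of the issue or of the Kata agent) mirrors the rule's exact-match semantics in Python and runs it over a few constructed exec requests; the input shape (process.Args as a list of strings) is assumed from the Rego.

```python
"""Offline mirror of the issue's exec allowlist rule (hand-written, not the agent's evaluator).

The Rego allows ExecProcessRequest only when concat(" ", input.process.Args)
equals an entry of policy_data.allowed_commands; everything else falls to default deny.
"""

# Same allowlist as policy_data.allowed_commands in the issue's policy.
ALLOWED_COMMANDS = [
    "curl -s http://localhost:8006/cdh/resource/default/trustee-attestation-status/status",
]


def exec_process_allowed(request: dict, allowed_commands=ALLOWED_COMMANDS) -> bool:
    """Return True iff the request's args, joined by single spaces, exactly match
    an allowlisted command. Malformed input is denied, as the Rego rule would
    simply fail to match and leave the default (false) in place."""
    args = request.get("process", {}).get("Args")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False
    input_command = " ".join(args)  # mirrors concat(" ", input.process.Args)
    return any(input_command == cmd for cmd in allowed_commands)


# Constructed ExecProcessRequest inputs; only the exact argv of the allowlisted
# curl command should pass. Wrapping it in a shell, adding a flag or reading a
# different resource path all produce a different joined string and are denied.
STATUS_URL = "http://localhost:8006/cdh/resource/default/trustee-attestation-status/status"
OTHER_URL = "http://localhost:8006/cdh/resource/default/some-other-secret/key"
SAMPLE_REQUESTS = {
    "exact":      {"process": {"Args": ["curl", "-s", STATUS_URL]}},
    "extra_flag": {"process": {"Args": ["curl", "-s", "-v", STATUS_URL]}},
    "via_shell":  {"process": {"Args": ["sh", "-c", "curl -s " + STATUS_URL]}},
    "other_path": {"process": {"Args": ["curl", "-s", OTHER_URL]}},
    "no_args":    {"process": {}},
}


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Evaluate every sample request; returns {name: allowed?}."""
    return {name: exec_process_allowed(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:11s} -> {'allow' if verdict else 'deny'}")
```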
