Skip to content
This repository was archived by the owner on Feb 1, 2026. It is now read-only.

crd: Expose "UsingNFD" to the CcInstallConfig#243

Draft
fidencio wants to merge 1 commit intoconfidential-containers:mainfrom
fidencio:topic/expose-UsingNFD
Draft

crd: Expose "UsingNFD" to the CcInstallConfig#243
fidencio wants to merge 1 commit intoconfidential-containers:mainfrom
fidencio:topic/expose-UsingNFD

Conversation

@fidencio
Copy link
Member

@fidencio fidencio commented Aug 10, 2023

Let's have a explicit toggle that allows users to specify whether they're relying on NFD or not.

In case they're not relying on NFD, business as usual. In case they are, then the runtime payload will be able to create a specific NodeFeatureRule, adapt the podOverhead of the runtime class, and make sure the keys book-keeping is correctly done.

Right now, on the Kata Containers side of the things, only TDX is capable of doing so, but it's easy to expand in case other TEEs want to do the same.

@fidencio
crd: Expose "UsingNFD" to the CcInstallConfig
5e981bb 
Let's have a explicit toggle that allows users to specify whether
they're relying on NFD or not.

In case they're not relying on NFD, business as usual.  In case they
are, then the runtime payload will be able to create a specific
NodeFeatureRule, adapt the podOverhead of the runtime class, and make
sure the keys book-keeping is correctly done.

Right now, on the Kata Containers side of the things, only TDX is
capable of doing so, but it's easy to expand in case other TEEs want to
do the same.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
@fidencio fidencio linked an issue Aug 10, 2023 that may be closed by this pull request
Detect confidential computing capabilities of the cluster node #24
Open
@fidencio
Copy link
Member Author

fidencio commented Aug 10, 2023

A few notes for the reviewers.

  1. This work depends on a PR that's not yet merged on the Kata Containers side: kata-deploy: Take NFD into consideration kata-containers/kata-containers#7469
  2. I've decided to use an explicit toggle as rules, on the Kata Containers side, were only introduced for TDX
  3. We may hit the case where someone is using NFD, but still may want to have their own rules being used (and then they can manually do it, as they're most likely doing Today)

@fidencio
Copy link
Member Author

fidencio commented Oct 26, 2023

JFYI, this one will be material for the v0.9.0 release, not for this one.
Thanks for the understanding.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jensfr jensfr Awaiting requested review from jensfr

@mythi mythi Awaiting requested review from mythi

@zvonkok zvonkok Awaiting requested review from zvonkok

@bpradipt bpradipt Awaiting requested review from bpradipt

@stevenhorsman stevenhorsman Awaiting requested review from stevenhorsman

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Detect confidential computing capabilities of the cluster node

1 participant

@fidencio