cri-o/oci
Samuel Ortiz 0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
..
container.go oci: Support mixing trusted and untrusted workloads 2017-06-15 10:04:36 +02:00
history.go use an in memory store for containers 2016-09-19 13:11:36 +02:00
memory_store.go oci: more grep'able interface name 2017-04-19 16:12:59 -04:00
oci.go oci: Support mixing trusted and untrusted workloads 2017-06-15 10:04:36 +02:00
store.go oci: more grep'able interface name 2017-04-19 16:12:59 -04:00