Release Date: May 2nd, 2024
This is our first release based on Kata Containers main, but it is an alpha release that supports only a subset of features.
This release is based on 3.4.0 of Kata Containers and v0.9.0 of enclave-cc.
This release supports pulling images inside of the guest with some caveats but it does not support pulling encrypted or signed images inside the guest. This release supports attestation and includes the guest components in the rootfs, but it does not support any TEE platform. Peer pods is also not supported.
This release was created mainly for development purposes. For a full feature set, consider returning to v0.8.0 or using the next release.
Please see the quickstart guide for details on how to try out Confidential Containers.
Please refer to our Acronyms and Glossary pages for a definition of the acronyms used in this document.
- This release is built from the main branch of Kata Containers.
- Non-tee attestation is now based on a sample attester and verifier rather than on
offline_fs_kbc.- Resources can be dynamically delivered in confidential environments.
- Trustee is integrated into the Kata Containers CI.
- All platforms now share one confidential rootfs.
- All platforms share one confidential guest kernel.
- Image request timeout is configurable to facilitate pulling large images.
- Attestation Agent now supports generic
configfs-tsmABI for collecting evidence. - Enclave-cc moves to unified LibOS bundle for secure rootfs key handling and to the latest Occlum v0.30.1 release that adds SGX EDMM support for dynamically adjusting the enclave size.
- Adoption of a project-wide security reporting protocol
This release does not officially support any hardware platforms. It is mainly intended for testing in non-tee environments. Future releases will return to previous levels of support.
The following are known limitations of this release:
- Nydus snapshotter support is not mature.
- Nydus snapshot sometimes conflicts with existing node configuration.
- You may need to remove existing container images/snapshots before installing Nydus snapshotter.
- Nydus snapshotter may not support pulling one image with multiple runtime handler annotations even across different pods.
- These limitations can apply to the pause image when filesystem passthrough is not enabled.
- Host pulling with Nydus snapshotter is not yet enabled.
- Nydus snapshotter is not supported with enclave-cc.
- Pulling container images inside guest may have negative performance implications including greater resource usage and slower startup.
criosupport is still evolving.- Platform support is rapidly changing
- SELinux is not supported on the host and must be set to permissive if in use.
- The format of encrypted container images is still subject to change
- The oci-crypt container image format itself may still change
- The tools to generate images are not in their final form
- The image format itself is subject to change in upcoming releases
- Not all image repositories support encrypted container images.
- Complete integration with Kubernetes is still in progress.
- OpenShift support is not yet complete.
- Existing APIs do not fully support the CoCo security and threat model. More info
- Some commands accessing confidential data, such as
kubectl exec, may either fail to work, or incorrectly expose information to the host
- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.
- We track our status with the OpenSSF Best Practices Badge, which improved to 75% at the time of this release.
- Community has adopted a security reporting protocol, but application and documentation of static and dynamic analysis still needed.
- Container metadata such as environment variables are not measured.
- Kata Agent does not validate mount requests. A malicious host might be able to mount a shared filesystem into the PodVM.
None