@lmilleri lmilleri commented Oct 2, 2025

Resource/attestation policy changes
Attestation policy VolumeMount now includes subpath to allow writing on container r/o filesystem

@lmilleri lmilleri force-pushed the trustee-v0.15.0 branch 2 times, most recently from 3271c3d to a6825e0 Compare October 2, 2025 10:59
@lmilleri lmilleri marked this pull request as ready for review October 2, 2025 11:07
@lmilleri lmilleri requested a review from a team as a code owner October 2, 2025 11:07
lmilleri commented Oct 2, 2025

@fitzthum @bpradipt PTAL, in particular the policy changes introduced for trustee v0.15.0
@Jakob-Naucke it fixes the attestation policy r/o issue

@fitzthum fitzthum left a comment

A few notes about the resource policy.

You might want to check out how the built-in affirming policy has changed in Trustee. It now checks every submod rather than just cpu or cpu0.

    allow {
        input["submods"]["cpu"]["ear.status"] != "contraindicated"
        not input["submods"]["cpu0"]["ear.veraison.annotated-evidence"]["sample"]
    }
Member

These policies mean different things.

Member Author

Yes, you're right. Even though the policy is provided here as a sample, better to provide a better one.
What about this?

    package policy
    import rego.v1

    default allow = false

    allow if {
        not any_not_affirming
        count(input.submods) > 0
    }

    any_not_affirming if {
        some _, submod in input.submods
        submod["ear.status"] != "affirming"
    }

Member

That's a good policy. It does still have a different meaning than the original one which simply checks if the CPU has a certain type. Actually that policy is still valid today.
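The difference the two comments above are discussing, as an added example that is not code from this PR or from Trustee: a Python model of both Rego policies (the original cpu/cpu0 sample and the every-submod proposal), evaluated over constructed EAR-shaped inputs so the inputs on which their verdicts diverge are visible. Rego's undefined value is modelled as None, and the submod names and statuses in CASES are assumptions.

```python
# Model of the two Rego policies from the thread; Rego "undefined" is modelled as None.

def _get(obj, *keys):
    """Walk nested dict keys; return None wherever Rego would be undefined."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def allow_cpu_only(inp: dict) -> bool:
    """Model of the original sample policy: looks only at submods cpu / cpu0."""
    status = _get(inp, "submods", "cpu", "ear.status")
    if status is None:  # comparing an undefined value makes the rule body fail
        return False
    sample = _get(inp, "submods", "cpu0", "ear.veraison.annotated-evidence", "sample")
    # `not x` succeeds only when x is undefined or false
    return status != "contraindicated" and (sample is None or sample is False)

def allow_all_affirming(inp: dict) -> bool:
    """Model of the proposed policy: at least one submod, and every one 'affirming'."""
    submods = _get(inp, "submods")
    if not isinstance(submods, dict) or len(submods) == 0:
        return False
    for submod in submods.values():
        status = _get(submod, "ear.status")
        # caveat: a submod with no ear.status never satisfies `!= "affirming"`
        # in Rego, so it does not block allow under this policy either
        if status is not None and status != "affirming":
            return False
    return True

# Constructed inputs in the shape the policies index (not real attestation results)
CASES = {
    "all affirming": {"submods": {"cpu": {"ear.status": "affirming"}}},
    "cpu affirming, gpu0 contraindicated": {"submods": {
        "cpu": {"ear.status": "affirming"}, "gpu0": {"ear.status": "contraindicated"}}},
    "cpu warning": {"submods": {"cpu": {"ear.status": "warning"}}},
    "only cpu0 affirming": {"submods": {"cpu0": {"ear.status": "affirming"}}},
    "cpu0 carries sample evidence": {"submods": {
        "cpu": {"ear.status": "affirming"},
        "cpu0": {"ear.status": "affirming",
                 "ear.veraison.annotated-evidence": {"sample": True}}}},
}

def compare(inp: dict) -> tuple:
    """(verdict of the cpu-only sample, verdict of the all-submods policy)."""
    return allow_cpu_only(inp), allow_all_affirming(inp)
```

Running compare over CASES shows the sample policy still allowing when a non-cpu submod is contraindicated or the cpu is only "warning", and the proposed policy allowing when cpu0 alone reports or when cpu0 carries sample evidence.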

Resource/attestation policy changes
Attestation policy VolumeMount now includes subpath to allow writing on r/o filesystem

Signed-off-by: Leonardo Milleri <[email protected]>
@fitzthum fitzthum left a comment

Changes seem good.

@lmilleri lmilleri merged commit 9bc4a45 into confidential-containers:main Oct 9, 2025
5 checks passed