[Proposal] IMA (Integrity Measurement Architecture) support in Kubernetes pods and containers

Asier Gutierrez

Nov 23, 2022, 2:14:59 AM
to kubernetes-sig-node

Hi there,

We are working on a set of patches for the Linux kernel that will enable the use of virtual TPMs inside containers. The goal is to be able to verify the integrity of files inside containers.

We would like to use this feature in Kubernetes. We are working on some experimental changes in containerd, CRI API and OCI API.

We'd like to hear your thoughts. Would this feature be useful? If we see good feedback, we will start working on a KEP.

Cheers,

Asier

Sergey Kanzhelev

Jan 24, 2023, 3:46:24 PM
to kubernetes-sig-node
Discussed today at SIG Node meeting.

The feedback was that the feature looks interesting and promising, but it needs to be worked out from kernel up the stack.
