
Commit 339ac5b

fix: Azure requirements
Signed-off-by: Chris Butler <[email protected]>
1 parent 0139db9 commit 339ac5b

12 files changed: +138 / -236 lines changed

Makefile

Lines changed: 13 additions & 3 deletions
@@ -1,13 +1,23 @@
11
HOMEPAGE_CONTAINER ?= quay.io/hybridcloudpatterns/homepage-container:latest
2+
UNAME=$(shell uname -s)
23

3-
PODMAN_OPTS ?= -it --security-opt label=disable --pull=newer --net=host
4-
4+
# Can't use host networks on MacOS as it's a VM anyway.
5+
# Also because of the proxy 127.0.0.1 doesn't work as a bind address.
6+
ifeq ($(UNAME), Darwin)
7+
PODMAN_OPTS ?= -it --security-opt label=disable --pull=newer -p 4000:4000
8+
HUGO_SERVER_OPTS = --bind 0.0.0.0
9+
else
10+
PODMAN_OPTS ?= -it --security-opt label=disable --pull=newer --net=host
11+
endif
512
# Do not use selinux labeling when we are using nfs
613
FSTYPE=$(shell df -Th . | grep -v Type | awk '{ print $$2 }')
14+
715
ifeq ($(FSTYPE), nfs)
816
ATTRS = "rw"
917
else ifeq ($(FSTYPE), nfs4)
1018
ATTRS = "rw"
19+
else ifeq ($(UNAME), Darwin)
20+
ATTRS = "rw"
1121
else
1222
ATTRS = "rw,z"
1323
endif
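Review bot: the Darwin branch publishes the dev server on every host interface: `-p 4000:4000` with no host address binds 0.0.0.0 on the Podman machine, and `HUGO_SERVER_OPTS = --bind 0.0.0.0` makes hugo accept connections from outside the container, so a local preview becomes reachable from the LAN. Hugo does need `--bind 0.0.0.0` inside the container for the published port to reach it, but the host side can stay loopback-only with `-p 127.0.0.1:4000:4000`, which still matches the `http://localhost:4000` the serve target prints. The comment "because of the proxy 127.0.0.1 doesn't work as a bind address" would also be clearer if it said that this is about the bind address inside the container, not the host-side publish.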
@@ -30,7 +40,7 @@ build: ## Build the website locally in the public/ folder
3040
.PHONY: serve
3141
serve: ## Build the website locally from a container and serve it
3242
@echo "Serving via container. Browse to http://localhost:4000"
33-
podman run $(PODMAN_OPTS) -v $(PWD):/site:$(ATTRS) --entrypoint hugo $(HOMEPAGE_CONTAINER) server -p 4000
43+
podman run $(PODMAN_OPTS) -v $(PWD):/site:$(ATTRS) --entrypoint hugo $(HOMEPAGE_CONTAINER) server -p 4000 $(HUGO_SERVER_OPTS)
3444

3545
.PHONY: htmltest
3646
htmltest: build ## Runs htmltest against the site to find broken links
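Review bot: `$(HUGO_SERVER_OPTS)` is only assigned in the Darwin branch of the first hunk, so on Linux it expands to nothing here; that works, but it is implicit. A `HUGO_SERVER_OPTS ?=` default next to `PODMAN_OPTS` would document that the variable exists and let a user override it from the environment on any platform, and a short comment on the `serve` line saying why the extra bind flag is needed on macOS would save the next reader a trip to the top of the Makefile.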

content/patterns/coco-pattern/_index.adoc

Lines changed: 38 additions & 6 deletions
@@ -2,30 +2,62 @@
22
title: Confidential Containers pattern
33
date: 2024-10-03
44
tier: sandbox
5-
summary: This pattern helps you get started with deploying confidential containers in OpenShift Container Platform
5+
summary: This pattern helps you get started with deploying confidential containers in OpenShift Container Platform.
66
rh_products:
77
- Red Hat OpenShift Container Platform
88
- Red Hat Advanced Cluster Management
99
- Red Hat OpenShift Sandbox Containers
1010
industries:
1111
- General
1212
aliases: /coco-pattern/
13-
pattern_logo: multicloud-gitops.png
13+
pattern_logo: coco-logo.png
1414
links:
1515
install: coco-getting-started
1616
help: https://groups.google.com/g/validatedpatterns
1717
bugs: https://github.com/validatedpatterns/coco-pattern/issues
18-
repo: https://github.com/validatedpatterns/coco-pattern
19-
2018
---
2119
:toc:
2220
:imagesdir: /images
2321
:_content-type: ASSEMBLY
2422
include::modules/comm-attributes.adoc[]
2523

26-
include::modules/mcg-about-multicloud-gitops.adoc[leveloffset=+1]
24+
= About coco-pattern
25+
26+
Confidential computing is a technology for securing data in use. It uses a https://en.wikipedia.org/wiki/Trusted_execution_environment[Trusted Execution Environment] provided within the hardware of the processor to prevent access from others who have access to the system.
27+
https://confidentialcontainers.org/[Confidential containers] is a project to standardize the consumption of confidential computing by making the security boundary for confidential computing to be a Kubernetes pod. [Kata containers](https://katacontainers.io/) is used to establish the boundary via a shim VM.
28+
29+
This pattern uses https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7/html/user_guide/deploying-on-azure#deploying-cc_azure-cc[Red Hat OpenShift Sandbox Containers] to deploy and configure confidential containers on Microsoft Azure.
30+
31+
It deploys three copies of 'Hello OpenShift' to demonstrate some of the security boundaries that enforced with confidential containers.
32+
33+
== Requirements
34+
35+
- An an azure account with the link:./coco-pattern-azure-requirements/[required access rights]
36+
37+
38+
== Security considerations
39+
40+
**This pattern is a demonstration only and contains configuration that is not best practice**
41+
42+
- The default configuration deploys everything in a single cluster for testing purposes. The https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html[RATS] architecture mandates that the Key Broker Service (e.g. https://github.com/confidential-containers/trustee[Trustee]) is in a trusted security zone.
43+
- The https://github.com/confidential-containers/trustee/tree/main/attestation-service[Attestation Service] has wide open security policies.
44+
45+
== Future work
46+
47+
* Deploying the environment the 'Trusted' environment including the KBS on a separate cluster to the secured workloads
48+
* Deploying to alternative environments supporting confidential computing including bare metal x86 clusters; IBM Cloud; IBM Z
49+
* Finishing the sample AI application
50+
51+
== Architecture
52+
53+
=== Single Cluster
54+
55+
56+
=== Multi-cluster architecture
57+
58+
Work in progress
59+
2760

28-
include::modules/mcg-architecture.adoc[leveloffset=+1]
2961

3062
[id="next-steps_mcg-index"]
3163
== Next steps
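Review bot: the Kata containers sentence uses Markdown link syntax, `[Kata containers](https://katacontainers.io/)`, inside an AsciiDoc file, so it will render literally; the neighbouring links use the AsciiDoc form, e.g. `https://katacontainers.io/[Kata containers]`. Two typos in the same block: "An an azure account" and "security boundaries that enforced"; and the Requirements and Security considerations bullets use `-` while Future work uses `*`. The `[id="next-steps_mcg-index"]` anchor in the trailing context still carries the multicloud-gitops id after the mcg includes were removed, and the `repo:` entry was dropped from `links:` while `bugs:` still points at the same repository; confirm that removal is intentional. The Single Cluster and Multi-cluster architecture sections are empty apart from "Work in progress", so they render as bare headings; a diagram include or one sentence each would avoid that.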

content/patterns/coco-pattern/coco-cluster-sizing.adoc

Lines changed: 0 additions & 26 deletions
This file was deleted.

content/patterns/coco-pattern/coco-demo-script.adoc

Lines changed: 0 additions & 121 deletions
This file was deleted.

content/patterns/coco-pattern/coco-getting-started.adoc

Lines changed: 0 additions & 24 deletions
This file was deleted.

content/patterns/coco-pattern/coco-ideas-for-customization.adoc

Lines changed: 0 additions & 15 deletions
This file was deleted.

content/patterns/coco-pattern/coco-imperative-actions.adoc

Lines changed: 0 additions & 12 deletions
This file was deleted.

content/patterns/coco-pattern/coco-managed-cluster.adoc

Lines changed: 0 additions & 29 deletions
This file was deleted.
