-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How do the kata-agent, attestation-agent, and attestation service interact with each other? Is there any sequence diagram or other documents? #478
Comments
I am not sure there is any. But currently kata-agent forks attestation-agent. Attestation-agent connects to KBS via RCAR handshake protocol. Attestation-service is behind KBS. There is some code you can refer to kata-agent forks attestation-agent (AA): https://github.com/kata-containers/kata-containers/blob/main/src/agent/src/main.rs#L420 |
We have this diagram in the docs, but it doesn't include the Kata Agent. We should maybe add a similar diagram to the guest-components repo. |
As I started creating sequence diagrams, I'm sharing them as mermaid diagrams: Encryption and Distribution by Algorithm Provider sequenceDiagram
actor U as Algorithm Provider
participant S as skopeo
participant DR as Docker Registry
participant KP as coco-keyprovider
participant KBS as Key Broker<br/>Service (KBS)
# autonumber
U->>S: request encryption of Docker image
activate S
S->>DR: pull unencrypted Docker image
activate DR
DR-->>S: return
deactivate DR
S->>KP: ?
activate KP
KP->>KBS: ?
activate KBS
KBS-->>KP: ?
deactivate KBS
KP-->>S: ?
deactivate KP
S->>DR: upload encrypted Docker image
deactivate S
Execute Encrypted Image on Host System sequenceDiagram
actor U as User
participant K as Kubernetes
participant DR as Docker Registry
box transparent Trusted Execution Environment (TEE)
participant KA as Kata Agent
participant AA as Attestation Agent<br/>(AA)
end
participant KBS as Key Broker<br/>Service (KBS)
participant AS as Attestation<br/>Service (AS)
participant RVPS as Reference Value<br/>Provider Service<br/>(RVPS)
# autonumber
U->>K: apply service/job<br/>definition
activate K
K->>DR: pull encrypted<br/>Docker image
activate DR
DR-->>K: return
deactivate DR
K->>KA:
deactivate K
activate KA
KA->>AA: fork
activate AA
AA-->>KA: return
AA->>KBS: initial request
activate KBS
KBS->>AA: challenge and<br/>session identifier
deactivate KBS
AA->>AA: generate ephemeral<br/>public key via TEE
AA->>KBS: attestation evidence
activate KBS
KBS->>AS: verify TEE evidence
activate AS
AS->>RVPS: request reference<br/>values
activate RVPS
RVPS-->>AS: provide reference<br/>values
deactivate RVPS
AS-->>KBS: verification result
deactivate AS
KBS-->>AA: request approval<br/>(flattened JWE)
deactivate KBS
AA-->>KA: return
deactivate AA
KA->>KA: decrypt decryption<br/>key using TEE's<br/>private key
KA->>KA: decrypt Docker image
KA->>KA: execute workload
deactivate KA
U->>+K: view pod state
K-->-U: return
Please provide feedback/corrections/additions and I will update these diagrams. |
Good diagrams. A few random comments:
|
How do the kata-agent, attestation-agent, and attestation service interact with each other? Is there any sequence diagram or other documents?
The text was updated successfully, but these errors were encountered: