Verifying the contract

You can verify the contract by deploying a sample workload in the IBM Hyper Protect Confidential Container.

This step must be performed by the Data Owner.

Assumptions

  • For demonstration purposes, the BusyBox workload is used to create and verify the contract.

Procedure

When verifying the contract in your workload, you can deploy the workload with either the initdata annotation or the GLOBAL initdata. These annotations are used to mark data that is only required during the initialization phase of the container or kernel module. When the workload does not specify the initdata annotation, it uses the GLOBAL initdata defined in the peer-pods-cm config map.

  • InitData: Marks data as temporary and places it in a special memory section (.init.data) that is discarded after initialization. This helps reduce the memory footprint of the workload.
  • GLOBAL initdata: Similar to initdata, but the data is globally visible across modules or files during initialization. It is also discarded post-init.

Using these annotations ensures that sensitive or temporary data used for contract verification does not persist beyond the initialization phase, aligning with the security and efficiency goals of confidential computing.

  1. Deploy a sample workload.
    • For the workload with the initdata annotation, make sure to include the following annotation section under the pod's metadata in the workload.

      annotations:
        io.katacontainers.config.runtime.cc_init_data: ${initdata_annotation}

      The sample workload varies for different contracts. Based on the contract created, deploy the required workload from the following sections:

      • The sample workload that must be deployed to verify the basic contract is as follows:
        cat << EOF > busybox.yaml
        apiVersion: v1
        kind: Pod
        metadata:
          labels:
            run: busybox
          name: busybox
          namespace: default
          annotations:
            io.katacontainers.config.runtime.cc_init_data: ${initdata_annotation}
        spec:
          containers:
          - image: quay.io/prometheus/busybox
            name: busybox
          restartPolicy: Never
          runtimeClassName: kata-remote
        EOF
      • The sample workload that must be deployed to verify the contract with the sealed secret is as follows:
        cat << EOF > busybox.yaml
        apiVersion: v1
        kind: Pod
        metadata:
          labels:
            run: busybox
          name: busybox
          namespace: default
          annotations:
            io.katacontainers.config.runtime.cc_init_data: ${initdata_annotation}
        spec:
          containers:
          - image: quay.io/prometheus/busybox
            name: busybox
            volumeMounts:
            - mountPath: /tmp
              name: spoiler
          restartPolicy: Never
          runtimeClassName: kata-remote
          volumes:
          - name: spoiler
            secret:
              secretName: spoiler
        EOF
      • The sample workload that must be deployed to verify the contract with cosign verified container images is as follows:
        cat << EOF > busybox.yaml
        apiVersion: v1
        kind: Pod
        metadata:
          name: busybox
          namespace:
          labels:
            run: busybox
          annotations:
            io.katacontainers.config.runtime.cc_init_data: ${initdata_annotation}
        spec:
          runtimeClassName: kata-remote
          restartPolicy: Never
          containers:
          - name: busybox
            image: quay.io/<username>/busybox:latest
        EOF
    • For the workload with GLOBAL initdata, perform the following steps:
      1. Update the peer-pods-cm config map by running the following command:
        oc patch cm peer-pods-cm -n openshift-sandboxed-containers-operator -p='{"data": {"INITDATA": "'"$initdata_annotation"'"}}'
      2. Deploy a sample workload. The sample workload varies for different contracts. Based on the contract created, deploy the required workload from the following sections:
        1. The sample workload that must be deployed to verify the basic contract is as follows:
          cat << EOF > busybox.yaml
          apiVersion: v1
          kind: Pod
          metadata:
            labels:
              run: busybox
            name: busybox
            namespace: default
          spec:
            containers:
            - image: quay.io/prometheus/busybox
              name: busybox
            restartPolicy: Never
            runtimeClassName: kata-remote
          EOF
        2. The sample workload that must be deployed to verify the contract with the sealed secret is as follows:
          cat << EOF > busybox.yaml
          apiVersion: v1
          kind: Pod
          metadata:
            labels:
              run: busybox
            name: busybox
            namespace: default
          spec:
            containers:
            - image: quay.io/prometheus/busybox
              name: busybox
              volumeMounts:
              - mountPath: /tmp
                name: spoiler
            restartPolicy: Never
            runtimeClassName: kata-remote
            volumes:
            - name: spoiler
              secret:
                secretName: spoiler
          EOF
        3. The sample workload that must be deployed to verify the contract with cosign verified container images is as follows:
          cat << EOF > busybox.yaml
          apiVersion: v1
          kind: Pod
          metadata:
            name: busybox
            namespace:
            labels:
              run: busybox
          spec:
            runtimeClassName: kata-remote
            restartPolicy: Never
            containers:
            - name: busybox
              image: quay.io/<username>/busybox:latest
          EOF
  2. Create the pod by running the following command:
    oc create -f busybox.yaml
  3. Check if BusyBox is running by running the following command:
    oc get pods | grep busybox
    Example output
    busybox   1/1     Running   0          101s
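As an added example (not from the IBM documentation), the shell functions below render the BusyBox manifest for each contract type in the procedure above and turn the `oc get pods` check into a poll with a timeout. The contract-type names, the `default` namespace and the default image are assumptions made for the example.

```shell
# Added example (not from the IBM documentation): render the BusyBox manifest
# for a contract type and check the pod status, the way the steps above do.
# Contract types: basic | sealed-secret | cosign. Default image is assumed.
set -eu

# Print the pod manifest. With a non-empty initdata value the per-pod
# annotation is set; with an empty one the pod relies on GLOBAL initdata.
render_busybox_manifest() {
  contract="$1"; initdata="${2:-}"; image="${3:-quay.io/prometheus/busybox}"
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: busybox\n'
  printf '  namespace: default\n  labels:\n    run: busybox\n'
  if [ -n "$initdata" ]; then
    printf '  annotations:\n    io.katacontainers.config.runtime.cc_init_data: %s\n' "$initdata"
  fi
  printf 'spec:\n  runtimeClassName: kata-remote\n  restartPolicy: Never\n'
  printf '  containers:\n  - name: busybox\n    image: %s\n' "$image"
  if [ "$contract" = "sealed-secret" ]; then
    printf '    volumeMounts:\n    - mountPath: /tmp\n      name: spoiler\n'
    printf '  volumes:\n  - name: spoiler\n    secret:\n      secretName: spoiler\n'
  fi
}

# Return 0 when one line of `oc get pods` output shows every container ready
# (READY is n/n) and STATUS is Running; any other phase counts as not ready.
pod_line_running() {
  set -- $1
  ready="${2:-0/1}"
  [ "${3:-}" = "Running" ] && [ "${ready%/*}" = "${ready#*/}" ]
}

# Poll the cluster until the pod is Running or the timeout (seconds) elapses.
# Needs a logged-in `oc`; not exercised offline.
wait_for_running() {
  pod="$1"; timeout="${2:-300}"; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    line=$(oc get pods --no-headers 2>/dev/null | grep "^$pod " || true)
    if [ -n "$line" ] && pod_line_running "$line"; then return 0; fi
    sleep 5; elapsed=$((elapsed + 5))
  done
  echo "pod $pod did not reach Running within ${timeout}s" >&2
  return 1
}

# Usage on a cluster, for example:
#   render_busybox_manifest sealed-secret "$initdata_annotation" > busybox.yaml
#   oc create -f busybox.yaml && wait_for_running busybox
```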