File: keps/sig-node/3702-ima-namespace-support/README.md
Lines changed: 20 additions & 17 deletions
@@ -95,9 +95,7 @@ This can be achieved using IMA (Integrity Measurement Architecture) and EVM (Ext
95
95
96
96
## Proposal
97
97
<!-- We propose to enable IMA linux namespaces in pods.
98
-
99
98
Since IMA namespaces can be created when a container is launched, we can provide transparent integrity verification on any linux container.
100
-
101
99
IMA and EVM can use a TPM chip as a hardware root of trust. Hence we can verify images against a set of golden hash values, as well as avoiding any further changes to the overlayfs to intercept calls and check the integrity of files. -->
102
100
103
101
### User Stories (Optional)
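Review bot: after this hunk the Proposal section still renders empty, because its only body (new lines 97 to 99) sits entirely inside an HTML comment; dropping the two blank lines tidies the comment but the reader of the KEP sees a bare `## Proposal` heading followed directly by `### User Stories (Optional)`. Either uncomment the text or add a short visible statement, e.g. `We propose to enable IMA linux namespaces in pods.` If the text is uncommented, the last sentence should say which IMA function is meant: "verify images against a set of golden hash values" describes appraisal against reference values, while "use a TPM chip as a hardware root of trust" describes measurement into the TPM, and the comparison with intercepting overlayfs calls only holds once that is stated.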
@@ -140,38 +138,41 @@ The linux kernel IMA namespace support is based on user namespaces. Therefore, t
140
138
141
139
Should we enable IMA namespaces by default when enabling user namespaces?
142
140
143
-
144
141
There will be a CRI API change which will allow the pod to use IMA namespaces and specify the namespace policy.
145
142
146
-
147
-
148
143
### Linux kernel
149
144
150
-
151
-
152
145
IMA is only available in Linux hosts and Linux containers. Unfortunately, IMA is not a separate namespace, which is needed in order to isolate it and be used inside containers. Upcoming kernel patches should add support for IMA namespaces.
153
146
154
-
155
147
156
148
### Runtime specification
157
149
158
150
There is an ongoing discussion regarding the runtime changes.
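Review bot: the CRI change on new line 141 is asserted but never specified, and it is the security-relevant part of this hunk: if the pod can "specify the namespace policy", the IMA policy becomes workload-controlled, so the text should state where that policy is validated (kubelet, runtime, or admission) and whether a pod may select a weaker policy than the host enforces. The question on new line 138 about enabling IMA namespaces by default together with user namespaces should either get a tentative answer or be tracked in a dedicated open-questions list, since the Linux kernel subsection right below still says namespace support is in "upcoming kernel patches", i.e. default-on would be gated on a kernel feature that does not yet exist. That sentence should also link the patch series it refers to so reviewers can check which kernel version the design targets.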