This repository contains the code related to the paper "Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers" accepted to COHERENT 2024. It provides a PoC implementation of an architecture used to enroll edge devices into a Kubernetes cluster after successful attestation.
attesation-operator: The controller that manages the attestation of an edge device.
deploy-edgenode: Helm Chart to deploy an EdgeNode CR to K8s.
deploy-keylime-cloud: An early fork of the keylime operator modified to deploy our custom images to K8s. Forked from this commit.
keylime: Our fork of the keylime repository with our modifications and contributions. Forked from this commit.
A full installation of Feather as a systemd service is required. This software does not install it but only provides it with credentials.
The Keylime Rust agent must be present on the edge device running as a systemd service. Use the agent's config in /etc/keylime/agent.conf on the edge device to point it to the cluster and the exposed ports for the cloud components.
This prototype exposes the cloud components as NodePorts using the following ports:
registrar: 30001
verifier: 30002
You might want to change these depending on the network configuration of your cluster.
A basic kubeconfig must be present on the edge device (/home/user/.kube/kubeconfig) containing cluster information such as CA and IP info. Context and User will be automatically generated.
As our images are modified Keylime images, their tools can be used to build the images. keylime/docker/release/ contains scripts to generate the Dockerfiles and build the images. Make sure to edit build_locally.sh to point to your image repository.
deploy-keylime-cloud contains an early fork of the Keylime operator which at that point only consisted of Helm Charts to deploy the images. Some alterations were made to make this work with our custom images.
Make sure to point the build/values.yaml file to the images in your own repository and manually deploy any secrets required to access them (if they are private).
The images can be deployed using the following commands:
make helm-build
make helm-deploy
Running make help in the root of deploy-keylime-cloud will give an overview of all available make commands.
The controller was created using Kubebuilder as a scaffold and thus follows its deployment steps. Make commands are provided for this.
To install the CRDs for the EdgeNode:
# Generate yamls
make build-installer
# Install yamls
make install
To build and deploy the controller image:
# Create a docker image
make docker-build IMG=<img-name>
# Push the docker image to a configured container registry
make docker-push IMG=<img-name>
# Deploy the controller manager manifests to the cluster.
make deploy
Once all other components are installed a sysadmin can deploy an EdgeNode CR to represent the edge device in the cluster.
Provide the TPM's EK certificate (ekcert) in templates/edgenode.yaml and a Keylime compatible boot log in config.json.
Deploy using Helm:
helm install <some_name> . -n <some_namespace>
The controller will detect the presence of a new device and, as soon as that device contacts the cluster, it will be attested and either welcomed into the cluster or denied access based on its attestation status.