pod-quote: add per pod quote server to quote server of CCNP (#158)

* add per pod quote server to quote server of ccnp * fix cargo checking error * fix the cargo environment for CI pipeline task failed
intel · Jan 20, 2024 · 9993d00 · 9993d00
1 parent 9ffaa7e
commit 9993d00
Show file tree

Hide file tree

Showing 12 changed files with 1,381 additions and 0 deletions.
diff --git a/container/pod-quote/Dockerfile b/container/pod-quote/Dockerfile
@@ -0,0 +1,30 @@
+FROM rust:1.74.0 as pod-quote-builder
+
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    curl \
+    make \
+    libprotobuf-dev \
+    protobuf-compiler \
+    musl-dev \
+    wget \
+    libssl-dev \
+    pkg-config
+
+WORKDIR /app
+
+COPY . .
+
+COPY service/pod-quote /pod-quote
+
+RUN cd /pod-quote && make build
+
+FROM rust:1.74.0
+
+WORKDIR /app
+COPY --from=pod-quote-builder /pod-quote/target/release/pod_quote /app/pod_quote
+
+RUN chmod a+x /app/pod_quote
+
+# Run the sleep command for demonstration purposes
+CMD ["/app/pod_quote"]
diff --git a/deployment/manifests/pod-quote-deployment.yaml b/deployment/manifests/pod-quote-deployment.yaml
@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ccnp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-reader
+  namespace: ccnp
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"] # Adjust the verbs as needed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-pods
+  namespace: ccnp
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: ccnp
+roleRef:
+  kind: Role
+  name: pod-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sleep-qs-pod
+  namespace: ccnp
+  labels:
+    app: sleep-qs-pod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sleep-qs-pod
+  template:
+    metadata:
+      labels:
+        app: sleep-qs-pod
+    spec:
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: sleep-container
+        image: curlimages/curl 
+        imagePullPolicy: IfNotPresent
+        command: ["/bin/sleep", "infinity"]
+      - name: pod-quote
+        image: docker.io/library/ccnp-pod-quote:0.1
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        resources:
+          limits:
+            tdx.intel.com/tdx-guest: 1
+        volumeMounts:
+          - name: podinfo
+            mountPath: /etc/podinfo
+      nodeSelector:
+        intel.feature.node.kubernetes.io/tdx-guest: "enabled"
+      volumes:
+        - name: podinfo
+          downwardAPI:
+            items:
+              - path: "label"
+                fieldRef:
+                  fieldPath: metadata.labels
diff --git a/service/pod-quote/Cargo.toml b/service/pod-quote/Cargo.toml
@@ -0,0 +1,37 @@
+[package]
+name = "pod_quote"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]] # Bin to run the quote server
+name = "pod_quote"
+path = "src/pod_quote.rs"
+
+[dependencies]
+tonic = "0.9"
+prost = "0.11"
+tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
+tokio-stream = "0.1.14"
+anyhow = "1.0"
+async-trait = "0.1.56"
+base64 = "0.13.0"
+log = "0.4.14"
+serde_json = "1.0"
+sha2 = "0.10"
+clap = { version = "4.0.29", features = ["derive"] }
+tonic-reflection = "0.9.2"
+tonic-health = "0.9.2"
+nix = "0.26.2"
+tdx_attest = "0.1.1"
+kube = { version = "0.74.0", features = ["runtime", "derive"] }
+k8s-openapi = { version = "0.15.0", features = ["v1_24"] }
+crypto-hash = "0.3.3"
+async-std = "1.8"
+hyper = { version ="0.14.27" }
+
+[dev-dependencies]
+tower = { version = "0.4", features = ["util"] }
+serial_test = { version ="2.0.0" }
+
+[build-dependencies]
+tonic-build = "0.9"
diff --git a/service/pod-quote/Makefile b/service/pod-quote/Makefile
@@ -0,0 +1,40 @@
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: Apache-2.0
+
+PROJDIR := $(shell readlink -f ..)
+TOP_DIR := .
+CUR_DIR := $(shell pwd)
+PREFIX :=
+DESTDIR ?= $(PREFIX)/bin
+
+DEBUG ?=
+
+TARGET_DIR := target
+BIN_NAME := pod_quote
+
+CARGO := /usr/local/cargo/bin/cargo
+
+ifdef DEBUG
+    release :=
+    TARGET_DIR := $(TARGET_DIR)/debug
+else
+    release := --release
+    TARGET_DIR := $(TARGET_DIR)/release
+endif
+
+TARGET := $(TARGET_DIR)/$(BIN_NAME)
+
+test:
+	$(CARGO) test
+
+build:
+	$(CARGO) build $(release)
+
+install:
+	install -D -m0755 $(TARGET) $(DESTDIR)
+
+uninstall:
+	rm -f $(DESTDIR)/$(BIN_NAME)
+
+clean:
+	$(CARGO) clean
diff --git a/service/pod-quote/README.md b/service/pod-quote/README.md
@@ -0,0 +1,68 @@
+# Service: CCNP Pod Quote
+
+This service will provide quote generated by underlying TEE platform for remote attestation service to verify the integrity and confidentiality of the trusted computing environment and required software environment.
+
+## Introduction
+
+This server provides functionality to fetch quote of underlying TEE platform with nonce as mandatory input and a base64 encoded user data as optional input.The nonce and user data will be digested and added into quote for remote attestation to verify the freshness of the quote and the user specified data. And it also provides a HTTP REST API for fetching the quote data of current pod which is based on the image IDs of each container in Kubernetes cluster.
+
+## Installation
+The pod quote service can be deployed as a sidecar according to different user scenarios.
+
+### Prerequisite
+User need to have a kubernetes cluster ready to deploy the services. To simplify the deployment process, we provide Helm as one of the options to deploy the service. Please install Helm by following the [Helm official guide](https://helm.sh/docs/intro/install/). However, user can also use the yaml files located in the manifests folder for deployment.
+Also, the ccnp device plugin need to installed before the installation of quote server. Please refer to its [deployment guide](../../device-plugin/ccnp-device-plugin/README.md) for installation.
+
+### Build docker image
+The Dockerfile for the service can be found under `container/quote-server` directory. Use the following command to build the image:
+
+```
+docker build -t ccnp-pod-quote:0.1 -f container/pod-quote/Dockerfile .
+```
+
+> Note: if you are using containerd as the default runtime for kubernetes, don't forget to use the following commands to import the image into containerd first:
+```
+docker save -o ccnp-pod-quote.tar ccnp-pod-quote:0.1
+ctr -n=k8s.io image import ccnp-pod-quote.tar
+```
+
+### Deploy as DaemonSet in Kubernetes
+
+#### deploy using manifests yaml file
+
+please check file `deployment/manifests/pod-quote-deployment.yaml` to confirm the container image to use and run:
+```
+kubectl apply -f deployment/manifests/pod-quote-deployment.yaml
+```
+
+## Testing
+You can play with service on host by following the steps below:
+
+1. Start the pod quote service
+
+```
+root@tdx-guest:~# ls -l /run/ccnp/
+total 0
+drwxr-xrwx 2 root root 60 Sep  1 05:05 uds
+```
+
+And then build and run the quote server with binary:
+```
+cd service/pod-quote
+make build
+./target/release/pod-quote
+```
+2. Play with the service
+Provide a HTTP API for fetching the quote data in `localhost:3000/quote`
+
+Get quote from the TDX platform:
+```
+curl -s http://localhost:3000/quote
+```
+
+and the output should be as bellow:
+```
+{
+ "BAACAIEAAAAAAAAAk5pyM/ecTKmUCg2zlX8GB6P8pz1eLkNLuYzlFq7gmQ4AAAAABAAGAAAAAAAAAAAAAAAAAEj6aZSdsIAC7oQlKEf1cpiLHW5WjsE1P2TLbA/ZBTdfaa2VnA6vd0escKOSeJMCoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAADnAgYAAAAAAKSgAzRsWhmm/SUEcehyvQcdjJLXQxq9pGNBeAihc4OqDUKYeBS8kvX1nGBEtnf1FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO8sw2a5sIgf6+MgszlJcgpq4sP0tqpfKTspZny2PWPOYiJbt1aPe1rpeqDtoa+NreW8yD5Jj8ypKTGA+WfwPH77+negDf9ZWNeonsxRtNtsLoUabMeutZ+xSCbs5gUWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO+/PqJMpmXxEfoJELnxuPmAbw69VjN9ZQQqe3NjVd72ql13C43JW093ytpa7ipkSR7msIelxHz9nmDTkSucmGPMEAAA0doq0wnfzK1RM8LVMVECwOpiI5ePJkQ7KClggtiBrCrBhE6p3ECY4SUVhWET733tRdTwhkH3JNCkvTIRGeXE3SY1oRIxb7dVmrMVrWdmmfldJoB8RvpN7HOs/g788NOgFoemd5F95mGdNVJ3v0ppPvgJQ5ryby6SOYHAsL25dbkGAEYQAAAGBhMVA/8ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVAAAAAAAAAOcAAAAAAAAAOWseNYAkJ5SHxHr5xWG93BUlhjmq0t2vdgCQ70Y/C4QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANyeKnxvlI8XR040p/xD7QMPfBVj8bq932NAyC4OVKjFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOYzIRlhSwSQeVYIlVCCAgcDb+K5pY0hOxqAEm1vN5p/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACXrF4+4CGy/IYdLV5k30DF9yMXwa6zYhBz8QproGhnTZPTIEXSIJLkzgEx9OaFrepQWCu+wbggzJVLqv9hg6a5IAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHwUAXg4AAC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlFOERDQ0JKYWdBd0lCQWdJVWR2clZDNnpJTFRvbGI0ZEt5RGhsbFlaUEc1RXdDZ1lJS29aSXpqMEVBd0l3CmNERWlNQ0FHQTFVRUF3d1pTVzUwWld3Z1UwZFlJRkJEU3lCUWJHRjBabTl5YlNCRFFURWFNQmdHQTFVRUNnd1IKU1c1MFpXd2dRMjl5Y0c5eVlYUnBiMjR4RkRBU0JnTlZCQWNNQzFOaGJuUmhJRU5zWVhKaE1Rc3dDUVlEVlFRSQpEQUpEUVRFTE1Ba0dBMVVFQmhNQ1ZWTXdIaGNOTWpNd05URTJNRGd5TXpJd1doY05NekF3TlRFMk1EZ3lNekl3CldqQndNU0l3SUFZRFZRUUREQmxKYm5SbGJDQlRSMWdnVUVOTElFTmxjblJwWm1sallYUmxNUm93R0FZRFZRUUsKREJGSmJuUmxiQ0JEYjNKd2IzSmhkR2x2YmpFVU1CSUdBMVVFQnd3TFUyRnVkR0VnUTJ4aGNtRXhDekFKQmdOVgpCQWdNQWtOQk1Rc3dDUVlEVlFRR0V3SlZVekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCUHZQClNtKzJtU1R2TzE0RkhpOXd3K05qYUhzazhyVHFQQ0xEMDZ3MmtJVE9yb0RYSmN5NDBMbHRZemFBZ3JXR2FsWFoKTy9GY3cxc0padDZZdFNRVHlyU2pnZ01NTUlJRENEQWZCZ05WSFNNRUdEQVdnQlNWYjEzTnZSdmg2VUJKeWRUMApNODRCVnd2ZVZEQnJCZ05WSFI4RVpEQmlNR0NnWHFCY2hscG9kSFJ3Y3pvdkwyRndhUzUwY25WemRHVmtjMlZ5CmRtbGpaWE11YVc1MFpXd3VZMjl0TDNObmVDOWpaWEowYVdacFkyRjBhVzl1TDNZMEwzQmphMk55YkQ5allUMXcKYkdGMFptOXliU1psYm1OdlpHbHVaejFrWlhJd0hRWURWUjBPQkJZRUZEUGs4eit4L0JtVkw5UDVJTkRaNlhlUwpTOHR4TUE0R0ExVWREd0VCL3dRRUF3SUd3REFNQmdOVkhSTUJBZjhFQWpBQU1JSUNPUVlKS29aSWh2aE5BUTBCCkJJSUNLakNDQWlZd0hnWUtLb1pJaHZoTkFRMEJBUVFRUGYyUXdCNHRTYzhyRmxvZGJJQzlCVENDQVdNR0NpcUcKU0liNFRRRU5BUUl3Z2dGVE1CQUdDeXFHU0liNFRRRU5BUUlCQWdFRk1CQUdDeXFHU0liNFRRRU5BUUlDQWdFRgpNQkFHQ3lxR1NJYjRUUUVOQVFJREFnRUNNQkFHQ3lxR1NJYjRUUUVOQVFJRUFnRUNNQkFHQ3lxR1NJYjRUUUVOCkFRSUZBZ0VETUJBR0N5cUdTSWI0VFFFTkFRSUdBZ0VCTUJBR0N5cUdTSWI0VFFFTkFRSUhBZ0VBTUJBR0N5cUcKU0liNFRRRU5BUUlJQWdFRE1CQUdDeXFHU0liNFRRRU5BUUlKQWdFQU1CQUdDeXFHU0liNFRRRU5BUUlLQWdFQQpNQkFHQ3lxR1NJYjRUUUVOQVFJTEFnRUFNQkFHQ3lxR1NJYjRUUUVOQVFJTUFnRUFNQkFHQ3lxR1NJYjRUUUVOCkFRSU5BZ0VBTUJBR0N5cUdTSWI0VFFFTkFRSU9BZ0VBTUJBR0N5cUdTSWI0VFFFTkFRSVBBZ0VBTUJBR0N5cUcKU0liNFRRRU5BUUlRQWdFQU1CQUdDeXFHU0liNFRRRU5BUUlSQWdFTE1COEdDeXFHU0liNFRRRU5BUUlTQkJBRgpCUUlDQXdFQUF3QUFBQUFBQUFBQU1CQUdDaXFHU0liNFRRRU5BUU1FQWdBQU1CUUdDaXFHU0liNFRRRU5BUVFFCkJnQ0Fid1VBQURBUEJnb3Foa2lHK0UwQkRRRUZDZ0VCTUI0R0NpcUdTSWI0VFFFTkFRWUVFQUxFbzJLdDd4d3QKNmhQZGdZekRNMFl3UkFZS0tvWklodmhOQVEwQkJ6QTJNQkFHQ3lxR1NJYjRUUUVOQVFjQkFRSC9NQkFHQ3lxRwpTSWI0VFFFTkFRY0NBUUVBTUJBR0N5cUdTSWI0VFFFTkFRY0RBUUgvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDCklBTURNUDNSaUJOYVpuM2NLUjducFVxNDFkTm1HNzIzZlFYcWlJVTU0U09KQWlFQSsrZW9Ta1ZOa2NnbERLZncKaDNDbGx6UzNway9hSGhYNjZDUjc1TllJanpnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlDbGpDQ0FqMmdBd0lCQWdJVkFKVnZYYzI5RytIcFFFbkoxUFF6emdGWEM5NVVNQW9HQ0NxR1NNNDlCQU1DCk1HZ3hHakFZQmdOVkJBTU1FVWx1ZEdWc0lGTkhXQ0JTYjI5MElFTkJNUm93R0FZRFZRUUtEQkZKYm5SbGJDQkQKYjNKd2IzSmhkR2x2YmpFVU1CSUdBMVVFQnd3TFUyRnVkR0VnUTJ4aGNtRXhDekFKQmdOVkJBZ01Ba05CTVFzdwpDUVlEVlFRR0V3SlZVekFlRncweE9EQTFNakV4TURVd01UQmFGdzB6TXpBMU1qRXhNRFV3TVRCYU1IQXhJakFnCkJnTlZCQU1NR1VsdWRHVnNJRk5IV0NCUVEwc2dVR3hoZEdadmNtMGdRMEV4R2pBWUJnTlZCQW9NRVVsdWRHVnMKSUVOdmNuQnZjbUYwYVc5dU1SUXdFZ1lEVlFRSERBdFRZVzUwWVNCRGJHRnlZVEVMTUFrR0ExVUVDQXdDUTBFeApDekFKQmdOVkJBWVRBbFZUTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFTlNCLzd0MjFsWFNPCjJDdXpweHc3NGVKQjcyRXlER2dXNXJYQ3R4MnRWVExxNmhLazZ6K1VpUlpDbnFSN3BzT3ZncUZlU3hsbVRsSmwKZVRtaTJXWXozcU9CdXpDQnVEQWZCZ05WSFNNRUdEQVdnQlFpWlF6V1dwMDBpZk9EdEpWU3YxQWJPU2NHckRCUwpCZ05WSFI4RVN6QkpNRWVnUmFCRGhrRm9kSFJ3Y3pvdkwyTmxjblJwWm1sallYUmxjeTUwY25WemRHVmtjMlZ5CmRtbGpaWE11YVc1MFpXd3VZMjl0TDBsdWRHVnNVMGRZVW05dmRFTkJMbVJsY2pBZEJnTlZIUTRFRmdRVWxXOWQKemIwYjRlbEFTY25VOURQT0FWY0wzbFF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQgpBZjhDQVFBd0NnWUlLb1pJemowRUF3SURSd0F3UkFJZ1hzVmtpMHcraTZWWUdXM1VGLzIydWFYZTBZSkRqMVVlCm5BK1RqRDFhaTVjQ0lDWWIxU0FtRDV4a2ZUVnB2bzRVb3lpU1l4ckRXTG1VUjRDSTlOS3lmUE4rCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNqekNDQWpTZ0F3SUJBZ0lVSW1VTTFscWROSW56ZzdTVlVyOVFHemtuQnF3d0NnWUlLb1pJemowRUF3SXcKYURFYU1CZ0dBMVVFQXd3UlNXNTBaV3dnVTBkWUlGSnZiM1FnUTBFeEdqQVlCZ05WQkFvTUVVbHVkR1ZzSUVOdgpjbkJ2Y21GMGFXOXVNUlF3RWdZRFZRUUhEQXRUWVc1MFlTQkRiR0Z5WVRFTE1Ba0dBMVVFQ0F3Q1EwRXhDekFKCkJnTlZCQVlUQWxWVE1CNFhEVEU0TURVeU1URXdORFV4TUZvWERUUTVNVEl6TVRJek5UazFPVm93YURFYU1CZ0cKQTFVRUF3d1JTVzUwWld3Z1UwZFlJRkp2YjNRZ1EwRXhHakFZQmdOVkJBb01FVWx1ZEdWc0lFTnZjbkJ2Y21GMAphVzl1TVJRd0VnWURWUVFIREF0VFlXNTBZU0JEYkdGeVlURUxNQWtHQTFVRUNBd0NRMEV4Q3pBSkJnTlZCQVlUCkFsVlRNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVDNm5Fd01ESVlaT2ovaVBXc0N6YUVLaTcKMU9pT1NMUkZoV0dqYm5CVkpmVm5rWTR1M0lqa0RZWUwwTXhPNG1xc3lZamxCYWxUVll4RlAyc0pCSzV6bEtPQgp1ekNCdURBZkJnTlZIU01FR0RBV2dCUWlaUXpXV3AwMGlmT0R0SlZTdjFBYk9TY0dyREJTQmdOVkhSOEVTekJKCk1FZWdSYUJEaGtGb2RIUndjem92TDJObGNuUnBabWxqWVhSbGN5NTBjblZ6ZEdWa2MyVnlkbWxqWlhNdWFXNTAKWld3dVkyOXRMMGx1ZEdWc1UwZFlVbTl2ZEVOQkxtUmxjakFkQmdOVkhRNEVGZ1FVSW1VTTFscWROSW56ZzdTVgpVcjlRR3prbkJxd3dEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCQWY4Q0FRRXdDZ1lJCktvWkl6ajBFQXdJRFNRQXdSZ0loQU9XLzVRa1IrUzlDaVNEY05vb3dMdVBSTHNXR2YvWWk3R1NYOTRCZ3dUd2cKQWlFQTRKMGxySG9NcytYbzVvL3NYNk85UVd4SFJBdlpVR09kUlE3Y3ZxUlhhcUk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KAA=="
+}
+```
diff --git a/service/pod-quote/deny.toml b/service/pod-quote/deny.toml
@@ -0,0 +1,35 @@
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+
+[licenses]
+unlicensed = "warn"
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "ISC",
+    "BSD-3-Clause",
+    "Unicode-DFS-2016",
+]
+
+copyleft = "warn"
+allow-osi-fsf-free = "neither"
+default = "deny"
+confidence-threshold = 0.8
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
diff --git a/service/pod-quote/src/kube.rs b/service/pod-quote/src/kube.rs
@@ -0,0 +1,60 @@
+/*
+* Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+extern crate crypto_hash;
+extern crate kube;
+
+use anyhow::{anyhow, Error};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::Api;
+use kube::Client;
+
+use std::env;
+
+const POD_NAME: &str = "POD_NAME";
+const POD_NAMESPACE: &str = "POD_NAMESPACE";
+const SEPARATOR: &str = "|";
+
+pub async fn get_cur_pod_images_info() -> Result<String, Error> {
+    let mut pod_data_array: Vec<String> = Vec::new();
+    let namespace = env::var(POD_NAMESPACE).unwrap_or_default();
+    let pod_name = env::var(POD_NAME).unwrap_or_default();
+
+    let client = Client::try_default().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), &namespace);
+
+    let pod_name_str = pod_name.clone();
+    let cur_pod = pods.get(&pod_name_str).await?;
+    // Access the container statuses
+    if let Some(status) = cur_pod.status {
+        for container_status in status.container_statuses.unwrap_or_default() {
+            let image_id = container_status.image_id.clone();
+            pod_data_array.push(image_id);
+        }
+        println!("pod quote data array:");
+        // Print out the quote data of pod.
+        for item in &pod_data_array {
+            println!("{}", item);
+        }
+
+        // Concat all pod quote data into one String.
+        let pod_image_id_data = pod_data_array.join(SEPARATOR);
+        return Ok(pod_image_id_data);
+    } else {
+        println!("Pod {pod_name} in {namespace} not found.");
+        let error_message = format!("Pod '{}' in '{}' not found.", pod_name, namespace);
+        return Err(anyhow!(error_message));
+    }
+}
+
+pub fn sha256_hash(input: &str) -> String {
+    // Convert the input string to bytes
+    let input_bytes = input.as_bytes();
+
+    // Calculate the SHA-256 hash
+    let hash = crypto_hash::hex_digest(crypto_hash::Algorithm::SHA256, input_bytes);
+
+    hash
+}