A collection of helm charts for ISecL-DC usecases
| Kubernetes | Details |
|---|---|
| Cluster OS | RedHat Enterprise Linux 8.x, Ubuntu 20.04 |
| Distributions | Any non-managed K8s cluster |
| Versions | v1.23 |
| Storage | NFS |
| Container Runtime | Foundational Security: CRI-O |
| Use case | Description | Helm Charts |
|---|---|---|
| Host Attestation | Host Attestation (Platform Attestation) is the cornerstone use case for Intel SecL. It involves taking measurements of system components during system boot and then cryptographically verifying that the actual measurements match a set of expected or approved values, ensuring that the measured components were in an acceptable or "trusted" state at the time of the last system boot. | Certificate Management Service (CMS), Authentication and Authorization Service (AAS), Host Verification Service (HVS), Trustagent (TA) |
| Trusted Workload Placement (TWP) - Containers | Trusted Workload Placement (Data Sovereignty) builds on the Host Attestation use case to allow physical TPMs to be written with Asset Tags containing any number of key/value pairs. This use case is typically used to identify the geographic location of the physical server, but can also be used to identify other attributes. For example, the Asset Tags provided by this use case could be used to identify hosts that meet specific compliance requirements and can run controlled workloads. | Certificate Management Service (CMS), Authentication and Authorization Service (AAS), Host Verification Service (HVS), admission-controller, isecl-controller, isecl-scheduler, Integration Hub (IHub), Trustagent (TA) |
| Trusted Workload Placement - Control Plane | Trusted Workload Placement - Control Plane is a subset of the Trusted Workload Placement use case. This use case helm chart can be deployed on any existing non-managed K8s cluster on a cloud platform and performs platform attestation of nodes at CSPs or edge nodes. | Certificate Management Service (CMS), Authentication and Authorization Service (AAS), Host Verification Service (HVS) |
| Trusted Workload Placement - CSP | Trusted Workload Placement - CSP is a subset of the Trusted Workload Placement use case. This use case helm chart can be deployed on any non-managed K8s cluster at CSPs or edge nodes to get the cluster nodes attested by the deployed twp-control-plane services running in the cloud. | Trustagent (TA), Integration Hub, Admission-controller, ISecl-Controller, ISecl-Scheduler |
| Workload Security | Workload Confidentiality allows container images to be encrypted at rest, with key access tied to platform integrity attestation. Because security attributes contained in the platform integrity attestation report are used to control access to the decryption keys, this feature provides both protection for at-rest data, IP, code, etc. in container images, and enforcement of image-owner-controlled placement policies. | Certificate Management Service (CMS), Authentication and Authorization Service (AAS), Trustagent (TA), Integration Hub, ISecl-Controller, ISecl-Scheduler, Key Broker Service (KBS), Host Verification Service (HVS), Workload Service (WLS), Workload Agent (WLA) |
For more details on the product, installation and deployment strategies, please go through the following (refer to the latest guide for your use case):

https://intel-secl.github.io/docs
https://intel-secl.github.io/docs/4.2/ReleaseNotes/ReleaseNotes
Feel free to raise deployment issues here,