diff --git a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
index 9e4020289..46e6a0a27 100644
--- a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
+++ b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@@ -32,10 +32,22 @@ spec:
 - name: sgx-provision
 mountPath: /dev/sgx_provision
 readOnly: true
+ - name: nri-sgx-epc
+ image: ghcr.io/containers/nri-plugins/nri-sgx-epc:unstable
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: nrisockets
+ mountPath: /var/run/nri
 volumes:
 - name: kubeletsockets
 hostPath:
 path: /var/lib/kubelet/device-plugins
+ - name: nrisockets
+ hostPath:
+ path: /var/run/nri
 - name: sgx-enclave
 hostPath:
 path: /dev/sgx_enclave
diff --git a/pkg/controllers/sgx/controller_test.go b/pkg/controllers/sgx/controller_test.go
index 2281d78da..c6b221aa6 100644
--- a/pkg/controllers/sgx/controller_test.go
+++ b/pkg/controllers/sgx/controller_test.go
@@ -94,6 +94,21 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 },
 },
 },
+ {
+ Name: "nri-sgx-epc",
+ Image: "ghcr.io/containers/nri-plugins/nri-sgx-epc:unstable",
+ ImagePullPolicy: "IfNotPresent",
+ SecurityContext: &v1.SecurityContext{
+ ReadOnlyRootFilesystem: &yes,
+ AllowPrivilegeEscalation: &no,
+ },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "nrisockets",
+ MountPath: "/var/run/nri",
+ },
+ },
+ },
 },
 NodeSelector: map[string]string{"kubernetes.io/arch": "amd64"},
 Volumes: []v1.Volume{
@@ -105,6 +120,14 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 },
 },
 },
+ {
+ Name: "nrisockets",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/var/run/nri",
+ },
+ },
+ },
 {
 Name: "sgx-enclave",
 VolumeSource: v1.VolumeSource{
diff --git a/pkg/webhooks/sgx/sgx.go b/pkg/webhooks/sgx/sgx.go
index b6e9e7ec6..daa6fa1db 100644
--- a/pkg/webhooks/sgx/sgx.go
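Review bot: The `nri-sgx-epc` sidecar added to the DaemonSet is pulled by the floating `unstable` tag with `imagePullPolicy: IfNotPresent`, so the code that gets read-write access to the node's NRI socket directory at `/var/run/nri` is neither version-pinned nor guaranteed identical across nodes; pin it to a release tag or digest (`image: ghcr.io/containers/nri-plugins/nri-sgx-epc@sha256:<digest-placeholder>`) so an upstream change to the tag cannot silently alter what runs with host socket access. The securityContext drops privilege escalation and makes the root filesystem read-only, but unlike the `sgx-provision` mount in this hunk (`readOnly: true`) the `nrisockets` mount carries no `readOnly`, which is presumably required to connect to the socket; a one-line comment stating that would help, and `capabilities: {drop: [ALL]}` could be added alongside the existing two settings. The expected DaemonSet in `pkg/controllers/sgx/controller_test.go` (both hunks on this line) encodes the same `unstable` tag, so the controller code producing it, which is not in this diff, should change together with this manifest.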
+++ b/pkg/webhooks/sgx/sgx.go
@@ -35,6 +35,7 @@ var ErrObjectType = errors.New("invalid runtime object type")
 type Mutator struct{}
 const (
+ epcLimitKey = "epc-limit.nri.io"
 namespace = "sgx.intel.com"
 encl = namespace + "/enclave"
 epc = namespace + "/epc"
@@ -148,6 +149,8 @@ func (s *Mutator) Default(ctx context.Context, obj runtime.Object) error {
 continue
 }
+ pod.Annotations[fmt.Sprintf("%s/container.%s", epcLimitKey, container.Name)] = fmt.Sprintf("%d", epcSize)
+ totalEpc += epcSize
 // Quote Generation Modes:
diff --git a/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go b/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go
index 987f8cacd..a37f1fef8 100644
--- a/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go
+++ b/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go
@@ -69,6 +69,7 @@ func describe() {
 ginkgo.By("checking the pod total EPC size annotation is correctly set")
 gomega.Expect(pod.Annotations["sgx.intel.com/epc"]).To(gomega.Equal("1Mi"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test"]).To(gomega.Equal("1048576"))
 })
 ginkgo.It("mutates created pods when the container contains the quote generation libraries", func(ctx context.Context) {
 ginkgo.By("submitting the pod")
@@ -79,6 +80,7 @@ func describe() {
 ginkgo.By("checking the pod total EPC size annotation is correctly set")
 gomega.Expect(pod.Annotations["sgx.intel.com/epc"]).To(gomega.Equal("1Mi"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test"]).To(gomega.Equal("1048576"))
 })
 ginkgo.It("mutates created pods when the container uses aesmd from a side-car container to generate quotes", func(ctx context.Context) {
 ginkgo.By("submitting the pod")
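Review bot: `epcLimitKey` is a constant whose value is an annotation-key prefix that a component outside this package reads, so it deserves a comment naming that contract, e.g. `// epcLimitKey is the annotation prefix for per-container EPC limits; keys have the form "<epcLimitKey>/container.<name>" and the value is the EPC size as a plain integer (1048576 for a 1Mi request in the e2e tests). Presumably consumed by the nri-sgx-epc plugin deployed next to the device plugin — confirm.` Keeping the `container.` segment in a sibling constant rather than only inside the `fmt.Sprintf` format string in Default would keep the key shape defined in one place.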
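Review bot: The annotation key built by `fmt.Sprintf("%s/container.%s", epcLimitKey, container.Name)` can exceed the 63-character limit Kubernetes enforces on the name part of a qualified annotation key, because container names are DNS labels of up to 63 characters and the `container.` prefix adds ten more, so a pod with a long container name would be rejected by the API server after mutation instead of admitted; validate the length (or derive a shorter key) before writing and return an error for names that cannot be encoded. `pod.Annotations` is written here inside the container loop, and if nothing earlier in Default initialises it (the function starts outside the hunk) the assignment panics for a pod created without annotations — `if pod.Annotations == nil { pod.Annotations = map[string]string{} }` before the loop covers that. Since pod annotations are user-supplied, the webhook should also clear any pre-existing `epc-limit.nri.io/container.*` entries it did not derive from the resource requests (the loop appears to skip containers via the `continue` above and never touches their keys), otherwise a pod author could presumably assign an EPC limit to a container that requested none; a validating check rejecting user-supplied keys under this prefix would close the same gap. `strconv.FormatInt` (or `strconv.Itoa`, depending on the type of `epcSize`) is the idiomatic replacement for `fmt.Sprintf("%d", epcSize)`.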
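Review bot: The new assertions in this hunk and in the `@@ -79`, `@@ -93`, `@@ -106` and `@@ -125` hunks of this file only check that the per-container key is present for containers that request EPC; there is no case covering a pod submitted with a pre-set `epc-limit.nri.io/container.*` annotation, nor one asserting the key is absent for a container that requests no EPC. Adding both would pin the webhook as the sole writer of these keys, which matters because whatever consumes the annotation on the node presumably trusts it. The expected value `"1048576"` is hard-coded as the byte count of the `1Mi` request checked on the line above; a short comment such as `// 1Mi in bytes, the form the per-container annotation carries` would make the two assertions read as one check.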
@@ -93,6 +95,8 @@ func describe() {
 gomega.Expect(pod.Spec.Containers[0].Env[0].Value).To(gomega.Equal("1"))
 ginkgo.By("checking the pod total EPC size annotation is correctly set")
 gomega.Expect(pod.Annotations["sgx.intel.com/epc"]).To(gomega.Equal("2Mi"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test"]).To(gomega.Equal("1048576"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.aesmd"]).To(gomega.Equal("1048576"))
 })
 ginkgo.It("mutates created pods where one container uses host/daemonset aesmd to generate quotes", func(ctx context.Context) {
 ginkgo.By("submitting the pod")
@@ -106,6 +110,7 @@ func describe() {
 gomega.Expect(pod.Spec.Containers[0].Env[0].Value).To(gomega.Equal("1"))
 ginkgo.By("checking the pod total EPC size annotation is correctly set")
 gomega.Expect(pod.Annotations["sgx.intel.com/epc"]).To(gomega.Equal("1Mi"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test"]).To(gomega.Equal("1048576"))
 })
 ginkgo.It("mutates created pods where three containers use host/daemonset aesmd to generate quotes", func(ctx context.Context) {
 ginkgo.By("submitting the pod")
@@ -125,6 +130,9 @@ func describe() {
 gomega.Expect(pod.Spec.Containers[2].Env[0].Value).To(gomega.Equal("1"))
 ginkgo.By("checking the pod total EPC size annotation is correctly set")
 gomega.Expect(pod.Annotations["sgx.intel.com/epc"]).To(gomega.Equal("3Mi"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test1"]).To(gomega.Equal("1048576"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test2"]).To(gomega.Equal("1048576"))
+ gomega.Expect(pod.Annotations["epc-limit.nri.io/container.test3"]).To(gomega.Equal("1048576"))
 })
 ginkgo.It("checks that Volumes and VolumeMounts are created only once", func(ctx context.Context) {
 ginkgo.By("submitting the pod")