Support to specify ``trusted`` for runtime creation. In Kubernetes orchestrator implementation, it's using ``io.kubernetes.cri-o.TrustedSandbox`` annotation in the pod specification to choose the underlying container runtime. This feature is useful to leverage the security container technology such as Kata containers or gVisor. It also gets rid of the security concerns for running image type function.

Story: 2003088
Task: 23172
Change-Id: Ic4fa3e97dcc239c7177448e3cef5d0f02340d302

changes/39/585139/5
14 changed files with 119 additions and 106 deletions
@ -0,0 +1,36 @@
|
||||
# Copyright 2018 OpenStack Foundation. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
"""add trusted field for runtimes table |
||||
|
||||
Revision ID: 005 |
||||
Revises: 004 |
||||
Create Date: 2018-07-24 12:00:00.888969 |
||||
|
||||
""" |
||||
|
||||
# revision identifiers, used by Alembic. |
||||
revision = '005' |
||||
down_revision = '004' |
||||
|
||||
from alembic import op |
||||
import sqlalchemy as sa |
||||
|
||||
|
||||
def upgrade(): |
||||
op.add_column( |
||||
'runtimes', |
||||
sa.Column('trusted', sa.BOOLEAN, nullable=False, default=True, |
||||
server_default="1") |
||||
) |
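Review bot: In upgrade(), the `server_default="1"` on the new `trusted` column backfills every existing row in `runtimes` as trusted, so no runtime created before this migration moves to the sandboxed path unless an operator changes or recreates it. Since the commit message ties this flag to the choice of underlying container runtime, please state that behaviour in the migration docstring (and in the release note), or justify why the permissive value is the right default here rather than the restrictive one. Two smaller points on the same call: the Python-side `default=True` has no effect inside `op.add_column` (only the server default is applied to existing rows), so it can be dropped or left to the model definition; and `sa.true()` would be a more portable server default than the string "1" across database backends.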
@ -0,0 +1,9 @@
|
||||
--- |
||||
features: |
||||
- Support to specify ``trusted`` for runtime creation. In Kubernetes |
||||
orchestrator implementation, it's using |
||||
``io.kubernetes.cri-o.TrustedSandbox`` annotation in the pod specification |
||||
to choose the underlying container runtime. This feature is useful to |
||||
leverage the security container technology such as Kata containers or |
||||
gVisor. It also gets rid of the security concerns for running image type |
||||
function. |
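Review bot: The release note does not say what the default value of ``trusted`` is or what happens to runtimes that already exist, which is what an operator needs to know before upgrading. Please add that the field defaults to true (per the migration's `server_default="1"`), that existing runtimes are therefore treated as trusted after the upgrade, and what setting it to false does to the ``io.kubernetes.cri-o.TrustedSandbox`` annotation. The sentence "It also gets rid of the security concerns for running image type function" is also stronger than the change supports: the isolation only applies when a runtime is created as untrusted and the cluster actually has a sandboxed runtime such as Kata containers or gVisor configured, so wording along the lines of "reduces" with that precondition stated would be more accurate.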