forked from eclipse-kura/kura
feat(container.provider): added container instance digest enforcement #1
Closed
sfiorani wants to merge 26 commits into allowlist_enforcement_adding from container-instances-allowlist
* fix(distrib): added libudev.so.0 symlink Signed-off-by: Marcello Martina <[email protected]> * revert: readded old shebang Signed-off-by: Marcello Martina <[email protected]> * refactor: added check for target existence Signed-off-by: Marcello Martina <[email protected]> --------- Signed-off-by: Marcello Martina <[email protected]>
…rtificate entry after DNs have been added as column in the table. (eclipse-kura#5165) Workaround for fix GWT strange behavior when deleting a certificate entry after DNs have been added to the table.
…-kura#5163) * Added better error message for password never set * Added japanese message. * Updated Japanese message
Signed-off-by: Nicola Timeus <[email protected]>
Signed-off-by: SimoneFiorani <[email protected]>
Signed-off-by: SimoneFiorani <[email protected]>
Signed-off-by: SimoneFiorani <[email protected]>
Signed-off-by: SimoneFiorani <[email protected]>
Signed-off-by: Nicola Timeus <[email protected]>
Signed-off-by: Nicola Timeus <[email protected]>
…#5183) * feat: Limit the UI certificate add to a single PEM cert Signed-off-by: MMaiero <[email protected]> * chore: Updated copyright Signed-off-by: MMaiero <[email protected]> * feat: added Japanese translations Signed-off-by: MMaiero <[email protected]> * fix: Update Messages_ja.properties --------- Signed-off-by: MMaiero <[email protected]>
eclipse-kura#5179) * Updated flooding protection metatype Signed-off-by: pierantoniomerlino <[email protected]> * Update kura/org.eclipse.kura.network.threat.manager/src/main/java/org/eclipse/kura/internal/floodingprotection/FloodingProtectionOptions.java Co-authored-by: Matteo Maiero <[email protected]> * Updated metatype Signed-off-by: pierantoniomerlino <[email protected]> --------- Signed-off-by: pierantoniomerlino <[email protected]> Co-authored-by: Matteo Maiero <[email protected]>
eclipse-kura#5192) Added additional configuration also on configuration change Signed-off-by: pierantoniomerlino <[email protected]>
…list (eclipse-kura#5162) * feat(container.orchestration.provider): added first implementation of enforcement allowlist Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): enforcement allowlist implemented Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): updated copyright and method signature Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): improved implementation, tests added Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): corrected typo in option description Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): fixed indendation Co-authored-by: Mattia Dal Ben <[email protected]> * feat(container.orchestration.provider): implemented suggestion and validation of already running containers Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): added tests for monitor-starting phase Signed-off-by: SimoneFiorani <[email protected]> * feat(container.orchestration.provider): refactored allowlist monitor class Signed-off-by: SimoneFiorani <[email protected]> * fix: typo in log * style: fix copyright header * fix: copyright header year * refactor: refactor with suggestions Signed-off-by: SimoneFiorani <[email protected]> * refactor: refactored allowlist enforcement starting * refactor: added null checks on closing monitor --------- Signed-off-by: SimoneFiorani <[email protected]> Co-authored-by: Mattia Dal Ben <[email protected]>
…d code from ContainerOrchestrationServiceImpl (eclipse-kura#5175) * refactor(ContainerOrchestration): removed deprecated code from ContainerOrchestrationServiceImpl class Signed-off-by: SimoneFiorani <[email protected]> * refactor(ContainerOrchestration): removed debug logger Signed-off-by: SimoneFiorani <[email protected]> * refactor(ContainerOrchestration): updated tests Signed-off-by: SimoneFiorani <[email protected]> * refactor: refactored unit test method name --------- Signed-off-by: SimoneFiorani <[email protected]>
….eclipse.kura.container.provider.ContainerInstance.xml Co-authored-by: Mattia Dal Ben <[email protected]>
…n/java/org/eclipse/kura/container/orchestration/provider/impl/enforcement/AllowlistEnforcementMonitor.java Co-authored-by: Mattia Dal Ben <[email protected]>
Closed as it was merged into Eclipse Kura develop
This PR adds the container enforcement digest option to the container instances components. If provided and if the ContainerInstance is enabled, it is used in addition to the ContainerOrchestrationService digest allowlist for monitoring the docker containers run on the device. Some examples of the behaviours when the ContainerInstance is enabled are:
* During Enforcement monitoring, all Container Instances digests options are merged into the Container Orchestration Service Allowlist: this means that if a user tries to run from the CLI a docker container whose digest is equal to one of the enabled Container Instances, it will be allowed to start.
* Each time the Container Instance digest is removed or changed (could be a Container Instances updating, disabling or deleting) the enforcement monitors all the running containers for the digests check. Let's make some examples of possible situations: let's suppose that a ContainerInstance with digest option DIGEST A was enabled, and now it's disabled, while the monitor is enabled with ContainerOrchestrationService Allowlist filled with DIGEST B. Once the ContainerInstance is disabled, no more

Possible situations:
* DIGEST A, will then be stopped due to absence of the DIGEST A from the disabled container instance
* DIGEST B, will be untouched because its digest is still present in the allowlist of the service

Be careful, then, to rely only on the use of the digest set in the container instances options. If you think you need to launch containers from the CLI, it is preferable to use the allowlist of the container orchestration service.
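
The merge-and-recheck behaviour described above, modelled in Java. This is an added example, not code from the pull request or from Eclipse Kura: the class, record and method names are hypothetical, and DIGEST A / DIGEST B are the description's placeholders standing in for real image digests.

```java
import java.util.*;

// Added illustration of the allowlist merge described in the PR text.
// All names here are hypothetical; this is not Kura's API.
public class EffectiveAllowlistDemo {

    record Instance(String name, String digest, boolean enabled) {}
    record Running(String id, String digest) {}

    // Service allowlist plus the digest option of every ENABLED container instance.
    // The digest option is optional, so null or blank values contribute nothing.
    static Set<String> effectiveAllowlist(Set<String> serviceAllowlist,
                                          Collection<Instance> instances) {
        Set<String> merged = new HashSet<>(serviceAllowlist);
        for (Instance i : instances) {
            if (i.enabled() && i.digest() != null && !i.digest().isBlank()) {
                merged.add(i.digest().trim());
            }
        }
        return merged;
    }

    // IDs of running containers whose digest is not covered by the allowlist.
    // These are the ones the enforcement monitor would stop on a re-check.
    static List<String> toStop(Collection<Running> running, Set<String> allowlist) {
        List<String> ids = new ArrayList<>();
        for (Running r : running) {
            if (!allowlist.contains(r.digest())) {
                ids.add(r.id());
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample data matching the scenario in the description.
        Set<String> service = Set.of("DIGEST B");
        List<Running> running = List.of(
                new Running("cli-started-a", "DIGEST A"),
                new Running("cli-started-b", "DIGEST B"));

        // Case 1: the instance is enabled, so its digest is merged in.
        List<Instance> enabled = List.of(new Instance("inst", "DIGEST A", true));
        System.out.println(toStop(running, effectiveAllowlist(service, enabled)));

        // Case 2: the instance is disabled, so only the service allowlist remains.
        List<Instance> disabled = List.of(new Instance("inst", "DIGEST A", false));
        System.out.println(toStop(running, effectiveAllowlist(service, disabled)));
    }
}
```

The second case shows why a container started from the CLI should be covered by the service allowlist: its authorization otherwise disappears when an unrelated instance configuration changes.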