Container/Pod integrity details in the attestation report #3385
Hi, I was going through the documentation, and I was wondering if there is a way to measure/replay the workload container measurements in the attestation report provided by the verification service. Right now, what I understand is that we measure up to the Constellation bootloader and kernel, plus the cluster ID, which would be part of the PCRs or RTMRs. But is there a way I can request the workload container measurements as part of the attestation request, so that we can verify remotely that the workloads have not been tampered with?
Hi,
Thank you for the question :). Workload attestation in the way you describe it is not part of Constellation. However, depending on your threat model it may be possible to achieve your goals with a policy engine like Kyverno. With it you can enforce attributes on workloads. The question remains: why trust Kyverno?
If you require workload attestation, Contrast may be just what you want to look at. Contrast is one of our other projects. It is a verification service that builds on confidential containers to provide attested workloads.
Best,
Otto
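As an added illustration of the Kyverno approach mentioned in the reply (this policy is not part of the discussion, Constellation or Contrast), the following ClusterPolicy rejects any Pod whose images under a given registry prefix are not signed with a known cosign key, and rewrites admitted image references to their digest so the running workload is pinned to the verified content. The registry prefix `ghcr.io/example/*` and the public key are placeholders you would replace with your own.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-workload-image-signatures   # placeholder name
spec:
  # Enforce: unsigned or unverifiable images are rejected at admission,
  # not merely reported.
  validationFailureAction: Enforce
  # Do not re-scan existing objects in the background; admission-time only.
  background: false
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this (placeholder) registry prefix are checked.
        - imageReferences:
            - "ghcr.io/example/*"
          attestors:
            - entries:
                - keys:
                    # Placeholder: paste the cosign public key that signed
                    # your images. Verification fails closed if it does not match.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder-cosign-public-key>
                      -----END PUBLIC KEY-----
          # Replace mutable tags with the verified digest so the Pod runs
          # exactly the content whose signature was checked.
          mutateDigest: true
          # Images matching imageReferences must pass; absence of a
          # signature is a rejection, not a skip.
          required: true
```

Note that this only gates what the cluster admits; it does not place a measurement of the container into the attestation report, so the trust chain rests on the attested control plane that runs Kyverno, which is the "why trust Kyverno" point from the reply.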