
krata is an isolation engine built for securing workloads

Results 70 krata issues

```
% ./hack/debug/kratactl.sh exec debian-test sh -c 'apt-get update; apt-get install -y git'
Finished dev [unoptimized + debuginfo] target(s) in 0.19s
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3...
```

bug

It should be possible to have certain kinds of policy decision points flow through IDM, to allow for helper domains to provide pluggable policy engines. Areas where we can add...

It can be helpful for the guest to provide an attestation back to the control plane via IDM to allow admins to define policies on what configurations / kernels /...

enhancement
security

Although we need a larger policy-controller-like hook mechanism, we should include support for sigstore signatures as part of the "included batteries." There should also be a configuration option to require...

enhancement
security

To simplify user deployment of krata, we should prebuild the kernel and host it on GHCR.

enhancement

This is a tracking issue to track work items needed to fully deprivilege krata. See the tasklist for the actual work items. ## Overall architectural work - [ ] #75...

enhancement
security

Presently IDM types are implied in responses processed by a user making an RPC over the IDM bus, making working with IDM unnecessarily difficult if you don't have access to...

enhancement
extendability
ergonomics

The [OCI runtime conformance tests](https://github.com/opencontainers/runtime-tools#testing-oci-runtimes) are an exhaustive test suite which tests behavior of an OCI runtime implementation. We should try to pass as many of the tests as possible, and...

documentation
enhancement
conformance

Krata's default networking backend runs as a process in dom0. Let's convert it to its own helper domain to deprivilege it.

enhancement
security

Some services, like the IDM bus and networking, would be ideal targets to unikernelize.

enhancement
security