Comment 1 for bug 2007972

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-02-21 07:56 EDT-------
This is a more detailed description of the problem, including SRU relevant information

SRU Justification:
==================

[Problem Statement]
* For IBM Hyper Protect Virtual Servers v2 (aka HPCR) we plan to leverage the `podman play kube` functionality to bring up OCI containers based on k8s pod definitions in a secure enclave
* since this will be running in a secure enclave, our customers can control network connectivity, in particular connectivity to the container registries needed to pull images
* the podman version available in Ubuntu 22.04 (podman v3.4.4) automatically pulls a `pause` image from `k8s.gcr.io/pause`. This has the disadvantage that connectivity is needed to `k8s.gcr.io` and, in addition, this pulls in a potentially untrusted image
* this behaviour has been fixed in a later version of podman via https://github.com/containers/podman/issues/12254 in favour of pre-packaging a podman-specific version of a pause container

[Impact]
* with the current behaviour of podman, HPCR cannot run in a private-only network configuration without access to `k8s.gcr.io`. Mitigation: HPCR could try to pre-package a copy of k8s.gcr.io/pause
* HPCR relies on k8s.gcr.io/pause but we do not have open source approval for that container

[Test Plan]
* start any k8s payload using `podman play kube`. Then verify that `k8s.gcr.io/pause` is not part of the running containers

[Where problems could occur]
* the `k8s.gcr.io/pause` container is only needed to keep the cluster up, afaik there is no direct dependency on that container name by any other container or component
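The test plan above boils down to listing the images of the running containers and checking that none of them was pulled from `k8s.gcr.io`. The following script is an added example and is not part of the bug report or of podman; it generalises that check to an allowlist of registries, which is the property a private-network deployment actually cares about. It assumes the image list is supplied in the form `podman ps --format '{{.Image}}'` prints it (one reference per line); the sample image lists embedded in the script are constructed for illustration, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or the podman project): flag running
# container images whose registry is outside an allowlist.
# Input assumed: one image reference per line, e.g. from
#   podman ps --format '{{.Image}}'

# Print the registry part of an image reference. Following the usual
# reference grammar, the first path component is a registry only when it
# looks like a host (contains '.' or ':' or is 'localhost'); a bare name
# such as nginx:latest is implicitly on docker.io.
image_registry() {
  case "$1" in
    */*)
      first=${1%%/*}
      case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
      esac
      ;;
  esac
  printf '%s\n' docker.io
}

# check_images IMAGE_LIST ALLOWED_REGISTRIES
#   IMAGE_LIST: newline-separated image references
#   ALLOWED_REGISTRIES: space-separated registry hosts
# Prints every image from a registry not in the allowlist.
# Returns 0 if all images are allowed, 1 otherwise.
check_images() {
  images=$1
  allowed=$2
  bad=0
  for img in $images; do
    reg=$(image_registry "$img")
    ok=0
    for a in $allowed; do
      [ "$reg" = "$a" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
      printf 'disallowed registry %s: %s\n' "$reg" "$img"
      bad=1
    fi
  done
  return $bad
}

# Constructed samples. SAMPLE_OLD mimics what podman 3.4.4 would show after
# `podman play kube` pulled the upstream pause image; SAMPLE_FIXED mimics a
# podman that ships its own locally built pause image (tag is made up).
SAMPLE_OLD='k8s.gcr.io/pause:3.5
localhost/myapp:1.0'
SAMPLE_FIXED='localhost/podman-pause:4.4.1
localhost/myapp:1.0'

# Real-host usage (commented out so the script stays runnable offline):
#   check_images "$(podman ps --format '{{.Image}}')" localhost
```

Run against `SAMPLE_OLD` with an allowlist of just `localhost`, the check reports `disallowed registry k8s.gcr.io: k8s.gcr.io/pause:3.5` and exits non-zero, which is the failure the test plan is designed to catch on podman 3.4.4; against `SAMPLE_FIXED` it exits 0. Extending the allowlist (for example to a private mirror host) is a matter of adding it to the second argument.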