
cpu: re-organize security features

Open marquiz opened this issue 3 years ago • 4 comments

Move existing security/trusted-execution related features (i.e. SGX and SE) under the same security feature, deprecating the old features. The motivation for the change is to keep the source code and user interface more organized as we experience a constant inflow of similar security related features. This change will affect the user interface so it is less painful to do it early on.

New feature labels will be:

  feature.node.kubernetes.io/cpu-security.se.enabled
  feature.node.kubernetes.io/cpu-security.sgx.enabled

and correspondingly a new cpu.security feature with se.enabled and sgx.enabled elements will be available for custom rules, for example:

      - name: "sample sgx rule"
        labels:
          sgx.sample.feature: "true"
        matchFeatures:
          - feature: cpu.security
            matchExpressions:
              "sgx.enabled": {op: IsTrue}

At the same time, deprecate the old cpu-sgx.enabled and cpu-se.enabled feature labels and the corresponding features for custom rules. These will be removed in the future, causing an effective change in NFD's user interface.

marquiz avatar Jun 28 '22 10:06 marquiz
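The proposal above, shown end to end as an added example that is not part of the PR or the project's own docs: a NodeFeatureRule that matches the new cpu.security feature, and a Pod that consumes the new cpu-security.sgx.enabled label through a nodeSelector. The rule name, custom label names and the image are hypothetical.

```yaml
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: cpu-security-sample   # hypothetical name
spec:
  rules:
    # Label SGX-capable nodes using the new cpu.security feature
    - name: "sample sgx rule"
      labels:
        "sgx.sample.feature": "true"
      matchFeatures:
        - feature: cpu.security
          matchExpressions:
            "sgx.enabled": {op: IsTrue}
    # Same pattern for IBM Secure Execution (SE) nodes
    - name: "sample se rule"
      labels:
        "se.sample.feature": "true"
      matchFeatures:
        - feature: cpu.security
          matchExpressions:
            "se.enabled": {op: IsTrue}
---
# Workload that must only run on nodes where SGX is enabled,
# selected via the new label name rather than the deprecated cpu-sgx.enabled
apiVersion: v1
kind: Pod
metadata:
  name: sgx-workload   # hypothetical name
spec:
  nodeSelector:
    feature.node.kubernetes.io/cpu-security.sgx.enabled: "true"
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
```

Both the rule and the nodeSelector should be updated together when the deprecated cpu-sgx.enabled and cpu-se.enabled labels are removed; otherwise pods keyed on the old label stop being schedulable.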

RFC /hold

marquiz avatar Jun 28 '22 10:06 marquiz

@marquiz Where are we with the topic of having shorter feature labels? I think this is also still open. I think we should start thinking of doing that as well as soon as possible, before we are adding features that are used by other projects and it creates too much confusion when switching.

zvonkok avatar Jun 29 '22 08:06 zvonkok

@marquiz Where are we with the topic of having shorter feature labels? I think this is also still open. I think we should start thinking of doing that as well as soon as possible, before we are adding features that are used

Yeah, agree on this. I added both (#832 and #778) into the v0.12 milestone.

What do you think about this PR vs. a totally separate security feature source?

marquiz avatar Jun 30 '22 12:06 marquiz

Any thoughts on this? @mythi @zvonkok @ArangoGutierrez ?

marquiz avatar Aug 30 '22 12:08 marquiz

Any thoughts on this? @mythi @zvonkok @ArangoGutierrez ?

I added my thoughts in https://github.com/kubernetes-sigs/node-feature-discovery/issues/832#issuecomment-1191202692 earlier

mythi avatar Aug 30 '22 18:08 mythi

I added my thoughts in #832 (comment) earlier

Ach yes, sorry, I already forgot that comment 😊 Suggestions (or PRs) on how to change the feature descriptions in the docs are welcome.

Removing the RFC status of this PR /unhold

marquiz avatar Aug 31 '22 06:08 marquiz

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ArangoGutierrez, marquiz


k8s-ci-robot avatar Sep 01 '22 12:09 k8s-ci-robot