Skip to main content
Version: 1.11

Generate policy annotations and manifest

This step updates your deployment files with policy annotations and automatically generates the deployment manifest.

Applicability

This step is required for all Contrast deployments.

Prerequisites

  1. Set up cluster
  2. Install CLI
  3. Deploy the Contrast runtime
  4. Add Coordinator to resources
  5. Prepare deployment files
  6. Configure TLS (optional)
  7. Enable GPU support (optional)

How-to

Run the generate command to add the necessary components to your deployment files. This will add the Contrast Initializer to every workload with the specified contrast-cc runtime class and the Contrast Service Mesh to all workloads that have a specified configuration. After that, it will generate the execution policies and add them as annotations to your deployment files. A manifest.json with the reference values of your deployment will be created.

contrast generate --reference-values aks-clh-snp resources/

The generate command needs to pull the container images to derive policies. Running generate for the first time can take a while, especially if the images are large. If your container registry requires authentication, you can create the necessary credentials with docker login or podman login. Be aware of the registry authentication limitation on bare metal.

warning

Please be aware that runtime policies currently have some blind spots. For example, they can't guarantee the starting order of containers. See the current limitations for more details.

Running contrast generate for the first time creates some additional files in the working directory:

  • seedshare-owner.pem is required for handling the secret seed and recovering the Coordinator (see Secrets & recovery).
  • workload-owner.pem is required for manifest updates after the initial contrast set.
  • rules.rego and settings.json are the basis for runtime policies.
  • layers-cache.json caches container image layer information for your deployments to speed up subsequent runs of contrast generate.

Fine-tuning initializer injection

If you don't want the Contrast Initializer to automatically be added to your workloads, there are two ways you can skip the Initializer injection step, depending on how you want to customize your deployment.

--skip-initializer flag

You can disable the Initializer injection completely by specifying the --skip-initializer flag in the generate command.

contrast generate --reference-values aks-clh-snp --skip-initializer resources/

skip-initializer annotation

If you want to disable the Initializer injection for a specific workload with the contrast-cc runtime class, you can do so by adding an annotation to the workload.

metadata: # apps/v1.Deployment, apps/v1.DaemonSet, ...
  annotations:
    contrast.edgeless.systems/skip-initializer: "true"

Manual Initializer injection

When disabling the automatic Initializer injection, you can manually add the Initializer as a sidecar container to your workload before generating the policies. Configure the workload to use the certificates written to the contrast-secrets volumeMount.

# v1.PodSpec
spec:
  initContainers:
    - env:
        - name: COORDINATOR_HOST
          value: coordinator-ready
      image: "ghcr.io/edgelesssys/contrast/initializer:v1.11.0@sha256:06298428e65532dfe9bb8390149776b7e9d7edad1cdf0a0b8df37b8952993f95"
      name: contrast-initializer
      volumeMounts:
        - mountPath: /contrast
          name: contrast-secrets
  volumes:
    - emptyDir: {}
      name: contrast-secrets

Fine-tuning service mesh injection

The service mesh is only injected for workload that have a service mesh annotation.

--skip-service-mesh flag

You can disable the service mesh injection completely by specifying the --skip-service-mesh flag in the generate command.

contrast generate --reference-values aks-clh-snp --skip-service-mesh resources/

In this case, you can manually add the service mesh sidecar container to your workload before generating the policies, or authenticate peers on the application level.