Workload Tainting

Manage the life cycle of workloads composed of platform measurements, images and templates

Introduction

When working with confidential workloads, the deployment changes continuously over the lifetime of the application. New confidential environments, virtual machines, Kubernetes clusters, pods or containers introduce new attestation measurements, and each of these reference values has to be managed over its own lifecycle.

Reference Values

Nitride uses taints to track the lifecycle of workloads. Taints are human-readable names that abstract away the cryptographic values (hashes and measurements) found in attestation reports. We distinguish between the following taints:

  • measurement taint: a platform measurement provided by the secure platform, stored per provider

  • image taint: the reference value of an image; versions are added automatically by the update process

  • template taint: a combination of images that together represent a workload

Taints are composable: multiple image taints may be combined into a template.

There is currently no way to set reference values manually; they are all managed by the automatic attestation lifecycle management process.

Create a platform measurement

This endpoint stores a new platform measurement for a given provider. Both the provider and the measurement must be supplied. The same action is also performed as part of the automatic update; see Update for more information.

Create an image

This endpoint creates a new image associated with a human-readable name. The name identifies the image and allows it to be reused in templates. Image values are versioned. Upon initial creation there is no version available, so the image cannot be attested yet; versions are created through the update process, and only then can workloads using this image be attested.

Create a template

This endpoint creates a new template from multiple images. The template is used to create instances. Version information of the images is not copied at this stage; it is resolved later, when the template is used.
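The following is an added illustrative model of the taint lifecycle described in the Reference Values section and the three create endpoints above. It is not Nitride's own code: the class and method names (`TaintRegistry`, `instantiate`, `attest`, and so on) are assumptions for the illustration, the pinning of image versions at instance creation is an assumption (the page only states that templates do not copy version information), and all provider names, measurements and digests are constructed sample values. The example shows the two edge cases a practitioner trips over first: an image with no version yet cannot be attested, and a later image update does not silently move an already-instantiated workload.

```python
"""Illustrative model of the taint lifecycle: added example, not Nitride code.
Names below are assumptions; measurements and digests are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AttestationError(Exception):
    """Raised when a workload cannot be attested against its taints."""


@dataclass
class Image:
    """Image taint: human-readable name plus versioned digests (newest last)."""
    name: str
    versions: List[str] = field(default_factory=list)

    @property
    def latest(self) -> Optional[str]:
        return self.versions[-1] if self.versions else None


@dataclass
class Template:
    """Template taint: composes image taints by name; no versions are copied."""
    name: str
    image_names: List[str]


class TaintRegistry:
    def __init__(self) -> None:
        self.measurements: Dict[str, List[str]] = {}  # provider -> accepted platform measurements
        self.images: Dict[str, Image] = {}
        self.templates: Dict[str, Template] = {}

    # The three "create" operations described on the page.
    def create_measurement(self, provider: str, value: str) -> None:
        if not provider or not value:
            raise ValueError("provider and measurement must both be supplied")
        self.measurements.setdefault(provider, []).append(value)

    def create_image(self, name: str) -> Image:
        if name in self.images:
            raise ValueError(f"image {name!r} already exists")
        self.images[name] = Image(name)  # no version yet: not attestable
        return self.images[name]

    def create_template(self, name: str, image_names: List[str]) -> Template:
        missing = [n for n in image_names if n not in self.images]
        if missing:
            raise ValueError(f"unknown images: {missing}")
        self.templates[name] = Template(name, list(image_names))
        return self.templates[name]

    # The update process is what adds image versions.
    def update_image(self, name: str, digest: str) -> None:
        self.images[name].versions.append(digest)

    # Assumption: instance creation pins each image to its latest version.
    def instantiate(self, template_name: str) -> Dict[str, str]:
        pinned = {}
        for n in self.templates[template_name].image_names:
            if self.images[n].latest is None:
                raise AttestationError(f"image {n!r} has no version; run the update process first")
            pinned[n] = self.images[n].latest
        return pinned

    def attest(self, provider: str, measurement: str,
               pinned: Dict[str, str], reported: Dict[str, str]) -> List[str]:
        """Return the failed checks; an empty list means the report is accepted."""
        failures = []
        if measurement not in self.measurements.get(provider, []):
            failures.append(f"platform measurement unknown for provider {provider!r}")
        for name, digest in pinned.items():
            if reported.get(name) != digest:
                failures.append(f"image {name!r}: expected {digest}, got {reported.get(name)}")
        return failures


def demo() -> dict:
    """Run the lifecycle on constructed values and return the outcomes."""
    reg = TaintRegistry()
    reg.create_measurement("provider-a", "mr:0x01")  # constructed sample measurement
    reg.create_image("web")
    reg.create_image("db")
    reg.create_template("shop", ["web", "db"])
    try:  # images exist but carry no version yet
        reg.instantiate("shop")
        early = None
    except AttestationError as exc:
        early = str(exc)
    reg.update_image("web", "sha256:web-v1")  # constructed digests
    reg.update_image("db", "sha256:db-v1")
    pinned = reg.instantiate("shop")
    good = reg.attest("provider-a", "mr:0x01", pinned,
                      {"web": "sha256:web-v1", "db": "sha256:db-v1"})
    reg.update_image("web", "sha256:web-v2")  # later update does not move the instance
    stale = reg.attest("provider-a", "mr:0x01", pinned,
                       {"web": "sha256:web-v2", "db": "sha256:db-v1"})
    bad_platform = reg.attest("provider-a", "mr:0xff", pinned,
                              {"web": "sha256:web-v1", "db": "sha256:db-v1"})
    return {"early": early, "pinned": pinned, "good": good,
            "stale": stale, "bad_platform": bad_platform}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points worth noting: the registry refuses to instantiate while any image has no version, which mirrors the page's rule that an image must go through the update process before it can be attested, and `attest` returns every failed check rather than stopping at the first, so an operator sees at once whether the platform measurement, an image version, or both drifted.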
