VEP 285: Preset launch security defaults via preference

[jschintag]

This VEP proposes to enable easier management of confidential computing VMs by using common preferences.

VEP Metadata

Tracking issue: #285
SIG label: /sig api

What this PR does

Propose adding launchSecurity field to VirtualMachinePreference for configuring VMs.

Special notes for your reviewer

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vladikr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xpivarc]

/cc @lyarwood @0xFelix

[0xFelix]

At least we've got a conflict with #17.

[0xFelix]

You mean common-instancetypes.

[jschintag]

Good catch

[0xFelix]

How does it go together with instancetypes?

[jschintag]

As far as i understand instancetypes override settings in the VMI, so it would override it here as well.
Let me add that here as well.

[0xFelix]

IIRC the intention for providing launcheSecurity with instance types is that nodes need to have the necessary hardware i.e. the resources to support the chosen setting. It's not simply a runtime preference of the guest.

[jschintag]

The hardware support for nodes is determined via nodeselectors (at least for AMD SEV and IBM Secure Execution, no idea about Interl/Arm).
The idea here is not related to the Hardware in the cluster, but rather to specific VM images.
For example IBM Secure Execution requires specific changes to the VM image, which would mean that image can only run in SE mode. If that is then used as a golden image in the cluster, linking it to a preference which means launchSecurity would be enabled automatically. No need for users to choose an instancetype with launchSecurity or enable it manually.

[lyarwood]

The more I think about this the more I think we need to deprecate LaunchSecurity out of the instance type spec entirely and just provide it through preferences.

@0xFelix this will bork the v1 VEP for a cycle, would you be against this?

[0xFelix]

It's hard to draw a line on deciding what belongs into an instancetype or a preference. But I agree that we should move launchSecurity to preferences.

[lyarwood]

okay, @jschintag can you deprecate the instance type field as part of this work in v1beta1?

[jschintag]

Sure @lyarwood. I have added the removal to the beta target and added a deprecation notice to the alpha target.

[jschintag]

Thank you for the quick review @0xFelix.

I have updated the table to include instancetypes and fixed the mention of common-templates.

[lyarwood]

I'm not a fan of it but everything is prefixed with preferred, I've wanted to drop it forever but the backwards compat required would be a nightmare.

@0xFelix if we do delay v1 maybe yet another thing to throw in the backlog?

[0xFelix]

@lyarwood Do you want this to keep using the preferred prefix? But I agree we could drop it in the future (even this cycle already?).

[lyarwood]

I'm pretty overloaded this cycle but I can write it up as a backlog VEP and we can try to address it either this cycle or next.

[lyarwood]

The more I think about this the more I think we need to deprecate LaunchSecurity out of the instance type spec entirely and just provide it through preferences.

@0xFelix this will bork the v1 VEP for a cycle, would you be against this?

[0xFelix]

@0xFelix this will bork the v1 VEP for a cycle, would you be against this?

I am fine with that, let's refine the instanctype API first and not rush v1 in this cycle.