feat(vhd): add FIPS-compliant AzureLinux v3 gen2 Kata host VHD #8820
Draft
Bickor wants to merge 1 commit into
Contributor
Pull request overview
Adds a new Azure Linux 3 Gen2 Kata host VHD variant with host-side FIPS enabled, wiring it through the VHD build pipeline and AgentBaker’s distro/SIG image configuration so it can be built and selected end-to-end.
Changes:
- Introduces new distro `aks-azurelinux-v3-gen2-kata-fips` and classifies it as a Kata distro.
- Adds SIG image config template/mapping (`V3katagen2fips`) and includes the distro in relevant Azure Linux / Gen2 / cgroupv2 lists.
- Extends unit tests and adds a new Azure DevOps pipeline build job for the new VHD artifact.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .pipelines/.vsts-vhd-builder-release.yaml | Adds a new pipeline parameter + build job to produce the AzureLinux V3 Gen2 Kata FIPS VHD artifact. |
| pkg/agent/datamodel/types.go | Adds the new distro constant and includes it in IsKataDistro() classification. |
| pkg/agent/datamodel/types_test.go | Adds test coverage asserting the new distro is treated as AzureLinux cgroupv2-capable. |
| pkg/agent/datamodel/sig_config.go | Adds a new SIG image template (V3katagen2fips) and wires it into distro availability lists and the AzureLinux image map. |
| pkg/agent/datamodel/sig_config_test.go | Updates SIG config tests for the new maintained distro entry and expected map size. |
| pkg/agent/bakerapi_test.go | Extends API implementation tests to include the new distro in supported distros. |
Comment on lines 159 to 163
| AKSCBLMarinerV2Gen2Kata Distro = "aks-cblmariner-v2-gen2-kata" | ||
| AKSAzureLinuxV2Gen2Kata Distro = "aks-azurelinux-v2-gen2-kata" | ||
| AKSAzureLinuxV3Gen2Kata Distro = "aks-azurelinux-v3-gen2-kata" | ||
| AKSAzureLinuxV3Gen2KataFIPS Distro = "aks-azurelinux-v3-gen2-kata-fips" | ||
| AKSCBLMarinerV2Gen2TL Distro = "aks-cblmariner-v2-gen2-tl" |
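Review bot: the new `AKSAzureLinuxV3Gen2KataFIPS` constant ends in `-kata-fips` rather than `-kata`, so any classification that keys on a `-kata` suffix would not pick it up, and the per-file summary says `types_test.go` only asserts cgroupv2 capability for it. Add an explicit assertion that `IsKataDistro(AKSAzureLinuxV3Gen2KataFIPS)` returns true alongside the cgroupv2 check, so a later refactor of `IsKataDistro()` cannot silently drop the FIPS variant from Kata handling.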
Wire a new aks-azurelinux-v3-gen2-kata-fips distro that builds the AzureLinux 3 gen2 Kata host VHD with host-side FIPS enabled (ENABLE_FIPS, ENABLE_CGROUPV2). Adds the release pipeline build job, the distro const and Kata/cgroupv2 classification, the SIG image config template and mapping, and corresponding unit test coverage. Note: host FIPS (dracut-fips + fips=1 host cmdline) does not propagate to the guest microVM; true guest UVM FIPS is tracked separately (kernel-uvm).
Summary

- `aks-azurelinux-v3-gen2-kata-fips` distro that builds the AzureLinux 3 gen2 Kata host VHD with host-side FIPS enabled (`ENABLE_FIPS=True`, `ENABLE_CGROUPV2=True`).

Changes

- `.pipelines/.vsts-vhd-builder-release.yaml`: new param `buildAzureLinuxV3gen2katafips` and build job (`OS_VERSION=V3kata`, SKU `azure-linux-3-gen2`, `FEATURE_FLAGS=kata`, `ENABLE_FIPS=True`, `ENABLE_CGROUPV2=True`, VM size `Standard_D16ads_v5`, artifact `azurelinuxv3-gen2-kata-fips`).
- `pkg/agent/datamodel/types.go`: const `AKSAzureLinuxV3Gen2KataFIPS`; added to `IsKataDistro()`.
- `pkg/agent/datamodel/sig_config.go`: `SIGAzureLinuxV3KataFIPSImageConfigTemplate`; added to the Kata / cgroupv2 / AzureLinux classification lists; wired distro → template in the AzureLinux image map.
- `sig_config_test.go`, `types_test.go`, `bakerapi_test.go` updated for the new distro.

Scope / Notes

- `installFIPS()` installs `dracut-fips` and sets `fips=1` on the host kernel cmdline. This does not propagate into the Kata guest microVM.
- Guest UVM FIPS (`fips=1`, OpenSSL FIPS provider, FIPS Go binaries) lives in the `kernel-uvm` / CloudNativeCompute pipeline (417429), not AgentBaker, and is tracked separately.

Validation

- `make generate`: passes, no testdata drift.
- `go test ./pkg/agent/...`: passes (agent, datamodel, toggles).
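The host-side FIPS state this description refers to can be verified once a VHD built from the new distro has booted. The script below is an added example written for this page, not AgentBaker's or the VHD pipeline's own code. It assumes only the standard Linux interfaces `/proc/cmdline` and `/proc/sys/crypto/fips_enabled`; the sample files it constructs are not captured from a real image. It distinguishes "fips=1 was requested" from "the kernel actually entered FIPS mode", which differ when the FIPS initramfs pieces (`dracut-fips`) are missing, and it must be run inside the guest microVM separately, since the guest has its own kernel and its own `/proc`.

```shell
# Added example, not AgentBaker code: report the host's FIPS state from the two
# kernel interfaces that installFIPS() affects (fips=1 on the cmdline, and the
# kernel's own fips_enabled flag, which is only 1 when the FIPS boot succeeded).
# Paths default to the live /proc files but can be overridden so the function
# also runs against constructed sample files. Exit status 0 = FIPS fully on.
fips_state() {
    cmdline_file="${1:-/proc/cmdline}"
    enabled_file="${2:-/proc/sys/crypto/fips_enabled}"

    # fips=1 must appear as a whole cmdline token, not as a substring (fips=10)
    cmdline_fips=0
    if [ -r "$cmdline_file" ] && tr ' ' '\n' < "$cmdline_file" | grep -qx 'fips=1'; then
        cmdline_fips=1
    fi

    # the kernel sets this to 1 itself only after its crypto self-tests pass
    kernel_fips=0
    if [ -r "$enabled_file" ] && [ "$(cat "$enabled_file")" = "1" ]; then
        kernel_fips=1
    fi

    printf 'cmdline_fips=%s kernel_fips=%s\n' "$cmdline_fips" "$kernel_fips"
    [ "$cmdline_fips" = 1 ] && [ "$kernel_fips" = 1 ]
}

# Constructed samples (not captured from a real VHD) covering the three states
# a host can be in. A guest microVM has its own kernel and /proc, so the same
# check has to be run inside the guest to say anything about guest FIPS.
sample_dir=$(mktemp -d)
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 fips=1 rw\n' > "$sample_dir/cmdline_fips"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 rw\n' > "$sample_dir/cmdline_plain"
printf '1\n' > "$sample_dir/enabled_1"
printf '0\n' > "$sample_dir/enabled_0"

for combo in "cmdline_fips enabled_1" "cmdline_fips enabled_0" "cmdline_plain enabled_0"; do
    set -- $combo
    if fips_state "$sample_dir/$1" "$sample_dir/$2"; then
        echo "  -> host FIPS on"
    else
        echo "  -> host FIPS NOT fully on (requested but not active, or not requested)"
    fi
done
rm -rf "$sample_dir"
```

Calling `fips_state` with no arguments reads the live host; the second sample state (requested on the cmdline, not active in the kernel) is the one that indicates the FIPS initramfs integrity pieces did not take effect and the build should be treated as non-compliant.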