4.9. 签名预构建驱动程序容器

如果您有预构建的镜像,如由硬件供应商分发的镜像,或者在其他位置构建。

以下 YAML 文件将公钥/私钥对添加为带有所需密钥名称的 secret - key 为私钥,cert 为公钥。然后,集群会拉取 unsignedImage 镜像,打开它,签署 filesToSign 中列出的内核模块,将它们添加回来,并将生成的镜像推送到 containerImage

然后,内核模块管理 (KMM) 应该部署 DaemonSet,它将签名的 kmods 加载到与选择器匹配的所有节点中。驱动程序容器应在其 MOK 数据库中具有公钥的任何节点上运行,以及所有未启用 secure-boot (忽略签名)的节点。它们应该无法在启用了 secure-boot 的任何上加载,但其 MOK 数据库中没有该密钥。

先决条件

  • keySecretcertSecret secret 已创建。

流程

  1. 应用 YAML 文件: 

    ---
apiVersion: kmm.sigs.x-k8s.io/v1beta1
kind: Module
metadata:
  name: example-module
spec:
  moduleLoader:
    serviceAccountName: default
    container:
      modprobe: 1
        moduleName: '<your module name>'
      kernelMappings:
        # the kmods will be deployed on all nodes in the cluster with a kernel that matches the regexp
        - regexp: '^.*\.x86_64$'
          # the container to produce containing the signed kmods
          containerImage: <image name e.g. quay.io/myuser/my-driver:<kernelversion>-signed>
          sign:
            # the image containing the unsigned kmods (we need this because we are not building the kmods within the cluster)
            unsignedImage: <image name e.g. quay.io/myuser/my-driver:<kernelversion> >
            keySecret: # a secret holding the private secureboot key with the key 'key'
              name: <private key secret name>
            certSecret: # a secret holding the public secureboot key with the key 'cert'
              name: <certificate secret name>
            filesToSign: # full path within the unsignedImage container to the kmod(s) to sign
              - /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko
  imageRepoSecret:
    # the name of a secret containing credentials to pull unsignedImage and push containerImage to the registry
    name: repo-pull-secret
  selector:
    kubernetes.io/arch: amd64
1
modprobe - 要载入的 kmod 的名称。