4.9. 签名预构建驱动程序容器
如果您有预构建的镜像,如由硬件供应商分发的镜像,或者在其他位置构建。
以下 YAML 文件将公钥/私钥对添加为带有所需密钥名称的 secret - key
为私钥,cert
为公钥。然后,集群会拉取 unsignedImage
镜像,打开它,签署 filesToSign
中列出的内核模块,将它们添加回来,并将生成的镜像推送到 containerImage
。
然后,内核模块管理 (KMM) 应该部署 DaemonSet,它将签名的 kmods 加载到与选择器匹配的所有节点中。驱动程序容器应在其 MOK 数据库中具有公钥的任何节点上运行,以及所有未启用 secure-boot (忽略签名)的节点。它们应该无法在启用了 secure-boot 的任何上加载,但其 MOK 数据库中没有该密钥。
先决条件
-
keySecret
和certSecret
secret 已创建。
流程
应用 YAML 文件:
--- apiVersion: kmm.sigs.x-k8s.io/v1beta1 kind: Module metadata: name: example-module spec: moduleLoader: serviceAccountName: default container: modprobe: 1 moduleName: '<your module name>' kernelMappings: # the kmods will be deployed on all nodes in the cluster with a kernel that matches the regexp - regexp: '^.*\.x86_64$' # the container to produce containing the signed kmods containerImage: <image name e.g. quay.io/myuser/my-driver:<kernelversion>-signed> sign: # the image containing the unsigned kmods (we need this because we are not building the kmods within the cluster) unsignedImage: <image name e.g. quay.io/myuser/my-driver:<kernelversion> > keySecret: # a secret holding the private secureboot key with the key 'key' name: <private key secret name> certSecret: # a secret holding the public secureboot key with the key 'cert' name: <certificate secret name> filesToSign: # full path within the unsignedImage container to the kmod(s) to sign - /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko imageRepoSecret: # the name of a secret containing credentials to pull unsignedImage and push containerImage to the registry name: repo-pull-secret selector: kubernetes.io/arch: amd64
- 1
modprobe
- 要载入的 kmod 的名称。