Application and Compute Node Policy Enforcement

Introduction

Users can control which applications are allowed to run on which nodes, primarily through the use of application and node labels in the form of “Key:Value” pairs. This is enforced by having the Fortanix Confidential Computing Manager (CCM) only issue application certificates for nodes that satisfy the Fortanix CCM Application and Compute Node Policy.

Policy

Labels attached to an application are requirements: they become the application's "required" labels. Labels attached to a compute node are the labels that node "provides" once it has been enrolled in Fortanix CCM. When Fortanix CCM is asked to issue a certificate to an application running on a compute node, it compares the two sets. If every required application label is matched by a provided compute node label (same key, same value), the certificate is issued. If any required label is missing from the node, or is present with a different value, no certificate is issued; the refusal is visible in the logs of the application.

Hence, for an application to be allowed to run on a compute node, the set of provided compute node labels must be a superset of the set of required application labels.

Currently, the policy is enforced only at certificate issuance. If the labels on the application or the compute node change after a certificate has been issued, that certificate is not revoked; it remains valid until it expires.

Rules to be Satisfied

In order for Fortanix CCM to issue a certificate for an application image to run on a compute node, the following rules must be satisfied.

  • Basic security rules:

    • The compute node has been attested to be an SGX-capable node running Node Agent.

    • An instance of the application image has been attested to be running on the compute node.

  • Manual approvals:

    • The image has been approved by a manager.

    • The requested domain for the certificate (that is, its subject common name) has been approved by a manager.

    • The compute node is still active (that is, it has not been deactivated).

  • Label-based rules:

    • For each key-value label associated with the application, the compute node must have the same key with the same value.
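The following Python model of the issuance decision is an added example and is not Fortanix CCM code; the dataclasses, the field names and the sample applications and nodes are constructed for illustration. It encodes the rules listed above (attestation, manual approvals, active node, and the label superset check described in the Policy section), reports which label failed so the refusal reads like the application log entry, and then walks through the issuance-time-only caveat: after a certificate is issued, changing a node label makes a fresh policy evaluation fail, but the already-issued certificate stays valid until its expiry.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# ---- Constructed model of the two policy subjects (not CCM's data model) ----


@dataclass(frozen=True)
class Application:
    name: str
    image_approved: bool          # approved by a manager
    domain_approved: bool         # certificate subject CN approved by a manager
    required_labels: dict[str, str]


@dataclass(frozen=True)
class ComputeNode:
    name: str
    sgx_attested: bool            # attested SGX-capable node running Node Agent
    attested_apps: frozenset[str]  # application images attested to be running here
    active: bool                  # not deactivated
    provided_labels: dict[str, str]


def check_labels(required: dict[str, str], provided: dict[str, str]) -> list[str]:
    """Return one message per unsatisfied required label.

    An empty list means the provided labels are a superset of the required
    ones: every required key is present on the node with the same value.
    Extra node labels never cause a failure.
    """
    problems = []
    for key, value in required.items():
        if key not in provided:
            problems.append(f"required label {key}:{value} missing on node")
        elif provided[key] != value:
            problems.append(
                f"required label {key}:{value} but node provides {key}:{provided[key]}"
            )
    return problems


def evaluate_policy(app: Application, node: ComputeNode) -> list[str]:
    """Return the list of reasons a certificate must be refused (empty = issue)."""
    reasons = []
    if not node.sgx_attested:
        reasons.append("node not attested as SGX-capable running Node Agent")
    if app.name not in node.attested_apps:
        reasons.append("no attested instance of the image on this node")
    if not app.image_approved:
        reasons.append("image not approved by a manager")
    if not app.domain_approved:
        reasons.append("certificate domain not approved by a manager")
    if not node.active:
        reasons.append("compute node has been deactivated")
    reasons.extend(check_labels(app.required_labels, node.provided_labels))
    return reasons


def issue_certificate(app: Application, node: ComputeNode,
                      now: datetime, lifetime: timedelta) -> dict | None:
    """Issue a (toy) certificate record only if the policy passes right now."""
    if evaluate_policy(app, node):
        return None
    return {"app": app.name, "node": node.name, "not_after": now + lifetime}


def certificate_valid_at(cert: dict, now: datetime) -> bool:
    """Validity depends only on expiry: policy changes do not revoke it."""
    return now < cert["not_after"]


# ---- Constructed sample data ----
SAMPLE_APP = Application("payments", True, True,
                         {"env": "prod", "region": "eu"})
SAMPLE_NODE_OK = ComputeNode("node-a", True, frozenset({"payments"}), True,
                             {"env": "prod", "region": "eu", "rack": "r7"})
SAMPLE_NODE_MISMATCH = ComputeNode("node-b", True, frozenset({"payments"}), True,
                                   {"env": "staging"})


def demonstrate_no_revocation() -> tuple[bool, bool, bool]:
    """Issue, then change a node label; return (policy_now_fails, valid_before_expiry, valid_after_expiry)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = issue_certificate(SAMPLE_APP, SAMPLE_NODE_OK, t0, timedelta(hours=24))
    assert cert is not None
    # Operator relabels the node after issuance; a new request would be refused.
    relabeled = replace(SAMPLE_NODE_OK, provided_labels={"env": "prod", "region": "us"})
    policy_now_fails = bool(evaluate_policy(SAMPLE_APP, relabeled))
    return (policy_now_fails,
            certificate_valid_at(cert, t0 + timedelta(hours=1)),
            certificate_valid_at(cert, t0 + timedelta(hours=25)))


if __name__ == "__main__":
    print("node-a:", evaluate_policy(SAMPLE_APP, SAMPLE_NODE_OK) or "certificate issued")
    print("node-b:", evaluate_policy(SAMPLE_APP, SAMPLE_NODE_MISMATCH))
    print("after relabel (fails, valid@+1h, valid@+25h):", demonstrate_no_revocation())
```

The per-label messages are the useful part operationally: when an application fails to obtain its certificate, the log entry should say which key was missing or which value differed, since a node with the right keys but a stale value fails exactly like a node with no labels at all.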