
SCONE Custom Resources Quickstart

Prerequisites

We assume that you have installed the SCONE Operator and in the process, also the image pull secrets sconeapps and scone-operator-pull.

You can check the state and reconcile it (the --reconcile flag) as follows:

curl -fsSL https://raw.githubusercontent.com/scontain/SH/master/operator_controller | bash -s - \
--reconcile --verbose

This will deploy the SGXPlugin and the LAS.
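The following preflight script is an added example; it is not part of the SCONE documentation or of the operator_controller script. It checks the two prerequisites stated above in the operator namespace (both image pull secrets present, and at least one SGXPlugin and one LAS custom resource) and reports what is missing. Assumptions: the namespace defaults to scone-systems, and the kinds sgxplugin and las are accepted by kubectl get; the sample lists in offline mode are constructed and not real cluster output.

```shell
#!/bin/sh
# Added example, not from the SCONE project: preflight check for the SCONE operator
# prerequisites. Without --live it runs on constructed sample data.

# Assumption: the operator namespace defaults to scone-systems (override via SCONE_NAMESPACE).
NAMESPACE="${SCONE_NAMESPACE:-scone-systems}"

# missing_from LIST NAME... : print every NAME that does not occur as a whole line in LIST.
# LIST is newline-separated, as printed by
#   kubectl get <kind> -o custom-columns=NAME:.metadata.name --no-headers
missing_from() {
  list="$1"
  shift
  for name in "$@"; do
    if ! printf '%s\n' "$list" | grep -qx -- "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# check_pull_secrets SECRET_LIST : print the missing pull secrets; empty output means OK.
check_pull_secrets() {
  missing_from "$1" sconeapps scone-operator-pull
}

# count_lines LIST : number of non-empty lines, i.e. how many resources of a kind exist.
count_lines() {
  printf '%s\n' "$1" | grep -c . || true
}

# check_custom_resources SGXPLUGIN_LIST LAS_LIST : print each kind that has no instance.
check_custom_resources() {
  [ "$(count_lines "$1")" -gt 0 ] || printf '%s\n' "SGXPlugin"
  [ "$(count_lines "$2")" -gt 0 ] || printf '%s\n' "LAS"
}

if [ "${1:-}" = "--live" ]; then
  # Live mode: gather the name lists from the cluster (assumed kinds: sgxplugin, las).
  cols='custom-columns=NAME:.metadata.name'
  secrets=$(kubectl -n "$NAMESPACE" get secrets -o "$cols" --no-headers)
  plugins=$(kubectl -n "$NAMESPACE" get sgxplugin -o "$cols" --no-headers)
  lases=$(kubectl -n "$NAMESPACE" get las -o "$cols" --no-headers)
  problems=$(check_pull_secrets "$secrets"; check_custom_resources "$plugins" "$lases")
  if [ -n "$problems" ]; then
    echo "missing in namespace $NAMESPACE:"
    echo "$problems"
    exit 1
  fi
  echo "prerequisites satisfied in namespace $NAMESPACE"
else
  # Offline demonstration on constructed sample output: one pull secret is absent
  # and no LAS resource exists yet.
  sample_secrets=$(printf 'default-token-abcde\nsconeapps\n')
  sample_plugins='sgxplugin'
  sample_las=''
  echo "missing pull secrets: $(check_pull_secrets "$sample_secrets")"
  echo "missing custom resources: $(check_custom_resources "$sample_plugins" "$sample_las")"
fi
```

Run it as `sh preflight.sh --live` against a cluster; a non-empty report means the operator_controller reconcile step above has not completed (or ran in a different namespace), so re-run it before applying the manifests in the next section.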

Create Custom Resources: SGXPlugin and LAS

!!! note "The operator_controller will overwrite any changes to the custom resources LAS or SGXPlugin the next time it is called with --reconcile or --update. Consider changing the

To run SCONE-based confidential services and applications in a Kubernetes cluster, we need

  • SCONE SGX Plugin to grant access to the SGX device
  • SCONE LAS (Local Attestation Service) to perform local attestation

You can create the Kubernetes namespace scone-systems and deploy the SCONE SGX Plugin and SCONE LAS in this namespace with one command:

kubectl apply -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_and_cas.yaml

The SCONE operator will ensure that the SGX plugin and LAS are kept running and are automatically updated. The SCONE operator itself would need to be updated via its helm chart.

Independent Deployment of SGX Plugin and LAS

If you want to decouple the deployment of the SGX Plugin and LAS, we provide a basic manifest for each resource. You can install the SGX Plugin with kubectl:

kubectl create -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_v1beta1_sgxplugin.yaml

and LAS from the included sample manifest:

kubectl create -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_v1beta1_las.yaml

These two manifests contain reasonable defaults and should work without any modifications for most deployments. This setup can be used in production.

The default Kubernetes namespace for the SGX Plugin and LAS is the namespace of the SCONE Operator. The default Kubernetes namespace of the SCONE Operator is scone-systems. If the defaults do not fit your requirements, you can customize the manifests described in the SCONE Custom Resource Definitions.

Create CAS for Development

To install SCONE CAS for development, run:

kubectl apply -f https://raw.githubusercontent.com/scontain/operator-samples/main/services_v1beta1_cas.yaml

This CAS will run in production mode and use a persistent volume for its database but does not support a fail-over to a different host.

No Fail-Over to other nodes

To enable fail-over of a CAS to a different node, the CAS backup controller needs to be enabled. To simplify the setup of a fail-over CAS, we maintain a kubectl plugin; see Install a production CAS.