SCONE Custom Resources Quickstart
Prerequisites
We assume that you have installed the SCONE Operator and, in the process, also the image pull secrets `sconeapps` and `scone-operator-pull`.
You can check the state of the installation and reconcile it as follows:

```bash
curl -fsSL https://raw.githubusercontent.com/scontain/SH/master/operator_controller | bash -s - \
  --reconcile --verbose
```

Note that this pipes a script fetched over HTTPS straight into `bash`; if your policy requires it, download the script and inspect it before running it.
This will deploy the `SGXPlugin` and the `LAS`.
Create Custom Resources: SGXPlugin and LAS
!!! note
    The `operator_controller` will overwrite any changes to the custom resources `LAS` or `SGXPlugin` the next time it is called with `--reconcile` or `--update`. Consider changing the
To run SCONE-based confidential services and applications in a Kubernetes cluster, we need:

- the SCONE SGX Plugin, to grant containers access to the SGX device, and
- the SCONE LAS (Local Attestation Service), to perform local attestation.
You can create the Kubernetes namespace `scone-systems` and deploy the SCONE SGX Plugin and SCONE LAS in this namespace with one command:

```bash
kubectl apply -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_and_cas.yaml
```
The SCONE operator ensures that the SGX Plugin and LAS are kept running and are updated automatically. The SCONE operator itself is not updated this way; it must be updated separately via its Helm chart.
Independent Deployment of SGX Plugin and LAS
If you want to decouple the deployment of the SGX Plugin and LAS, we provide a basic manifest for each resource. Install the SGX Plugin with `kubectl`:

```bash
kubectl create -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_v1beta1_sgxplugin.yaml
```

and LAS from the included sample manifests:

```bash
kubectl create -f https://raw.githubusercontent.com/scontain/operator-samples/main/base_v1beta1_las.yaml
```
These two manifests contain reasonable defaults and should work without modification for most deployments; this setup can be used in production.

The default Kubernetes namespace for the SGX Plugin and LAS is the namespace of the SCONE Operator, which is `scone-systems` by default. If the defaults do not fit your requirements, you can customize the manifests as described in the SCONE Custom Resource Definitions.
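Before creating a CAS, it is worth verifying that the prerequisites and the base resources described above are actually in place. The following script is an added example and is not part of the SCONE documentation or the operator's tooling. It checks that the two image pull secrets exist, that an `SGXPlugin` and a `LAS` custom resource are present, and that every pod in the namespace is fully ready. It assumes (none of this is stated on the page) that the namespace is `scone-systems`, that the custom resources can be listed with `kubectl get sgxplugin` and `kubectl get las`, and that `kubectl` is configured for the target cluster; the parsing helpers are pure shell so they can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not SCONE project code: sanity-check the SCONE base
# installation (pull secrets, SGXPlugin and LAS custom resources, pod
# readiness) after `operator_controller --reconcile` or after applying the
# sample manifests, and before deploying a CAS.
#
# Assumptions (not from the page): namespace scone-systems, custom resources
# addressable as `kubectl get sgxplugin` / `kubectl get las`, working kubectl.
set -eu

NS="${SCONE_NAMESPACE:-scone-systems}"
REQUIRED_SECRETS="sconeapps scone-operator-pull"
REQUIRED_KINDS="sgxplugin las"

# missing_names REQUIRED PRESENT
# Prints the space-separated names in REQUIRED that do not occur in PRESENT
# and returns 1 if any are missing (0 otherwise). No cluster access needed.
missing_names() {
  required="$1"; present="$2"; missing=""
  for name in $required; do
    case " $present " in
      *" $name "*) ;;
      *) missing="${missing:+$missing }$name" ;;
    esac
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# unready_pods LINES
# LINES is the output of `kubectl get pods --no-headers`: one pod per line,
# second column "<ready>/<total>". Prints the pods whose containers are not
# all ready and returns 1 if there is at least one. No cluster access needed.
unready_pods() {
  bad=""
  while read -r pod ready rest; do
    [ -n "$pod" ] || continue
    case "$ready" in
      */*) n="${ready%%/*}"; t="${ready#*/}" ;;
      *)   n=0; t=1 ;;           # unexpected shape: treat as not ready
    esac
    if [ "$n" -ne "$t" ] || [ "$t" -eq 0 ]; then
      bad="${bad:+$bad }$pod"
    fi
  done <<EOF
$1
EOF
  printf '%s\n' "$bad"
  [ -z "$bad" ]
}

# Cluster-facing checks: each wraps one kubectl query around a pure helper.
check_secrets() {
  present="$(kubectl get secrets -n "$NS" -o jsonpath='{.items[*].metadata.name}')"
  missing_names "$REQUIRED_SECRETS" "$present"
}

check_custom_resources() {
  # `kubectl get <kind>` exits 0 even when nothing is found, so test the output;
  # it exits non-zero when the CRD itself is not installed.
  for kind in $REQUIRED_KINDS; do
    found="$(kubectl get "$kind" -n "$NS" -o name)" || return 1
    [ -n "$found" ] || { echo "no $kind resource in $NS" >&2; return 1; }
  done
}

run_checks() {
  out="$(check_secrets)" \
    || { echo "missing image pull secrets in $NS: $out" >&2; return 1; }
  check_custom_resources || return 1
  out="$(unready_pods "$(kubectl get pods -n "$NS" --no-headers)")" \
    || { echo "pods not fully ready in $NS: $out" >&2; return 1; }
  echo "SGX Plugin and LAS look healthy in $NS"
}

# Only touch the cluster when explicitly asked:  sh check_scone_base.sh --check
if [ "${1:-}" = "--check" ]; then
  run_checks
fi
```

Run it with `--check` against the cluster; it exits non-zero and names the missing secret, missing resource kind, or unready pod. Because the operator itself runs in the same namespace, an unready operator pod is reported too, which is usually what you want to know before creating a CAS.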
Create CAS for Development
To install a SCONE CAS for development, apply the sample manifest:

```bash
kubectl apply -f https://raw.githubusercontent.com/scontain/operator-samples/main/services_v1beta1_cas.yaml
```

This CAS runs in production mode and uses a persistent volume for its database, but it does not support fail-over to a different node.
No Fail-Over to Other Nodes
To enable fail-over of a CAS to a different node, the CAS backup controller needs to be enabled. To simplify the setup of a fail-over CAS, we maintain a `kubectl` plugin; see Install a production CAS.