
AKS Setup

Simplified Deployment

In our SconeApps, we also support the native AKS SGX Plugin, i.e., there is no need to install the SCONE SGX Plugin on AKS.

MAA-based attestation

Right now, SCONE-based confidential services are attested using DCAP or EPID-based attestation. Starting with SCONE 5.4.0, one can enable Microsoft Azure Attestation (MAA), as well as import secrets from Azure Key Vault (AKV) via SCONE CAS policies.

SCONE-based confidential applications can be deployed with helm, i.e., the Kubernetes Package Manager on AKS. To do so, you need to

  • ensure helm has access to our SconeApps helm charts: SconeApps
  • ensure that our SCONE LAS (local attestation service) is installed with helm: LAS installation

AKS is compatible with helm, i.e., one can deploy applications with helm as soon as your confidential AKS cluster is running. You need to specify --set useSGXDevPlugin=azure to use the Azure SGX Plugin and --set sgxEpcMem=16 (in MiB) to specify the required EPC size. We support a variety of helm charts: we provide confidential variants of, for example, mariadb, maxscale, memcached, nginx, openvino, pytorch, spark, teemon, tensorflow, TensorFlowLite, and Zookeeper.

Compatibility

Note that SCONE confidential services stay compatible with any Kubernetes cluster, i.e., you can deploy some confidential services on your own Kubernetes cluster while others run on AKS. On AKS, you can enable additional Azure services in the policy, for example using MAA for attestation. Outside of AKS, you can enable DCAP-based attestation and use SCONE CAS for secret management. Deploying with helm makes it easy to redeploy workloads on different Kubernetes clusters, such as moving services from your development Kubernetes cluster to AKS.

Creating an AKS cluster

To set up an AKS cluster, use the Azure command line interface (az) and follow the steps in the official Azure Kubernetes Service documentation. A brief summary follows:

  1. You need a resource group for the new cluster. You can create a new one named myResourceGroup in the westus2 region by running:

```shell
az group create --name myResourceGroup --location westus2
```

  2. Create the cluster with the confidential computing add-on (confcom) enabled; the add-on deploys the Azure SGX device plugin onto the nodes. This command creates the system node pool, which hosts the cluster's system pods (the Kubernetes control plane itself is managed by Azure). You can control the number of nodes through the -c (--node-count) option.

```shell
az aks create --name myAKSCluster --generate-ssh-keys --enable-addons confcom -g myResourceGroup
```

  3. Create the confidential node pool on SGX-capable VMs (here Standard_DC2s_v2), which the Azure SGX device plugin will serve. You can configure the number of nodes through the -c option and change the VM size by setting a different --node-vm-size (see all available sizes).

```shell
az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --node-vm-size Standard_DC2s_v2 --resource-group myResourceGroup
```

  4. Get the credentials for the cluster. This writes the credentials to your default kubeconfig ($KUBECONFIG or ~/.kube/config):

```shell
az aks get-credentials --name myAKSCluster --resource-group myResourceGroup
```

Deploying LAS (Local Attestation Service)

You need to deploy our Local Attestation Service (LAS) to run your SCONE applications with remote attestation.

  1. Install Helm and add the sconeapps repo. You might need to request access first.

  2. Install the LAS Helm chart. In this example, we use the Azure SGX device plugin that comes with the cluster.

```shell
helm install las sconeapps/las --set useSGXDevPlugin=azure --set image=registry.scontain.com/sconecuratedimages/kubernetes:las.microsoft-azure
```

  3. That's it. LAS pods should now be running (one per node) in your cluster:

```shell
$ kubectl get pods
NAME        READY   STATUS    RESTARTS   AGE
las-2z2vk   1/1     Running   0          5s
las-7vdkt   1/1     Running   0          5s
```
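The cluster-creation steps above and the LAS deployment, combined into one script with the checks a practitioner wants before deploying confidential workloads: that at least one node actually advertises SGX EPC for the device plugin in use (pods requesting the resource otherwise stay Pending), and that the LAS DaemonSet has a Ready pod on every node. This is example code added here, not a script from the SCONE page or project. It assumes the chart repository URL is supplied in SCONEAPPS_REPO_URL (the page does not give it) and that the las chart creates a DaemonSet named las (the page only shows one las-* pod per node); the resource names default to the ones used above. The two extended-resource names it knows are those advertised by the Azure SGX device plugin (kubernetes.azure.com/sgx_epc_mem_in_MiB, an integer in MiB) and the SCONE SGX plugin (sgx.intel.com/epc, a Kubernetes quantity such as 16Mi).

```shell
#!/usr/bin/env sh
# Added example, not SCONE's or Microsoft's own script: cluster creation and
# LAS deployment as one script, plus the checks worth running afterwards.
# Assumptions not on the page:
#   - SCONEAPPS_REPO_URL holds the chart repository URL you were given;
#   - the las chart creates a DaemonSet named "las".
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"
LOCATION="${LOCATION:-westus2}"
CLUSTER="${CLUSTER:-myAKSCluster}"
POOL="${POOL:-confcompool1}"
POOL_VM_SIZE="${POOL_VM_SIZE:-Standard_DC2s_v2}"
POOL_NODES="${POOL_NODES:-1}"
LAS_IMAGE="${LAS_IMAGE:-registry.scontain.com/sconecuratedimages/kubernetes:las.microsoft-azure}"

# Extended resource name that each SGX device plugin advertises on a node.
#   azure: plugin installed by the confcom add-on; value is an integer in MiB
#   scone: the SCONE SGX plugin; value is a Kubernetes quantity such as 16Mi
sgx_resource_name() {
  case "$1" in
    azure) printf '%s\n' 'kubernetes.azure.com/sgx_epc_mem_in_MiB' ;;
    scone) printf '%s\n' 'sgx.intel.com/epc' ;;
    *) printf 'unknown SGX device plugin: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Resource-limit line for a pod spec, given the plugin and the EPC size in MiB.
epc_limit() {
  name="$(sgx_resource_name "$1")" || return 1
  case "$1" in
    azure) printf '%s: %s\n' "$name" "$2" ;;
    scone) printf '%s: %sMi\n' "$name" "$2" ;;
  esac
}

# Read "node<TAB>allocatable-EPC" lines on stdin; print the nodes that have EPC.
nodes_with_epc() {
  awk -F'\t' '$2 != "" { print $1 }'
}

create_cluster() {
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  # System pool for system pods; the control plane itself is managed by Azure.
  # The confcom add-on deploys the Azure SGX device plugin onto the nodes.
  az aks create --name "$CLUSTER" --resource-group "$RESOURCE_GROUP" \
    --generate-ssh-keys --enable-addons confcom --output none
  # Confidential pool on SGX-capable DCsv2 VMs.
  az aks nodepool add --cluster-name "$CLUSTER" --resource-group "$RESOURCE_GROUP" \
    --name "$POOL" --node-vm-size "$POOL_VM_SIZE" --node-count "$POOL_NODES" --output none
  az aks get-credentials --name "$CLUSTER" --resource-group "$RESOURCE_GROUP" --overwrite-existing
}

# Fail unless at least one node advertises EPC for the given plugin.
check_epc_nodes() {
  name="$(sgx_resource_name "$1")" || return 1
  key="$(printf '%s' "$name" | sed 's/\./\\./g')"   # escape dots for jsonpath
  found="$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.allocatable.'"$key"'}{"\n"}{end}' | nodes_with_epc)"
  if [ -z "$found" ]; then
    echo "no node advertises $name; check the node pool VM size and the device plugin" >&2
    return 1
  fi
  echo "SGX nodes:"; echo "$found"
}

install_las() {
  helm repo add sconeapps "${SCONEAPPS_REPO_URL:?chart repository URL required}"
  helm repo update
  helm upgrade --install las sconeapps/las \
    --set useSGXDevPlugin=azure --set image="$LAS_IMAGE"
  # One LAS pod per node; wait until every scheduled pod is Ready.
  kubectl rollout status daemonset/las --timeout=180s
}

main() {
  create_cluster
  check_epc_nodes azure
  install_las
  echo "EPC limit for a 16 MiB enclave on this cluster: $(epc_limit azure 16)"
}

# Only run end to end when explicitly asked, so the helpers can be sourced and tested.
case "${AKS_SETUP_RUN:-0}" in 1) main ;; esac
```

Run it with AKS_SETUP_RUN=1 SCONEAPPS_REPO_URL=... sh aks-setup.sh; helm upgrade --install is used instead of helm install so the script can be re-run after a failed step.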

Deploy a SCONE application

To run your first SCONE application on the confidential AKS cluster, save the following manifest from our Kubernetes tutorial as app.yaml. Note that its EPC limit uses the resource name of the SCONE SGX plugin (sgx.intel.com/epc). On a cluster that only has the Azure SGX device plugin from the confcom add-on, request EPC through kubernetes.azure.com/sgx_epc_mem_in_MiB (an integer number of MiB) instead; otherwise no node offers the requested resource and the pod stays Pending.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
spec:
  selector:
    matchLabels:
      run: hello-world
  replicas: 1
  template:
    metadata:
      labels:
        run: hello-world
    spec:
      containers:
      - name: hello-world
        image: sconecuratedimages/kubernetes:hello-k8s-scone0.1
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: GREETING
          value: howdy!
        resources:
          limits:
            sgx.intel.com/epc: 5Mi
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
  labels:
    run: hello-world
spec:
  ports:
  - port: 8080
    protocol: TCP
  selector:
    run: hello-world
```
  1. Run the application.

```shell
kubectl create -f app.yaml
```

  2. Redirect a local port to the service port.

```shell
kubectl port-forward svc/hello-world 8080:8080 &
```

  3. Send a request to the service.

```shell
$ curl localhost:8080
Hello World!
$GREETING is: howdy!
```

To run the same application with remote attestation, transparent filesystem encryption and secret delivery, check our Kubernetes tutorial.