Right now, SCONE-based confidential services are attested using DCAP or EPID-based attestation. Starting with SCONE 5.3.0, one can enable Microsoft Azure Attestation (MAA) and import secrets from Azure Key Vault (AKV) via SCONE CAS policies.
SCONE-based confidential applications can be deployed with helm, i.e., the Kubernetes package manager, on AKS. To do so, you need to
- ensure that helm has access to our SconeApps helm charts: SconeApps
- ensure that our SCONE LAS (local attestation service) is installed with helm: LAS installation
AKS is compatible with helm, i.e., one can deploy applications with helm as soon as your confidential AKS cluster is running.
You need to specify --useSGXDevPlugin=azure to use the Azure SGX Plugin and --set sgxEpcMem=16 (in MiB) to specify the required EPC size.
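The deployment procedure above as an added shell example (not part of SCONE's documentation or tooling): it validates the requested EPC size, selects the Azure SGX device plugin, and composes the helm install command before running it. The SconeApps repository URL, the LAS chart name sconeapps/las, and the values key useSGXDevPlugin (taken from the page's --useSGXDevPlugin flag) are assumptions.

```shell
#!/bin/sh
# Added example, not SCONE's own tooling: deploy a SconeApps chart on AKS.
# Assumptions: SCONEAPPS_REPO_URL is a placeholder for the SconeApps chart
# repository, "sconeapps/las" is the assumed LAS chart name, and the page's
# --useSGXDevPlugin flag is passed as the helm values key useSGXDevPlugin.
set -eu

# The EPC size must be a positive integer number of MiB (no sign, no leading zero).
epc_flag() {
  case "$1" in
    ''|*[!0-9]*|0*) echo "invalid EPC size '$1': expected positive integer MiB" >&2; return 1 ;;
  esac
  echo "--set sgxEpcMem=$1"
}

# On AKS the Azure SGX device plugin must be selected; anything else is rejected.
plugin_flag() {
  case "$1" in
    azure) echo "--set useSGXDevPlugin=azure" ;;  # assumed values key, see lead-in
    *) echo "unsupported SGX device plugin '$1': this page covers azure only" >&2; return 1 ;;
  esac
}

# Compose (but do not run) the helm install command line for one release.
install_cmd() {
  release=$1; chart=$2; epc=$3
  plugin=$(plugin_flag azure) || return 1
  mem=$(epc_flag "$epc") || return 1
  printf 'helm install %s %s %s %s\n' "$release" "$chart" "$plugin" "$mem"
}

# Full procedure from this page: add the chart repo, install LAS, install the app.
deploy() {
  helm repo add sconeapps "${SCONEAPPS_REPO_URL:?set to the SconeApps repo URL}"
  # Word-splitting of $(plugin_flag azure) is intended: "--set" and its value are two tokens.
  # Passing the same device-plugin selection to LAS is an assumption of this example.
  helm install las sconeapps/las $(plugin_flag azure)
  cmd=$(install_cmd "$1" "$2" "$3")
  echo "+ $cmd"; eval "$cmd"
}

# Usage: ./deploy.sh <release> <chart> <epc-mib>, e.g. ./deploy.sh web sconeapps/nginx 16
if [ "$#" -eq 3 ]; then deploy "$@"; fi
```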
We support a variety of helm charts: we provide confidential variants of, for example, mariadb, maxscale, memcached, nginx, openvino, pytorch, spark, teemon, tensorflow, TensorFlowLite, and Zookeeper.
To set up an AKS cluster, use the AKS command line interface. For a quick walk-through on how to deploy a Kubernetes cluster and how to deploy applications on AKS, please follow this description.
Note that SCONE confidential services stay compatible with any Kubernetes cluster, i.e., you can deploy some confidential services on your own Kubernetes cluster while others run on AKS. On AKS, you can enable additional Azure services in the policy, e.g., using MAA for attestation. Outside of AKS, you can enable DCAP-based attestation and use SCONE CAS for secret management. Deploying with helm makes it easy to redeploy workloads on different Kubernetes clusters, e.g., moving services from your development Kubernetes cluster to AKS.