Right now, SCONE-based confidential services are attested using DCAP or EPID-based attestation. Starting with SCONE 5.4.0, one can enable Microsoft Azure Attestation (MAA), as well as import secrets from Azure Key Vault (AKV) via SCONE CAS policies.
SCONE-based confidential applications can be deployed with
helm, i.e., the Kubernetes Package Manager on AKS. To do so, you need to
helmhas access to our SconeApps helm charts: SconeApps
- ensure that our SCONE LAS (local attestation service) is installed with helm: LAS installation
AKS is compatible with
helm, i.e., one can deploy applications with
helm as soon as your confidential AKS cluster is running.
You need to specify
--useSGXDevPlugin=azure to use the Azure SGX Plugin and
--set sgxEpcMem=16 (in MiB) to specify the required EPC size.
We support a variety of helm charts: we provide confidential variants of, for example, mariadb, maxscale, memcached, nginx, openvino, pytorch, spark, teemon, tensorflow, TensorFlowLite, and Zookeeper.
Note that SCONE confidential services will stay compatible with any Kubernetes cluster, i.e., you can deploy some confidential services on your own Kubernetes cluster while others run on AKS. On AKS, you can enable additional Azure services in the policy, like, using MAA for attestation. Outside of AKS, you can enable DCAP-based attestation and use SCONE CAS for secret management. Deploying with
helm makes it very easy to redeploy workloads on different Kubernetes clusters, like, moving services from your development Kubernetes cluster to AKS.
Creating an AKS cluster
To set up an AKS cluster, use the AKS command line interface and follow the steps on the offical Azure Kuberentes Service documentation. A brief summary follows:
- You need a resource group for the new cluster. You can create a new one named
westus2region by running:
az group create --name myResourceGroup --location westus2
- Create the cluster with the confidential computing add-on enabled. This command will create a system node pool, responsible for running the Kubernetes control plane services. You can control the number of nodes through
az aks create --name myAKSCluster --generate-ssh-keys --enable-addon confcom -g myResourceGroup
- Create the confidential node pool with Intel SGX and the Azure SGX device plugin. You can configure the number of nodes through
-coption. Change the VM size by setting a different
--node-vm-size(see all available sizes).
az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --node-vm-size Standard_DC2s_v2 --resource-group myResourceGroup
- Get the credentials for the cluster. This will write the credentials to your default kubeconfig (
az aks get-credentials --name myAKSCluster --resource-group myResourceGroup
Deploying LAS (Local Attestation Service)
You need to deploy our Local Attestation Service (LAS) to run your SCONE applications with remote attestation.
Install Helm and add the
sconeappsrepo. You might need to request access first.
Install the LAS Helm chart. In this example, we use the Azure SGX device plugin that comes with the cluster.
helm install las sconeapps/las --set useSGXDevPlugin=azure --set image=registry.scontain.com:5050/sconecuratedimages/kubernetes:las.microsoft-azure
- That's it. LAS pods should now be running (one per node) in your cluster.
$ kubectl get pods NAME READY STATUS RESTARTS AGE las-2z2vk 1/1 Running 0 5s las-7vdkt 1/1 Running 0 5s
Deploy a SCONE application
To run your first SCONE application on the confidential AKS cluster, use the following manifest from our Kubernetes tutorial.
apiVersion: apps/v1 kind: Deployment metadata: name: hello-world spec: selector: matchLabels: run: hello-world replicas: 1 template: metadata: labels: run: hello-world spec: containers: - name: hello-world image: sconecuratedimages/kubernetes:hello-k8s-scone0.1 imagePullPolicy: Always ports: - containerPort: 8080 env: - name: GREETING value: howdy! resources: limits: sgx.intel.com/epc: 5Mi --- apiVersion: v1 kind: Service metadata: name: hello-world labels: run: hello-world spec: ports: - port: 8080 protocol: TCP selector: run: hello-world
- Run the application.
kubectl create -f app.yaml
- Redirect a local port to the service port.
kubectl port-forward svc/hello-world 8080:8080 &
- Send a request to the service.
$ curl localhost:8080 Hello World! $GREETING is: howdy!
To run the same application with remote attestation, transparent filesystem encryption and secret delivery, check our Kubernetes tutorial.