AKS Setup

Simplified Deployment

In our SconeApps, we also support the native AKS SGX Plugin, i.e., there is no need to install the SCONE SGX Plugin on AKS.

MAA-based attestation

Right now, SCONE-based confidential services are attested using DCAP or EPID-based attestation. Starting with SCONE 5.3.0, one can enable Microsoft Azure Attestation (MAA) and import secrets from Azure Key Vault (AKV) via SCONE CAS policies.

SCONE-based confidential applications can be deployed with helm, i.e., the Kubernetes Package Manager, on AKS. To do so, you need to

  • ensure helm has access to our SconeApps helm charts: SconeApps
  • ensure that our SCONE LAS (local attestation service) is installed with helm: LAS installation

AKS is compatible with helm, i.e., one can deploy applications with helm as soon as your confidential AKS cluster is running. You need to specify --useSGXDevPlugin=azure to use the Azure SGX Plugin and --set sgxEpcMem=16 (in MiB) to specify the required EPC size. We support a variety of helm charts: we provide confidential variants of, for example, mariadb, maxscale, memcached, nginx, openvino, pytorch, spark, teemon, tensorflow, TensorFlowLite, and Zookeeper.
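The helm invocation described above, as an added example that is not part of the SconeApps documentation. It assumes that `useSGXDevPlugin` and `sgxEpcMem` are passed to the chart as `--set` values, and the repository URL and chart name are placeholders to replace with the SconeApps ones.

```shell
#!/bin/sh
# Added example: build and validate the helm flags this page describes, then install.
# Assumption: both options are chart values passed with --set (placeholder chart names).

# scone_helm_args PLUGIN EPC_MIB -> prints the --set flags, or fails on bad input
scone_helm_args() {
    plugin="$1"
    epc_mib="$2"
    case "$plugin" in
        azure|scone) ;;   # azure = native AKS SGX plugin; scone = SCONE SGX plugin (non-AKS)
        *) echo "unknown SGX device plugin: $plugin" >&2; return 1 ;;
    esac
    case "$epc_mib" in
        # digits only, no leading zero, so "0", "", "16MiB" and "016" are rejected
        ''|*[!0-9]*|0*) echo "sgxEpcMem must be a positive integer in MiB: '$epc_mib'" >&2; return 1 ;;
    esac
    printf '%s\n' "--set useSGXDevPlugin=$plugin --set sgxEpcMem=$epc_mib"
}

# scone_helm_install RELEASE CHART PLUGIN EPC_MIB [extra helm args...]
# Validates the SGX options first so a typo fails here rather than at pod start.
scone_helm_install() {
    release="$1"; chart="$2"; plugin="$3"; epc_mib="$4"; shift 4
    args=$(scone_helm_args "$plugin" "$epc_mib") || return 1
    # shellcheck disable=SC2086  # word-splitting of $args into two --set pairs is intended
    helm install "$release" "$chart" $args "$@"
}

# Usage on an AKS cluster (placeholder repo URL and chart name):
#   helm repo add sconeapps <SCONEAPPS_HELM_REPO_URL>
#   scone_helm_install my-nginx sconeapps/nginx azure 16 --dry-run
# Outside AKS, use the SCONE SGX plugin instead:
#   scone_helm_install my-nginx sconeapps/nginx scone 16
```

Run with `--dry-run` first to inspect the rendered manifests and confirm the EPC request before creating the release.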

To set up an AKS cluster, use the AKS command line interface. For a quick walk-through of how to deploy a Kubernetes cluster and how to deploy applications on AKS, please follow this description.

Compatibility

Note that SCONE confidential services stay compatible with any Kubernetes cluster, i.e., you can deploy some confidential services on your own Kubernetes cluster while others run on AKS. On AKS, you can enable additional Azure services in the policy, such as using MAA for attestation. Outside of AKS, you can enable DCAP-based attestation and use SCONE CAS for secret management. Deploying with helm makes it very easy to redeploy workloads on different Kubernetes clusters, such as moving services from your development Kubernetes cluster to AKS.