scone-openvino chart

To see the customizations this chart currently supports, have a look at values.yaml.

Prerequisites

  1. A Kubernetes cluster.
  2. Helm 3 installed.

Before you begin

  1. Submit any SCONE sessions (e.g., the one located in ../../policies) to a CAS that is accessible from within the cluster. Reference them through the extraEnv section.
  2. Create the directories you need on the worker nodes, as this application relies on hostPath volumes. They are defined in the extraVolumes section.
  3. Clone this git repository.

Install the chart

Add the repo

If you haven't yet, please add this repo to Helm.

To deploy OpenVINO with the default parameters to your Kubernetes cluster:

helm install my-openvino sconeapps/openvino

See your deployed pods by running kubectl get pods | grep my-openvino.

SGX device

By default, this helm chart uses the SCONE SGX Plugin. Hence, it sets the resource limits of CAS as follows:

resources:
  limits:
    sgx.intel.com/enclave: 1

Alternatively, set useSGXDevPlugin to azure (e.g., --set useSGXDevPlugin=azure) to support Azure's SGX Device Plugin. Since Azure requires you to specify the amount of EPC memory allocated to your application, the parameter sgxEpcMem (SGX EPC memory in MiB) then becomes required as well (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx

extraVolumeMounts:
  - name: dev-isgx
    path: /dev/isgx

Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set securityContext:

securityContext:
  privileged: true
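
To see which deployed pods use the privileged hostPath mount rather than the device plugin resource, the following added example (not part of this chart or its repository) audits pod specs in the shape returned by kubectl get pods -o json. The pod and container names in the sample are constructed.

```python
import json

SGX_RESOURCE = "sgx.intel.com/enclave"  # resource name from the chart's default limits
SGX_DEVICE = "/dev/isgx"                # host device path from the hostPath example

def audit_pod(pod):
    """Return findings for one pod object (as in `kubectl get pod -o json`)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Names of volumes backed by the host SGX device.
    sgx_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if (v.get("hostPath") or {}).get("path") == SGX_DEVICE
    }
    findings = []
    for c in spec.get("containers", []):
        limits = (c.get("resources") or {}).get("limits") or {}
        privileged = bool((c.get("securityContext") or {}).get("privileged"))
        mounts_dev = any(m.get("name") in sgx_volumes for m in c.get("volumeMounts", []))
        where = f"{name}/{c.get('name')}"
        if privileged:
            findings.append(f"{where}: privileged container, can access all host devices")
        if mounts_dev and SGX_RESOURCE not in limits:
            findings.append(f"{where}: mounts {SGX_DEVICE} via hostPath, no {SGX_RESOURCE} limit")
    return findings

def audit(pod_list):
    """Audit every pod in a `kubectl get pods -o json` style list."""
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]

# Constructed sample: one pod using the device plugin, one using the hostPath fallback.
SAMPLE = {"items": [
    {"metadata": {"name": "my-openvino-plugin"},
     "spec": {"containers": [{"name": "openvino",
                              "resources": {"limits": {SGX_RESOURCE: 1}}}]}},
    {"metadata": {"name": "my-openvino-hostpath"},
     "spec": {"volumes": [{"name": "dev-isgx", "hostPath": {"path": SGX_DEVICE}}],
              "containers": [{"name": "openvino",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "dev-isgx",
                                                "mountPath": SGX_DEVICE}]}]}},
]}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

To audit a live cluster, replace SAMPLE with the parsed output of kubectl get pods -o json (for example via json.load on standard input).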