I recently learned that Intel SGX processors are able to encrypt enclaves for persistent storage to disk. After this, I started to write my first SGX apps and now I am wondering if there is any opportunity to deploy them on Kubernetes?
1 Answer
Your question can be split into multiple steps:

1. Having a Kubernetes cluster that exposes SGX to your apps

   You'll need Kubernetes nodes with SGX-capable CPUs. The way Kubernetes handles "special devices" such as SGX is through Device Plugins. Multiple SGX device plugins exist for Kubernetes:

   - Intel: https://intel.github.io/intel-device-plugins-for-kubernetes/cmd/sgx_plugin/README.html
   - Azure: https://github.com/Azure/aks-engine/blob/master/docs/topics/sgx.md

   Once you've equipped a node with such a plugin, it provides you with a mechanism to expose the SGX device to your containers.

2. Building SGX apps for Kubernetes and accessing SGX resources

   You'll need to bundle your enclave into a container and write the Kubernetes resource definitions. The most common language for Cloud Native Applications is probably Go. There is a great example of a confidential microservice application based on the EdgelessRT Go runtime and SDK (link), which uses the Azure device plugin for exposing SGX to the containers: https://github.com/edgelesssys/emojivoto

3. Managing attestation, sealing, etc. for your SGX app

   Probably the most interesting point when deploying SGX apps on Kubernetes is SGX-specific orchestration. While Kubernetes handles all the general orchestration, SGX-specific tasks such as remote attestation, migration, and secrets management of your deployments need to be handled separately. The Marblerun service mesh addresses those tasks, namely:

   - Attestation of your services: https://marblerun.sh/docs/features/attestation/
   - Migration and Recovery: https://marblerun.sh/docs/features/recovery/
   - Secrets Management: https://marblerun.sh/docs/features/secrets-management/
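To make steps 1 and 2 of the answer concrete, here is an added example (not part of the original answer, nor code from the Intel, Azure or Edgeless projects) of the Kubernetes resource definition a pod needs in order to reach the node's SGX device through a device plugin. The resource names `sgx.intel.com/epc`, `sgx.intel.com/enclave` and `sgx.intel.com/provision` are the ones the Intel SGX device plugin advertises, and `kubernetes.azure.com/sgx_epc_mem_in_MiB` is the one used by the Azure aks-engine plugin; the pod name, namespace, image reference and EPC sizes are constructed placeholders.

```yaml
# Added example: a Pod that requests SGX resources from a device plugin.
# With a device plugin in place the container needs neither `privileged: true`
# nor a hostPath mount of /dev; the plugin injects the device node for you.
apiVersion: v1
kind: Pod
metadata:
  name: sgx-enclave-app        # placeholder name
  namespace: confidential      # placeholder namespace
spec:
  containers:
    - name: enclave
      # Placeholder image reference; pin the enclave image by digest so the
      # deployed code is exactly what was measured during enclave signing.
      image: registry.example.com/sgx-app@sha256:<image-digest>
      resources:
        limits:
          # Intel SGX device plugin: Enclave Page Cache the enclave may use.
          # The 512Mi value is a constructed example; size it to your enclave.
          sgx.intel.com/epc: "512Mi"
          # Grants access to /dev/sgx_enclave, which is what running enclaves need.
          sgx.intel.com/enclave: 1
          # /dev/sgx_provision is only required by the component that derives
          # provisioning (attestation) keys, e.g. a quoting service; ordinary
          # workloads should not request it.
          # sgx.intel.com/provision: 1
          #
          # Azure aks-engine device plugin alternative (EPC in MiB):
          # kubernetes.azure.com/sgx_epc_mem_in_MiB: 512
      securityContext:
        # Device access comes from the plugin, so no extra privileges are needed.
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

After `kubectl apply -f` of this manifest, `kubectl describe node <sgx-node>` should list the requested resource names under the node's Capacity/Allocatable, which is the quickest way to confirm the plugin is registered and that the pod was scheduled for the right reason. Note that this manifest only solves device access (steps 1 and 2); it says nothing about whether the enclave that ends up running is the one you intended, which is exactly the attestation, recovery and secrets-management work the answer defers to step 3.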