Trusted Cluster enhanced by CC API & CCNP

1. Definitions

Confidential Cluster is defined by:

  • Red Hat: A confidential cluster (CCl) is a cluster of confidential virtual machines, which are considered to be part of a single trust domain.
  • Google: Confidential GKE Nodes are built on top of Compute Engine Confidential VM, which encrypts the memory contents of VMs in use. Confidential GKE Nodes can be enabled as a cluster-level security setting or a node pool-level security setting.
  • Edgeless: Leverages confidential computing to isolate entire Kubernetes clusters from the infrastructure.

Trusted Cluster adds end-to-end measurement on top of a Confidential Cluster:

In the diagram above:

  • CCNP is used to calculate the measurement at node, namespace, pod and cluster level.
  • CC Trusted API provides a unified API for the tenant to access measurements, event logs and quotes (reports).
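The following is an added illustration, not code from CCNP or the CC Trusted API, of what the tenant does with the three artifacts the API exposes: it replays the event log through a TPM/RTMR-style extend chain, rebuilds the per-level registers (node, namespace, pod) plus a cluster register derived from them, and compares the result with the reported measurement. The extend rule, the fixed level order used to derive the cluster value, and the sample log entries are all assumptions made for this example; the real CCNP measurement layout may differ.

```python
"""Verify a hierarchical (node / namespace / pod / cluster) measurement
against the event log that is claimed to have produced it.

Illustrative code, not CCNP or CC Trusted API. The measurement model is
a TPM/RTMR-style extend chain (assumption for this example):

    register' = H(register || H(event_data))

The cluster register is derived by extending the node, namespace and pod
registers in a fixed order, so a change anywhere below changes the
cluster value. All sample event data is constructed.
"""
import hashlib
from dataclasses import dataclass

ALG = "sha384"
ZERO = b"\x00" * hashlib.new(ALG).digest_size
LEVELS = ("node", "namespace", "pod")  # the cluster register is derived from these


@dataclass(frozen=True)
class Event:
    level: str       # which register the event extends: "node", "namespace" or "pod"
    event_type: str  # label only, e.g. "kernel", "image", "config"
    data: bytes      # the measured content; it is hashed before extending


def extend(register: bytes, data: bytes) -> bytes:
    """TPM/RTMR-style extend: register' = H(register || H(data))."""
    return hashlib.new(ALG, register + hashlib.new(ALG, data).digest()).digest()


def cluster_measurement(regs: dict) -> bytes:
    """Cluster register = ZERO extended with the node, namespace and pod
    registers in that fixed order (assumed layout for this example)."""
    acc = ZERO
    for lvl in LEVELS:
        acc = extend(acc, regs[lvl])
    return acc


def replay(log: list) -> dict:
    """Recompute every register from the event log, in log order.
    Order matters: swapping two events of one level changes that level."""
    regs = {lvl: ZERO for lvl in LEVELS}
    for ev in log:
        if ev.level not in regs:
            raise ValueError(f"unknown measurement level {ev.level!r}")
        regs[ev.level] = extend(regs[ev.level], ev.data)
    regs["cluster"] = cluster_measurement(regs)
    return regs


def verify(reported: dict, log: list) -> set:
    """Return the levels whose reported value is NOT explained by the log.
    An empty set means the log fully accounts for the measurement; a
    non-empty set means the quote should be rejected for those levels."""
    expected = replay(log)
    return {lvl for lvl, val in reported.items() if expected.get(lvl) != val}


# Constructed sample event log (digests are placeholders, not real values).
SAMPLE_LOG = [
    Event("node", "kernel", b"vmlinuz-6.x sha256:PLACEHOLDER_A"),
    Event("node", "kubelet", b"kubelet v1.28 sha256:PLACEHOLDER_B"),
    Event("namespace", "policy", b"ns=tenant-a pss=restricted"),
    Event("pod", "image", b"registry.example/app@sha256:PLACEHOLDER_C"),
    Event("pod", "config", b"pod=app-0 args=--serve"),
]


def demo() -> set:
    """Verify an honest log, then a log whose pod image event was replaced.
    Returns the set of levels that fail for the tampered log."""
    reported = replay(SAMPLE_LOG)
    assert verify(reported, SAMPLE_LOG) == set()
    tampered = (SAMPLE_LOG[:3]
                + [Event("pod", "image", b"registry.example/app@sha256:PLACEHOLDER_D")]
                + SAMPLE_LOG[4:])
    return verify(reported, tampered)  # {"pod", "cluster"}: node and namespace still match


if __name__ == "__main__":
    for lvl, val in replay(SAMPLE_LOG).items():
        print(f"{lvl:10s} {val.hex()[:16]}...")
    print("levels failing after image swap:", sorted(demo()))
```

The point of the replay is that a measurement value on its own proves nothing to the tenant; only a log that reproduces it, bound to a fresh nonce inside the quote, lets the tenant attribute each register to concrete events. The derived cluster register means a tampered pod image is visible both at pod level and at cluster level, which is the property the per-level measurements above are meant to give.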

2. Confidential Cluster

2.1 Existing CSPs

|                      | Google GKE                                    | Azure AKS                                                                        |
|----------------------|-----------------------------------------------|----------------------------------------------------------------------------------|
| Resource             | N2D (AMD EPYC) / C3 (Intel Sapphire Rapids)   | DCasv5/ECasv5 (AMD), DCesv5/ECesv5 (Intel)                                        |
| OS                   | CentOS/ContainerOS/Debian/Fedora/RHEL/...     | Ubuntu Server 22.04 LTS / SUSE Linux Enterprise Server / Red Hat Enterprise Linux |
| CPU Accelerator      | AMX                                           | AMX                                                                              |
| Full Disk Encryption | Yes                                           | Yes                                                                              |
| Key                  | Customer-managed encryption keys (CMEK)       | PMK (platform-managed key) and CMK (customer-managed key)                         |
| Attestation          | Google-managed vTPM                           | Microsoft Azure Attestation / Intel® Trust Authority                              |
| Tutorial             | Here                                          | here                                                                             |

3. Deployment

There are three options for creating a confidential cluster.

  • Create a few confidential VMs (CVMs) and deploy Kubernetes within them. The CVMs can run on local hosts if you have supported hardware, or they can be requested from a CSP. The document csp_cvm.md shows how to request a TD on Google Cloud or Azure and start a Kubernetes cluster on a single confidential node.
  • Create Confidential GKE Nodes on Google Cloud.
  • Create a Constellation-based confidential cluster on top of a TDX machine. Follow the steps here to deploy the cluster.

Find details in the deployment guide.