This is a Kubernetes device plugin implementation that enables the registration of Confidential Computing devices in a Google Kubernetes Engine (GKE) for compute workload. With the appropriate GKE setup and this plugin deployed in your Kubernetes cluster, you will be able to run jobs (e.g. Attestation) that require Confidential Computing devices. (Note that: Current version supports TPM. Support for SEV SNP and TDX are on the way.)
- GKE
- This plugin targets Kubernetes v1.18+.
The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices (e.g. TPM). The simplest way of doing so is to create a Kubernetes DaemonSet, which run a copy of a pod on all (or some) Nodes in the cluster. We have a pre-built Docker image on Goolge Artifact Registry that you can use for with your DaemonSet. This repository also have a pre-defined yaml file named cc-device-plugin.yaml. You can create a DaemonSet in your Kubernetes cluster by running this command:
kubectl create -f manifests/cc-device-plugin.yaml
or directly pull from the web using
kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml