I recently learned that Intel SGX processors are able to encrypt enclaves for persistent storage to disk. After this, I started to write my first SGX apps and now I am wondering if there is any opportunity to deploy them on Kubernetes?
Your question can be split into multiple steps:
You'll need Kubernetes nodes with SGX-capable CPUs. The way Kubernetes handles "special devices" such as SGX is through Device Plugins. Multiple SGX device plugins exist for Kubernetes:
Once you've equipped a node with such a plugin, they provide you with a mechanism to expose the SGX device to your containers.
You'll need to bundle your enclave into a container and write the Kubernetes resource definitions. The most common language for Cloud Native Applications is probably Go. There is a great example for a confidential microservice application based on the EdgelessRT Go runtime and SDK (link), which uses the Azure device plugin for exposing SGX to the containers: https://github.com/edgelesssys/emojivoto
Probably the most interesting point when deploying SGX apps on Kubernetes is SGX-specific orchestration. While Kubernetes handles all the general orchestration, SGX-specific tasks such as remote attestation, migration, and secrets management of your deployments need to be handled separately. The Marblerun service mesh addresses those tasks, namely:
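As an added example that is not part of the answer above: a Deployment manifest showing how the device-plugin mechanism exposes SGX to a container. The resource names `sgx.intel.com/epc`, `sgx.intel.com/enclave` and `sgx.intel.com/provision` are the extended resources the Intel SGX device plugin advertises; the Deployment name, image and EPC size are placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sgx-enclave-app                      # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sgx-enclave-app
  template:
    metadata:
      labels:
        app: sgx-enclave-app
    spec:
      containers:
        - name: enclave
          image: registry.example.com/sgx-enclave-app:1.0   # placeholder image
          resources:
            limits:
              # Extended resources advertised by the Intel SGX device plugin.
              # The scheduler only places the Pod on a node that exposes them,
              # and the plugin then mounts the matching device nodes into
              # the container.
              sgx.intel.com/epc: "64Mi"      # EPC the enclave may use; size per app
              sgx.intel.com/enclave: 1       # mounts /dev/sgx_enclave
              # sgx.intel.com/provision: 1   # mounts /dev/sgx_provision; only the
                                             # attestation (quoting) component needs
                                             # it, so leave it off ordinary containers
          securityContext:
            # No privileged mode and no hostPath mount of /dev is needed:
            # device access comes solely from the resource request above,
            # so the container can keep the usual hardening.
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

Before relying on these names, check what a node actually advertises with `kubectl describe node <node>` (the Capacity and Allocatable sections list the extended resources); the Azure plugin that emojivoto uses advertises its own resource names, so the limits block differs there.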