How can I deploy SGX apps on Kubernetes?

1/5/2021

I recently learned that Intel SGX processors are able to encrypt enclaves for persistent storage to disk. After this, I started to write my first SGX apps and now I am wondering if there is any opportunity to deploy them on Kubernetes?

-- jayare
confidential
kubernetes
sgx

1 Answer

1/5/2021

Your question can be split into multiple steps:

  1. Having a Kubernetes cluster that exposes SGX to your apps

You'll need Kubernetes nodes with SGX-capable CPUs. The way Kubernetes handles "special devices" such as SGX is through Device Plugins. Multiple SGX device plugins exist for Kubernetes:

Once you've equipped a node with such a plugin, they provide you with a mechanism to expose the SGX device to your containers.

  2. Building SGX apps for Kubernetes and accessing SGX resources

You'll need to bundle your enclave into a container and write the Kubernetes resource definitions. The most common language for Cloud Native Applications is probably Go. There is a great example for a confidential microservice application based on the EdgelessRT Go runtime and SDK(link), which uses the Azure device plugin for exposing SGX to the containers: https://github.com/edgelesssys/emojivoto

  3. Managing attestation, sealing, etc. for your SGX app

Probably the most interesting point when deploying SGX apps on Kubernetes is SGX-specific orchestration. While Kubernetes handles all the general orchestration, SGX-specific tasks such as remote attestation, migration, and secrets management of your deployments need to be handled separately. The Marblerun service mesh addresses those tasks, namely:

-- Jonathan
Source: StackOverflow
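As an added illustration of step 1 and step 2 above (not part of the original answer or of any of the projects it mentions), here is a Deployment that obtains SGX access the way a device plugin intends: by requesting the plugin's extended resources, so the kubelet mounts the SGX device into the container and the scheduler only places the pod on nodes that advertise it, with no privileged container or hostPath mount of /dev. The resource names are those of the Intel SGX device plugin; the Azure plugin used by the emojivoto example advertises `kubernetes.azure.com/sgx_epc_mem_in_MiB` instead, and the image and service names are placeholders.

```yaml
# Added example: an enclave workload requesting SGX through the Intel SGX
# device plugin's extended resources. Names marked "placeholder" are invented.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: enclave-service              # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: enclave-service
  template:
    metadata:
      labels:
        app: enclave-service
    spec:
      containers:
        - name: enclave
          image: registry.example.com/enclave-service:1.0.0   # placeholder image
          resources:
            # Requesting these resources is what gives the container
            # /dev/sgx_enclave and an EPC budget; nodes without the plugin
            # do not advertise them, so the pod can only land on SGX nodes.
            requests:
              sgx.intel.com/epc: "64Mi"      # enclave page cache for the enclave
              sgx.intel.com/enclave: "1"     # one handle on the enclave device
            limits:
              sgx.intel.com/epc: "64Mi"
              sgx.intel.com/enclave: "1"
          # The device plugin removes the need for privilege, so the
          # container can run with a minimal security context.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8080          # placeholder service port
```

Check the resource names against the device plugin version actually deployed (`kubectl describe node <sgx-node>` lists what the node advertises under Allocatable), since they differ between plugins.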