Prerequisites

Requirements for deploying Confidential Containers

This section will describe hardware and software prerequisites, installing Confidential Containers with an operator, verifying the installation, and running a pod with Confidential Containers.

1 - Hardware Requirements

Hardware requirements for deploying Confidential Containers

Confidential Computing is a hardware technology. Confidential Containers supports multiple hardware platforms and can leverage cloud hardware. If you do not have bare metal hardware and will deploy Confidential Containers with a cloud integration, continue to the cloud section.

You can also run Confidential Containers without hardware support for testing or development.

The Confidential Containers operator, which is described in the following section, does not set up the host kernel, firmware, or system configuration. Before installing Confidential Containers on a bare metal system, make sure that your node can start confidential VMs.

This section will describe the configuration that is required on the host.

Regardless of your platform, it is recommended to have at least 8 GB of RAM and 4 cores on your worker node.

1.1 - CoCo without Hardware

Testing and development without hardware

For testing or development, Confidential Containers can be deployed without any hardware support.

This is referred to as a coco-dev or non-tee. A coco-dev deployment functions the same way as Confidential Containers with an enclave, but a non-confidential VM is used instead of a confidential VM. This does not provide any security guarantees, but it can be used for testing.

No additional host configuration is required as long as the host supports virtualization.

1.2 - Secure Execution Host Setup

Host configurations for IBM s390x

TODO

1.3 - SEV-SNP Host Setup

Host configurations for AMD SEV-SNP machines

TODO

1.4 - SGX Host Setup

Host configurations for Intel SGX machines

TODO

1.5 - TDX Host Setup

Host configurations for Intel TDX machines

TODO

2 - Cloud Hardware

Confidential Containers on the Cloud

Confidential Containers can be deployed via confidential computing cloud offerings. The main method of doing this is to use the cloud-api-adaptor also known as “peer pods.”

Some clouds also support starting confidential VMs inside of non-confidential VMs. With Confidential Containers these offerings can be used as if they were bare metal.

3 - Cluster Setup

Cluster prerequisites

Confidential Containers requires Kubernetes. A cluster must be installed before running the operator. Many different clusters can be used, but they should meet the following requirements.

  • The minimum Kubernetes version is 1.24.
  • The cluster must use containerd or cri-o.
  • At least one node has the label node-role.kubernetes.io/worker=.
  • SELinux is not enabled.

If you use Minikube or Kind to set up your cluster, you will only be able to use runtime classes based on Cloud Hypervisor due to an issue with QEMU.
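The following pre-flight script is an added example and is not part of the Confidential Containers project or the operator. It checks the cluster requirements listed above (Kubernetes version, container runtime, worker label, SELinux) and the host virtualization support that the coco-dev section relies on. Each check is a function that takes the text it inspects as an argument, so the functions can be run offline against captured output; the function names, the `kubectl` jsonpath query and the `--show-labels` column layout it parses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Confidential Containers project's own code): a POSIX
# sh pre-flight check for the prerequisites listed on this page. Each check
# takes the text it inspects as an argument so it can be exercised offline;
# check_cluster() feeds the checks live kubectl/getenforce output when present.

# Kubernetes version: a kubelet/server version string such as "v1.27.3",
# "v1.28.1-gke.100" or "v1.24.0+k3s1" must be at least 1.24.
k8s_version_ok() {
    ver=${1#v}                      # strip the leading "v"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}         # drop "+k3s1"-style suffixes
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 24 ]; }
}

# Container runtime: a node's containerRuntimeVersion must be containerd or cri-o.
runtime_ok() {
    case "$1" in
        containerd://*|cri-o://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Worker label: `kubectl get nodes --show-labels` output must list at least one
# node carrying node-role.kubernetes.io/worker= with an empty value.
has_worker_node() {
    printf '%s\n' "$1" | grep -Eq '(^|[ ,])node-role\.kubernetes\.io/worker=(,|$)'
}

# SELinux: `getenforce` must report Disabled; an empty string means the tool is
# absent (SELinux not installed). Permissive still counts as enabled.
selinux_ok() {
    case "$1" in
        Disabled|'') return 0 ;;
        *) return 1 ;;
    esac
}

# Host virtualization (needed even for coco-dev / non-TEE runs): the CPU flags
# line from /proc/cpuinfo must include vmx (Intel) or svm (AMD).
virt_flags_ok() {
    case " $1 " in
        *" vmx "*|*" svm "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live pre-flight against the current cluster and the host this runs on
# (run it on each worker node). Prints one line per check; returns 0 only if
# every cluster check passed.
check_cluster() {
    rc=0
    if command -v kubectl >/dev/null 2>&1; then
        nodes=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kubeletVersion} {.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}' 2>/dev/null) || nodes=""
        while read -r name kver rt; do
            [ -n "$name" ] || continue
            if k8s_version_ok "$kver"; then echo "ok    $name kubelet $kver"
            else echo "FAIL  $name kubelet $kver is older than 1.24"; rc=1; fi
            if runtime_ok "$rt"; then echo "ok    $name runtime $rt"
            else echo "FAIL  $name runtime $rt is not containerd or cri-o"; rc=1; fi
        done <<EOF
$nodes
EOF
        if has_worker_node "$(kubectl get nodes --show-labels 2>/dev/null)"; then
            echo "ok    a node carries node-role.kubernetes.io/worker="
        else echo "FAIL  no node carries node-role.kubernetes.io/worker="; rc=1; fi
    else
        echo "skip  kubectl not found; cluster checks not run"
    fi
    enforce=$(getenforce 2>/dev/null) || enforce=""
    if selinux_ok "$enforce"; then echo "ok    SELinux: ${enforce:-not installed}"
    else echo "FAIL  SELinux is $enforce; it must not be enabled"; rc=1; fi
    flags=$(sed -n 's/^flags[[:space:]]*: *//p' /proc/cpuinfo 2>/dev/null | head -n 1)
    if virt_flags_ok "$flags" && [ -e /dev/kvm ]; then echo "ok    vmx/svm flag and /dev/kvm present"
    else echo "WARN  no vmx/svm flag or /dev/kvm here; this host cannot start VMs"; fi
    return $rc
}

if check_cluster; then echo "all prerequisite checks passed"
else echo "some prerequisite checks failed"; fi
```

Run the script on a worker node with `kubectl` access to the cluster. The SELinux and virtualization checks only describe the machine the script runs on, so repeat them on every node that will host pods; the cluster checks query all nodes through the API.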