Introduction
This article describes the steps for running confidential containers with Fortanix Runtime Encryption on Microsoft Azure Kubernetes Service (AKS).
Steps to Run Confidential Container on AKS
- Create an Azure AKS cluster with SGX support using Azure CLI/Portal.
For more details refer to the URL: https://github.com/Azure/aks-engine/blob/master/docs/topics/sgx.md#deploy-a-kubernetes-cluster.
- Create a confidential container image for your existing container using the Fortanix Confidential Computing Manager (CCM). You can do this from the Fortanix CCM Console or through its REST APIs.
To create a confidential container image using the Fortanix CCM Console, refer to the following URLs:
- Create an Image: https://support.fortanix.com/hc/en-us/articles/360043529411-User-s-Guide-
- Fortanix CCM User Guide: https://support.fortanix.com/hc/en-us/sections/360008695591-User-Guide
- Configure, in Fortanix CCM, the container registry that stores the container images.
For more details refer to the URL: https://support.fortanix.com/hc/en-us/articles/360048967971-User-s-Guide-Image-Registry#SettingMultipleAzureContainerRegistries.
- Run the confidential container image on the Azure AKS cluster. A sample YAML file for running a confidential container follows. Note that the sample runs the container with privileged: true and bind-mounts the node's /dev/sgx/enclave device through a hostPath volume. A privileged container has access to all of the node's devices and Linux capabilities, far more than enclave access requires, so a compromise of the application container is a compromise of the node. For anything beyond a quick test, request the enclave device through the SGX device plugin described in the aks-engine document linked below, and drop the privileged flag and the hostPath volume.
For more details on scheduling confidential containers on Azure AKS, refer to the URL: https://github.com/Azure/aks-engine/blob/master/docs/topics/sgx.md#scheduling-pods-to-tee-enabled-hardware.
Following is a sample YAML to run an example application on AKS:

apiVersion: v1
kind: Pod
metadata:
  name: app-sgx
  labels:
    app: app-sgx
spec:
  restartPolicy: Never
  containers:
  - name: app-sgx
    image: <banne01/convert:flask-sgx-dcap>
    volumeMounts:
    - name: dev-sgx
      mountPath: /dev/sgx/enclave
    securityContext:
      privileged: true
    ports:
    - containerPort: 5000
      name: http
      protocol: TCP
  volumes:
  - name: dev-sgx
    hostPath:
      path: /dev/sgx/enclave
      type: CharDevice
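The following script is an added example and is not part of the Fortanix or Azure documentation referenced above. It shows the sample pod spec next to a hardened variant that requests the enclave device through the SGX device plugin instead of a privileged hostPath mount, and a small pre-deploy check that rejects the risky settings. Both manifests are constructed inline for the demonstration; the image placeholder from the article is kept as-is. The check assumes the cluster runs the Azure SGX device plugin, which advertises the extended resource kubernetes.azure.com/sgx_epc_mem_in_MiB; confirm that resource name against the linked aks-engine/AKS documentation for the plugin version deployed in your cluster.

```shell
#!/bin/sh
# Added example (not from the Fortanix/Azure docs): a pre-deploy lint for
# SGX pod manifests. It rejects the two settings in the article's sample
# that grant far more than enclave access (privileged: true and a hostPath
# mount of a node device) and requires an SGX EPC request, so that the
# device plugin, not a privileged mount, exposes /dev/sgx to the container.
# Assumption: the Azure SGX device plugin is installed and advertises
# kubernetes.azure.com/sgx_epc_mem_in_MiB (verify for your cluster).

# Constructed input 1: the sample manifest from the article, risky as written.
RISKY_MANIFEST=$(cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app-sgx
spec:
  restartPolicy: Never
  containers:
  - name: app-sgx
    image: <banne01/convert:flask-sgx-dcap>
    volumeMounts:
    - name: dev-sgx
      mountPath: /dev/sgx/enclave
    securityContext:
      privileged: true
  volumes:
  - name: dev-sgx
    hostPath:
      path: /dev/sgx/enclave
      type: CharDevice
EOF
)

# Constructed input 2: the same pod, hardened. No privileged flag and no
# hostPath; the EPC limit makes the scheduler place the pod on an SGX node
# and lets the device plugin inject the enclave device into the container.
HARDENED_MANIFEST=$(cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app-sgx
spec:
  restartPolicy: Never
  containers:
  - name: app-sgx
    image: <banne01/convert:flask-sgx-dcap>
    resources:
      limits:
        kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
    securityContext:
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 5000
EOF
)

# check_manifest reads a pod manifest on stdin.
# Exit status: 0 = acceptable; 1 = privileged container or hostPath volume;
# 2 = no SGX EPC request (the pod may land on a non-SGX node or run without
# the enclave device, and someone will be tempted to "fix" it with privileged).
check_manifest() {
    m=$(cat)
    if printf '%s\n' "$m" | grep -Eq '^[[:space:]]*privileged:[[:space:]]*true'; then
        echo "FAIL: container runs privileged" >&2
        return 1
    fi
    if printf '%s\n' "$m" | grep -Eq '^[[:space:]]*hostPath:'; then
        echo "FAIL: hostPath volume mounted from the node" >&2
        return 1
    fi
    if ! printf '%s\n' "$m" | grep -Eq 'kubernetes\.azure\.com/sgx_epc_mem_in_MiB:[[:space:]]*[0-9]+'; then
        echo "FAIL: no SGX EPC request; the device plugin will not expose /dev/sgx" >&2
        return 2
    fi
    echo "OK: manifest uses the SGX device plugin without privileged access"
    return 0
}

# Usage:
#   printf '%s\n' "$RISKY_MANIFEST" | check_manifest     # exit status 1
#   printf '%s\n' "$HARDENED_MANIFEST" | check_manifest  # exit status 0
#   check_manifest < app-sgx.yaml && kubectl apply -f app-sgx.yaml
```

The check is deliberately a line-oriented grep rather than a YAML parser so it runs anywhere a shell and grep exist, for example as a pre-commit hook or a CI gate in front of kubectl apply. Its limitation is that it matches key names, not YAML structure, so a multi-document file or an unusual layout should be reviewed by hand; a cluster-side admission policy is the stronger control and this script does not replace one.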