Azure Kubernetes Service with Fortanix Confidential Computing Manager

Introduction

This article describes how to set up an Azure Kubernetes Service (AKS) cluster as worker nodes in Fortanix Confidential Computing Manager (CCM).

Setup AKS Cluster as Worker Nodes in Fortanix CCM

1. Set up an SGX-capable cluster. For instructions refer to the URL:
   https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started
2. Run kubectl get ds -n kube-system to see the configured DaemonSets in the kube-system namespace.
3. Retrieve the join token for your CCM zone from the CCM UI and store a copy as a Kubernetes secret in your cluster.
   1. Navigate to the “COMPUTE NODES” tab in the CCM UI and click “ENROLL NODE” to bring up the token dialog. Copy the token.                                                           Figure 1: Enroll node
       
   2. Create a Kubernetes secret for the token. Replace the <token> value below with your token.

      kubectl create secret generic em-token --from-literal=<token>

       
4. Save and download the following YAML file.

   apiVersion: apps/v1
   kind: DaemonSet
   metadata:
     name: em-agent
     namespace: default
     labels:
       component: em-agent
   spec:
     selector:
       matchLabels:
         component: em-agent
     template:
       metadata:
         labels:
           component: em-agent
       spec:
         hostNetwork: true
         dnsPolicy: ClusterFirstWithHostNet
         volumes:
         - name: em-agent-data
           hostPath:
             path: /mnt/em-agent-data
         - name: dev
           hostPath:
             path: /dev
         - name: var-run-aesmd
           hostPath:
             path: /var/run/aesmd
         - name: agent-manager-auth
           secret:
             secretName: agent-manager-auth
         containers:
         - name: em-agent
         image: "fortanix/em-agent"
         resources:
           limits:
             kubernetes.azure.com/sgx_epc_mem_in_MiB: 1
           requests:
             cpu: "100m"
             memory: "100Mi"
         volumeMounts:
         - name: em-agent-data
           mountPath: /var/opt/fortanix/em-agent/node
         - name: dev
           mountPath: /dev/host
         - name: var-run-aesmd
           mountPath: /var/run/aesmd
         ports:
         - containerPort: 9092
           name: http
           protocol: TCP
           hostPort: 9092
        env:
        - name: AGENT_MANAGER_AUTH_BASIC_TOKEN
          valueFrom:
            secretKeyRef:
              name: em-token
              key: token
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName

    
5. Deploy the node agent DemonSet.

   kubectl create -f agent-daemonset.yaml

 
6. Include the following definitions in the k8s specifications of containers that use SGX. Adjust the requested amount of Electronic Product Code (EPC) memory to suit your node type and workload.

   resources:
     limits:
       kubernetes.azure.com/sgx_epc_mem_in_MiB: 16
   env:
   - name: NODE_IP
     valueFrom:
       fieldRef:
         fieldPath: status.hostIP
   - name: NODE_AGENT_BASE_URL
     value: http://$(NODE_IP):9092/v1

   For more information about scheduling pods with EPC reservations, see Scheduling Pods to TEE enabled Hardware.