Azure Kubernetes Service with Fortanix Confidential Computing Manager

Introduction

This article describes how to set up an Azure Kubernetes Service (AKS) cluster as worker nodes in Fortanix Confidential Computing Manager (CCM).

Setup AKS Cluster as Worker Nodes in Fortanix CCM

1. Set up an SGX-capable cluster. For instructions refer to the URL:
   https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started
2. Run kubectl get ds -n kube-system to see the configured DaemonSets in the kube-system namespace.
3. Retrieve the join token for your CCM zone from the CCM UI and store a copy as a Kubernetes secret in your cluster.
   1. Navigate to the “COMPUTE NODES” tab in the CCM UI and click “ENROLL NODE” to bring up the token dialog. Copy the token.                                                           Figure 1: Enroll node
       
   2. Create a Kubernetes secret for the token. Replace the <token> value below with your token.

      kubectl create secret generic em-token --from-literal="token=(token-from-ccm.fortanix.com)"

       
4. Save and download the following YAML file.

   apiVersion: apps/v1
   kind: DaemonSet
   metadata:
     name: em-agent
     namespace: default
     labels:
       component: em-agent
   spec:
     selector:
       matchLabels:
         component: em-agent
     template:
       metadata:
         labels:
           component: em-agent
       spec:
         hostNetwork: true
         dnsPolicy: ClusterFirstWithHostNet
         volumes:
         - name: em-agent-data
           hostPath:
             path: /mnt/em-agent-data
         - name: dev
           hostPath:
             path: /dev
         - name: var-run-aesmd
           hostPath:
             path: /var/run/aesmd
         - name: agent-manager-auth
           secret:
             secretName: agent-manager-auth
         containers:
         - name: em-agent
           image: "fortanix/em-agent"
           resources:
             limits:
               kubernetes.azure.com/sgx_epc_mem_in_MiB: 1
           requests:
             cpu: "100m"
             memory: "100Mi"
          volumeMounts:
          - name: em-agent-data
            mountPath: /var/opt/fortanix/em-agent/node
          - name: dev
            mountPath: /dev/host
          - name: var-run-aesmd
            mountPath: /var/run/aesmd
          ports:
          - containerPort: 9092
            name: http
            protocol: TCP
            hostPort: 9092
          env:
          - name: AGENT_MANAGER_AUTH_BASIC_TOKEN
            valueFrom:
              secretKeyRef:
                name: em-token
                key: token
          - name: NODE_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName

    
5. Deploy the node agent DemonSet.

   kubectl create -f ./agent.yaml
   daemonset.apps/em-agent created

 
6. Include the following definitions in the k8s specifications of containers that use SGX. Adjust the requested amount of Electronic Product Code (EPC) memory to suit your node type and workload.

   resources:
     limits:
       kubernetes.azure.com/sgx_epc_mem_in_MiB: 16
   env:
   - name: NODE_IP
     valueFrom:
       fieldRef:
         fieldPath: status.hostIP
   - name: NODE_AGENT_BASE_URL
     value: http://$(NODE_IP):9092/v1

   For more information about scheduling pods with EPC reservations, see Scheduling Pods to TEE enabled Hardware.