Confidential computing setup
Note
This page describes features that are still experimental in Kairos. There are a lot of things that can be improved and might be more streamlined in the future.Confidential computing is a type of secure computing that allows users to encrypt and decrypt data on a secure, isolated computing environment. It works by encrypting the data before it is sent to the cloud or other computing resources. This allows users to keep their data private and secure, even if it is accessed by unauthorized parties. This makes it useful for sensitive data such as financial information, health records, and other confidential data.
One important aspect of Confidential Computing is the ability to encrypt data even in-memory. This document describes how to setup Kairos to use enclave-cc
in order to run confidential workloads.
Create a Kairos cluster
The coco community bundle
is supported since Kairos version v2.0.0-alpha3
(“coco” stands for “Confidential Computing”).
A configuration file like the following should be used (see the bundles
section):
#cloud-config
bundles:
- targets:
- run://quay.io/kairos/community-bundles:system-upgrade-controller_latest
- run://quay.io/kairos/community-bundles:cert-manager_latest
- run://quay.io/kairos/community-bundles:kairos_latest
- run://quay.io/kairos/community-bundles:coco_latest
install:
auto: true
device: auto
reboot: true
k3s:
enabled: true
users:
- name: kairos
passwd: kairos
The bundle is making some changes on the host’s filesystem (installs a customized containerd binary among other things) and a restart of the node is needed in order for the changes to be applied fully.
When this file appears, reboot the node: /etc/containerd/.sentinel
.
Additional steps
kubectl label --overwrite node $(kubectl get nodes -o jsonpath='{.items[].metadata.name}') node-role.kubernetes.io/worker=""
kubectl apply -k github.com/confidential-containers/operator/config/release?ref=v0.4.0
- [Deploy the
ccruntime
resource]
kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/ssh-demo?ref=v0.4.0
(wait until they are all running: kubectl get pods -n confidential-containers-system --watch
)
-
The last part with the verification will only work from within a Pod because the IP address is internal:
ssh -i ccv0-ssh root@$(kubectl get service ccv0-ssh -o jsonpath="{.spec.clusterIP}")
You can create a Pod like this:
apiVersion: v1 kind: Pod metadata: name: kubectl spec: containers: - name: kubectl image: opensuse/leap command: ["/bin/sh", "-ec", "trap : TERM INT; sleep infinity & wait"]
Get a shell to it and run the verification commands (You will need to install
ssh
in the Pod first).
Known limitations
The above solution has some known limitations that might be addressed in future releases of Kairos. Namely:
- After a Kairos upgrade, the above process has to be repeated in order to install the customized
containerd
and the relevant configuration. - There is no simple way to upgrade to newer versions of the bundle (this is a general bundles limitation).
Feedback
Was this page helpful?
Awesome! Glad to hear it! Please tell us how we can improve.
Oh snap! Sorry to hear that. Please tell us how we can improve.