Confidential computing setup

Warning

This page describes features that are still experimental in Kairos. There are a lot of things that can be improved and might be more streamlined in the future.

Confidential computing is a type of secure computing that allows users to encrypt and decrypt data on a secure, isolated computing environment. It works by encrypting the data before it is sent to the cloud or other computing resources. This allows users to keep their data private and secure, even if it is accessed by unauthorized parties. This makes it useful for sensitive data such as financial information, health records, and other confidential data.

One important aspect of Confidential Computing is the ability to encrypt data even in-memory. This document describes how to setup Kairos to use enclave-cc in order to run confidential workloads.

Create a Kairos cluster

The coco community bundle is supported since Kairos version v2.0.0-alpha3 (“coco” stands for “Confidential Computing”).

A configuration file like the following should be used (see the bundles section):

#cloud-config
bundles:
    - targets:
        - run://quay.io/kairos/community-bundles:system-upgrade-controller_latest
        - run://quay.io/kairos/community-bundles:cert-manager_latest
        - run://quay.io/kairos/community-bundles:kairos_latest
        - run://quay.io/kairos/community-bundles:coco_latest

install:
    auto: true
    device: auto
    reboot: true

k3s:
    enabled: true

users:
    - name: kairos
      passwd: kairos

The bundle is making some changes on the host’s filesystem (installs a customized containerd binary among other things) and a restart of the node is needed in order for the changes to be applied fully. When this file appears, reboot the node: /etc/containerd/.sentinel.

Additional steps

Label our node:

  kubectl label --overwrite node $(kubectl get nodes -o jsonpath='{.items[].metadata.name}') node-role.kubernetes.io/worker=""

Deploy the operator

  kubectl apply -k github.com/confidential-containers/operator/config/release?ref=v0.4.0

[Deploy the ccruntime resource]

  kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/ssh-demo?ref=v0.4.0

(wait until they are all running: kubectl get pods -n confidential-containers-system --watch)

Deploy a workload

The last part with the verification will only work from within a Pod because the IP address is internal:

ssh -i ccv0-ssh root@$(kubectl get service ccv0-ssh -o jsonpath="{.spec.clusterIP}")

You can create a Pod like this:
```
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  containers:
  - name: kubectl
    image: opensuse/leap
    command: ["/bin/sh", "-ec", "trap : TERM INT; sleep infinity & wait"]
```
Get a shell to it and run the verification commands (You will need to install ssh in the Pod first).

Known limitations

The above solution has some known limitations that might be addressed in future releases of Kairos. Namely:

After a Kairos upgrade, the above process has to be repeated in order to install the customized containerd and the relevant configuration.
There is no simple way to upgrade to newer versions of the bundle (this is a general bundles limitation).

Last modified August 8, 2024: add examples (16a63d0)