Documentation
Offers hardware-based memory encryption that isolates specific application code and data in memory for Kubernetes*.
Overview
There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel® SGX) offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. Only Intel® SGX offers such a granular level of control and protection.
See more documentation on SGX here.
The Intel SGX device plugin and related components allow workloads to use Intel SGX on platforms with SGX Flexible Launch Control enabled, for example:
- 3rd Generation Intel® Xeon® Scalable Platform, code-named “Ice Lake”
- Intel® Xeon® E3
The SGX solution comes in three parts:
Design and Architecture
Modes and Configuration options
The SGX plugin can take a number of command line arguments, summarised in the following table:
| Flag | Argument | Meaning |
|---|---|---|
| -enclave-limit | int | the number of containers per node allowed to use /dev/sgx/enclave (default: 20) |
| -provision-limit | int | the number of containers per node allowed to use /dev/sgx/provision (default: 20) |
The plugin also accepts a number of other arguments related to logging. Please use the -h option to see the complete list of logging related options.
Installation and Usage
Prerequisites
The component has the same basic dependencies as the generic plugin framework.
The SGX device plugin requires Linux Kernel SGX drivers to be available. These drivers are currently available via RFC patches on Linux Kernel Mailing List. RFC v41 was used to validate what is written in this document.
The hardware platform must support SGX Flexible Launch Control.
Pre-built images
Pre-built images are available on Docker Hub. These images are automatically built and uploaded to the hub from the latest master branch of this repository.
Release-tagged images of the components are also available on Docker Hub, tagged with their release version numbers in the format x.y.z, corresponding to the branches and releases in this repository. Thus the easiest way to deploy Intel SGX components in your cluster is to follow the steps in the GitHub repo:
- Deploy node-feature-discovery
- Deploy cert-manager
- Deploy Intel Device plugin operator
- Deploy SGX device plugin with the operator
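As an added example (not from this page or the project's repository), the manifests below show the last step: an SgxDevicePlugin custom resource for the operator that sets the two limits from the flags table, followed by a workload pod that requests only the enclave device. The CRD field names enclaveLimit/provisionLimit and the sgx.intel.com/* resource names are assumed from the plugin's conventions; the image tag, NFD label and application image are placeholders.

```yaml
# Added example: operator CR for the SGX device plugin.
# Assumption: spec.enclaveLimit / spec.provisionLimit map to the
# -enclave-limit / -provision-limit flags described in the table above.
apiVersion: deviceplugin.intel.com/v1
kind: SgxDevicePlugin
metadata:
  name: sgxdeviceplugin-sample
spec:
  image: intel/intel-sgx-plugin:<release-tag>   # placeholder; use a x.y.z release tag
  # Up to 20 containers per node may open /dev/sgx/enclave (the flag default).
  enclaveLimit: 20
  # /dev/sgx/provision gives access to the provisioning key; keep it to the
  # single quote-generation service container rather than the default of 20.
  provisionLimit: 1
  nodeSelector:
    intel.feature.node.kubernetes.io/sgx: "true"   # assumed NFD label
---
# Added example: an enclave workload that uses the plugin's resources.
# It asks for EPC memory and the enclave device only, not the provision
# device, so a compromise of this pod cannot reach /dev/sgx/provision.
apiVersion: v1
kind: Pod
metadata:
  name: sgx-enclave-app
spec:
  containers:
  - name: enclave-app
    image: <your-sgx-application-image>   # placeholder
    resources:
      limits:
        sgx.intel.com/epc: "512Ki"   # enclave page cache, in bytes (assumed unit)
        sgx.intel.com/enclave: 1     # one /dev/sgx/enclave slot from enclaveLimit
```

A node that received the CR above should advertise `sgx.intel.com/enclave: 20` and `sgx.intel.com/provision: 1` in its allocatable resources, which is the check to run before scheduling the pod.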
Deploy via Device Plugin Operator
Demo Videos
Intel® SGX Device Plugin and SGX DCAP ECDSA Quote Generation demo
This video demonstrates Intel® Software Guard Extensions ECDSA Quote Generation in Kubernetes*. Demo steps:
1. Validate the status of the Kubernetes cluster.
2. Provision node-feature-discovery.
3. Provision the Intel® SGX Device Plugin using the Intel® Device Plugin Operator.
4. Check that the SGX resources and labels are correctly registered.
5. Run Intel® SGX DCAP ECDSA Quote Generation in both "out-of-proc" and "in-proc" modes.