Confidential Computing device plugin for Kubernetes
Introduction
This is a Kubernetes device plugin implementation that enables the
registration of Confidential Computing devices in a Google
Kubernetes Engine (GKE) for compute workload. With the appropriate GKE setup and
this plugin deployed in your Kubernetes cluster, you will be able to run jobs
(e.g. Attestation) that require Confidential Computing devices. (Note that: Current version supports TPM. Support for SEV and TDX are on the way.)
Prerequisites
Limitations
- This plugin targets Kubernetes v1.18+.
Deployment
The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices (e.g. TPM). The simplest way of doing so is to create a Kubernetes DaemonSet, which run a copy of a pod on all (or some) Nodes in the cluster. We have a pre-built Docker image on Goolge Artifact Registry that you can use for with your DaemonSet. This repository also have a pre-defined yaml file named cc-device-plugin.yaml
. You can create a DaemonSet in your Kubernetes cluster by running this command:
kubectl create -f manifests/cc-device-plugin.yaml
or directly pull from the web using
kubectl create -f
https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml