You can create a node pool that supports confidential computing in an Alibaba Cloud Container Service for Kubernetes (ACK) cluster. The nodes in such a pool provide trusted execution environments (TEEs) in which code and sensitive data are stored, so that they are protected from being sniffed or compromised. This topic describes how to create a node pool that supports confidential computing.

Prerequisites

  • A managed ACK cluster is created. For more information, see Create a managed ACK cluster. The created cluster must meet the following requirements:
    • The network plug-in must be Flannel.
    • The container runtime must be Docker.
  • The cluster must be deployed in a region where ECS Bare Metal Instances of ecs.ebmhfg5.2xlarge are available for purchase.

Background information

ACK provides TEE-based confidential computing, which is a cloud-native and all-in-one solution based on Intel(R) Software Guard Extensions (Intel(R) SGX). It aims to deliver and manage trusted applications and confidential computing applications by ensuring the security, integrity, and confidentiality of data in use. Confidential computing allows you to isolate sensitive data and code in TEEs, which prevents the rest of the system from accessing that data and code. Encrypted data in a TEE is unavailable to other applications, the BIOS, the operating system, the kernel, administrators, O&M personnel, cloud vendors, and all hardware components except the CPU. This simplifies data management and reduces the risk of sensitive data leakage. You can create a node pool that supports confidential computing in a managed ACK cluster to provide confidential computing for the cluster.

Procedure

  1. Log on to the ACK console.
  2. Go to the Node Pools page of the cluster in which you want to create the node pool. You can use either of the following methods:
    • In the left-side navigation pane, choose Clusters > Clusters. Find the target cluster and click Node Pools in the Actions column.
    • In the left-side navigation pane, choose Clusters > Node Pools. On the Node Pools page, select the target cluster from the Cluster drop-down list.
  3. In the upper-right corner of the Node Pools page, click Create Node Pool.
  4. On the Create Node Pool page, configure the node pool.
    For more information, see Create a managed ACK cluster. The following parameters are required for a node pool that supports confidential computing:
    • Confidential Computing: Select this option to enable encrypted computing (confidential computing).
    • Container Runtime: You must select Docker.
    • Auto Scaling: Select whether to enable Auto Scaling (ESS). If you enable ESS, the node pool automatically scales based on resource consumption.
    • Instance Type: Select ECS Bare Metal Instance and select ecs.ebmhfg5.2xlarge as the instance type.
      Note: You can select multiple instance types, but only the ecs.ebmhfg5.2xlarge instance type supports confidential computing. If the stock of ecs.ebmhfg5.2xlarge instances is insufficient, you can select another instance type. However, the node pool will then not support confidential computing.
    • Quantity: Specify the initial number of nodes in the node pool. If you do not need to create nodes in the node pool, set this parameter to 0.
    • Operating System: You can select only the Aliyun Linux operating system.
    • Node Label: You can add labels to the nodes in the node pool.
    • ECS Label: You can attach labels to the selected ECS instances.
  5. Click OK.
    On the Node Pools page, if the status of the node pool is Initializing, the node pool is being created.
    In the left-side navigation pane of the ACK console, choose Clusters > Clusters. Find the target cluster and click View Logs in the Actions column. On the Log Information page of the target cluster, you can view the logs of the newly created node pool that supports confidential computing.
    After the cluster is scaled out, the status of the node pool changes to Active.
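    Because the node pool silently loses confidential computing support when a node is created from a fallback instance type or with a different container runtime, it is worth verifying the nodes after the pool becomes Active. The following script is an added example and is not part of the Alibaba Cloud documentation or of any ACK tool. It reads the JSON printed by `kubectl get nodes -l <node-pool-label> -o json` (the node pool label is a placeholder you must fill in) and relies only on the standard Kubernetes `node.kubernetes.io/instance-type` label and the `containerRuntimeVersion` field that every kubelet reports; the sample node list embedded at the bottom is constructed for illustration.

```python
"""Check that every node of a confidential computing node pool meets the
requirements stated above: the ecs.ebmhfg5.2xlarge bare metal instance type
and the Docker container runtime.

Usage:  kubectl get nodes -l <node-pool-label> -o json > nodes.json
        python check_cc_nodes.py nodes.json
(Without an argument the constructed sample below is checked instead.)
"""
import json
import sys

REQUIRED_INSTANCE_TYPE = "ecs.ebmhfg5.2xlarge"  # the only type that supports confidential computing
REQUIRED_RUNTIME_PREFIX = "docker"             # kubelet reports e.g. "docker://19.3.5"


def check_node(node):
    """Return a list of problems for one Node object; an empty list means the node is compliant."""
    name = node["metadata"]["name"]
    labels = node["metadata"].get("labels", {})
    # Well-known Kubernetes label; the deprecated beta name is accepted as a fallback.
    instance_type = (labels.get("node.kubernetes.io/instance-type")
                     or labels.get("beta.kubernetes.io/instance-type", ""))
    runtime = node.get("status", {}).get("nodeInfo", {}).get("containerRuntimeVersion", "")

    problems = []
    if instance_type != REQUIRED_INSTANCE_TYPE:
        problems.append(f"{name}: instance type {instance_type or '<unknown>'} "
                        "does not support confidential computing")
    if not runtime.lower().startswith(REQUIRED_RUNTIME_PREFIX):
        problems.append(f"{name}: container runtime {runtime or '<unknown>'} is not Docker")
    return problems


def check_nodes(node_list_json):
    """Parse a NodeList JSON document and collect the problems of all its nodes."""
    node_list = json.loads(node_list_json)
    problems = []
    for node in node_list.get("items", []):
        problems.extend(check_node(node))
    return problems


# Constructed sample NodeList (not real cluster output): one compliant node and one
# node that was created from a fallback instance type with a different runtime.
SAMPLE_NODE_LIST = json.dumps({
    "kind": "NodeList",
    "items": [
        {"metadata": {"name": "cn-hangzhou.192.168.0.10",
                      "labels": {"node.kubernetes.io/instance-type": "ecs.ebmhfg5.2xlarge"}},
         "status": {"nodeInfo": {"containerRuntimeVersion": "docker://19.3.5"}}},
        {"metadata": {"name": "cn-hangzhou.192.168.0.11",
                      "labels": {"node.kubernetes.io/instance-type": "ecs.g6.2xlarge"}},
         "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.3"}}},
    ],
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            data = f.read()
    else:
        data = SAMPLE_NODE_LIST
    found = check_nodes(data)
    for line in found or ["all nodes meet the confidential computing requirements"]:
        print(line)
    sys.exit(1 if found else 0)
```

    The script exits with a non-zero status when any node fails a check, so it can be placed in a pipeline that runs after the node pool reaches the Active state; a failing node should be replaced rather than used for confidential workloads, because it will not expose an SGX enclave to the applications described below.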

What to do next

After the node pool that supports confidential computing is created, you can create and deploy applications by using the Intel(R) SGX technology. For more information, see Use the Intel SGX SDK to develop and build an application.