You can create a node pool that supports confidential computing in a Container Service for Kubernetes (ACK) cluster. The nodes in such a node pool provide Intel SGX-based trusted execution environments (TEEs), which protect code and sensitive data while they are in use: the memory of an enclave cannot be read or modified by other processes, the host operating system, or the hypervisor. This topic describes how to create a node pool that supports confidential computing.
- A managed Kubernetes cluster is created. For more information, see Create a managed Kubernetes cluster. The cluster must meet the following requirements:
  - The network plug-in is Flannel.
  - The container runtime is containerd.
- Elastic Compute Service (ECS) instances of the c7t security-enhanced compute optimized instance family are available in the selected region and zone.
- The security-enhanced compute optimized instance family is in private preview. Stock is limited and the instances are not covered by the service level agreement (SLA). If you want to use this instance family, submit a request for no more than the number of instances that you actually need.
- Intel Ice Lake processors, which the c7t instance family uses, support remote attestation only through Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation based on Intel Enhanced Privacy ID (EPID) is not supported. Applications that use EPID-based attestation must be adapted to DCAP before they can use the remote attestation service on these nodes. For more information about the remote attestation service, see attestation-services.
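The DCAP-only caveat above is where applications written against the EPID attestation flow break: a quote produced on a c7t node is an ECDSA (DCAP) quote, not an EPID quote, and a verifier that expects EPID quotes will reject it. A quick diagnostic is to inspect the quote header. The following Python is an added example for this page, not code from the ACK documentation or from Alibaba Cloud tooling. The field offsets follow the Intel SGX SDK headers (sgx_quote.h for EPID quotes, sgx_quote_3.h for DCAP quotes), the sample quotes are constructed rather than captured, and the QE vendor ID in the sample is Intel's published value. The parser only inspects a quote; it does not verify the signature, which requires the DCAP Quote Verification Library or an attestation service.

```python
"""Inspect an Intel SGX quote header and tell EPID quotes from DCAP (ECDSA) quotes.

Added example, not part of the ACK documentation. Layout from the Intel SGX SDK
headers sgx_quote.h (EPID, version 2) and sgx_quote_3.h (DCAP, version 3).
Sample quotes built by build_sample_quote() are constructed for illustration.
"""
import struct

HEADER_LEN = 48        # both quote formats place the report body at offset 48
REPORT_BODY_LEN = 384  # sizeof(sgx_report_body_t)

QUOTE_VERSION_EPID = 2  # sgx_quote_t
QUOTE_VERSION_DCAP = 3  # sgx_quote3_t

EPID_SIGN_TYPES = {0: "unlinkable", 1: "linkable"}
DCAP_ATT_KEY_TYPES = {2: "ECDSA-256-with-P-256", 3: "ECDSA-384-with-P-384"}

# Intel's Quoting Enclave vendor ID, as published in the DCAP documentation.
INTEL_QE_VENDOR_ID = bytes.fromhex("939a7233f79c4ca9940a0db3957f0607")


def parse_report_body(body: bytes) -> dict:
    """Extract the sgx_report_body_t fields a verifier normally checks."""
    if len(body) != REPORT_BODY_LEN:
        raise ValueError("report body must be %d bytes" % REPORT_BODY_LEN)
    return {
        "mr_enclave": body[64:96].hex(),                         # enclave measurement
        "mr_signer": body[128:160].hex(),                        # signing key hash
        "isv_prod_id": struct.unpack_from("<H", body, 256)[0],
        "isv_svn": struct.unpack_from("<H", body, 258)[0],
        "report_data": body[320:384].hex(),                      # enclave-chosen data
    }


def inspect_quote(quote: bytes) -> dict:
    """Return the attestation type and enclave identity carried by an SGX quote.

    Raises ValueError for truncated quotes or quote versions this parser does not know.
    """
    if len(quote) < HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short: %d bytes" % len(quote))
    version, = struct.unpack_from("<H", quote, 0)
    info = {"version": version}
    if version == QUOTE_VERSION_EPID:
        # sgx_quote_t: version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename[32]
        sign_type, epid_group_id, qe_svn, pce_svn = struct.unpack_from("<HIHH", quote, 2)
        info.update(attestation="EPID",
                    sign_type=EPID_SIGN_TYPES.get(sign_type, "unknown(%d)" % sign_type),
                    epid_group_id=epid_group_id, qe_svn=qe_svn, pce_svn=pce_svn)
    elif version == QUOTE_VERSION_DCAP:
        # sgx_quote3_t header: version, att_key_type, reserved, qe_svn, pce_svn,
        # vendor_id[16], user_data[20]
        att_key_type, _reserved, qe_svn, pce_svn = struct.unpack_from("<HIHH", quote, 2)
        vendor_id = quote[12:28]
        info.update(attestation="DCAP",
                    att_key_type=DCAP_ATT_KEY_TYPES.get(att_key_type, "unknown(%d)" % att_key_type),
                    qe_svn=qe_svn, pce_svn=pce_svn,
                    qe_vendor_id=vendor_id.hex(),
                    intel_qe=(vendor_id == INTEL_QE_VENDOR_ID))
    else:
        raise ValueError("unsupported quote version %d" % version)
    info["report_body"] = parse_report_body(quote[HEADER_LEN:HEADER_LEN + REPORT_BODY_LEN])
    return info


def build_sample_quote(version: int, type_field: int) -> bytes:
    """Build a constructed (not real) quote with a recognisable report body and an empty signature."""
    body = bytearray(REPORT_BODY_LEN)
    body[64:96] = b"\x11" * 32    # mr_enclave
    body[128:160] = b"\x22" * 32  # mr_signer
    struct.pack_into("<HH", body, 256, 7, 3)  # isv_prod_id=7, isv_svn=3
    body[320:352] = b"\x33" * 32  # report_data, e.g. a hash of the enclave's public key
    if version == QUOTE_VERSION_EPID:
        header = struct.pack("<HHIHHI32s", version, type_field, 0x0B0C, 5, 9, 0, b"\x00" * 32)
    else:
        header = struct.pack("<HHIHH16s20s", version, type_field, 0, 5, 9,
                             INTEL_QE_VENDOR_ID, b"\x00" * 20)
    return header + bytes(body) + struct.pack("<I", 0)  # signature_len = 0 (no signature)


if __name__ == "__main__":
    for ver, typ in ((QUOTE_VERSION_DCAP, 2), (QUOTE_VERSION_EPID, 1)):
        print(inspect_quote(build_sample_quote(ver, typ)))
```

An EPID-era verifier typically keys on the `sign_type` field and the EPID group ID, neither of which exists in a DCAP quote; on a c7t node every quote will report version 3 with an ECDSA attestation key type, so the verification path must be switched to DCAP (QVL/QvE or a DCAP-capable attestation service) rather than patched around.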
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- In the left-side navigation pane of the cluster details page, open the Node Pools page.
- In the upper-right corner of the Node Pools page, click Create Node Pool. You can also click Create Managed Node Pool to create a managed node pool, or Configure Auto Scaling to create an auto-scaling node pool.
- In the Create Node Pool dialog box, configure the node pool. For more information, see Create a managed Kubernetes cluster. The following parameters are required to create a node pool that supports confidential computing:
  - Confidential Computing: Select Enable.
  - Container Runtime: Select containerd. A node pool that supports confidential computing requires the containerd runtime.
  - Auto Scaling: Specify whether to enable auto scaling. If you enable auto scaling, the node pool automatically scales based on resource consumption.
  - Instance Type: Select ECS instances of the c7t security-enhanced compute optimized instance family.
  - Quantity: Set the initial number of nodes in the node pool. If you do not want to create nodes at this time, set this parameter to 0.
  - Operating System: Select an AliyunLinux 2.xxxx 64-bit (UEFI) operating system. Other operating systems are not supported.
  - Node Label: Optionally add labels to the Kubernetes nodes in the node pool.
  - ECS Label: Optionally add labels to the ECS instances in the node pool.
- Click Confirm Order. On the Node Pools page, the state of the new node pool is Initializing while the system creates it. To view the creation log, go to the Clusters page, find the cluster in which you created the node pool, and click View Logs in the Actions column. After the node pool is created, its state changes to Active.