You can create a node pool that supports confidential computing for a Container Service for Kubernetes (ACK) cluster. The nodes in the pool provide a trusted execution environment (TEE) that protects your code and sensitive data from being read or tampered with by the rest of the system while the code or data is in use. This topic describes how to create a node pool that supports confidential computing.
Prerequisites
An ACK managed cluster is created. For more information, see Create an ACK managed cluster. The cluster must meet the following requirements:
The network plug-in is Flannel.
The container runtime is containerd.
Elastic Compute Service (ECS) instances of the following instance families are available in the selected region and zone: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized. For more information about the ECS instance types available for different regions and zones, see Instance Types Available for Each Region.
Note: Intel Ice Lake CPUs support remote attestation only through Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation based on Intel Enhanced Privacy Identification (EPID) is not supported. If your application was written against EPID attestation, you must adapt it to DCAP before you can use the remote attestation service. For more information about the remote attestation service, see attestation-services.
Background information
TEE-based confidential computing for ACK is powered by Intel SGX 2.0. It provides a cloud-native, all-in-one platform for you to manage and deliver confidential computing applications. Confidential computing isolates sensitive code and data in a TEE (an SGX enclave) so that they cannot be accessed by the rest of the system. Data inside an enclave is inaccessible to other applications, the BIOS, the operating system, the kernel, administrators, O&M engineers, the cloud service provider, and all hardware components except the CPU; this protects the confidentiality and integrity of data in use. The enclave's code is measured by the CPU, and a remote party can verify that measurement through remote attestation before trusting the enclave. Two caveats apply in practice: data is protected only while it stays inside the enclave, so an application must not pass plaintext secrets across the enclave boundary, and a client should provision secrets to an enclave only after a successful attestation. You can create a node pool that supports confidential computing in an ACK managed cluster to provide confidential computing for the cluster.
Procedure
Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters. On the Clusters page, click the name of the cluster to open its details page.
In the left-side navigation pane of the details page, open the Node Pools page.
On the right side of the Node Pools page, click Create Node Pool.
In the Create Node Pool dialog box, set the parameters for the node pool.
For more information about the parameters, see Create an ACK managed cluster. The following table describes the parameters required for creating a node pool that supports confidential computing.
Confidential Computing: Select Enable.
Container Runtime: Select containerd. A node pool that supports confidential computing cannot be created with any other runtime.
Auto Scaling: Specify whether to enable auto scaling. If you enable auto scaling, the node pool automatically adds or removes nodes as workload demand changes.
Instance Type: Select instance types from the following instance families: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized.
Expected Nodes: Specify the initial number of nodes in the node pool. If you do not want to add nodes to the node pool yet, set this parameter to 0.
Operating System: Select an Alibaba Cloud Linux 2.xxxx 64-bit (UEFI) image. Other operating systems are not supported.
Node Label: You can add labels to the nodes in the node pool.
ECS Label: You can add labels to the selected ECS instances.
Click Confirm Order.
On the Node Pools page, check the Status column of the node pool. While the node pool is being created, the column displays Initializing.
On the Clusters page, click View Logs in the Actions column to view the log data of the node pool that is being created.
After the node pool is created, the Status column of the node pool displays Active.
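Once the node pool is Active, it is worth confirming from the cluster side that every node actually satisfies the requirements in the table above before scheduling SGX workloads onto it. The following script is an added example and is not part of the ACK documentation or product. It reads the JSON that kubectl get nodes -o json prints and flags any node in the pool whose runtime is not containerd, whose instance type is not in the c7t, g7t or r7t families, whose image is not Alibaba Cloud Linux, which is not Ready, or which does not advertise SGX EPC. Two names are assumptions rather than facts from this page: the node-pool label alibabacloud.com/nodepool-id and the SGX EPC resource name alibabacloud.com/sgx_epc_MiB; adjust both to what your cluster reports. The embedded node list is constructed sample data.

```python
"""Post-creation check for an ACK confidential-computing node pool.

Added example, not ACK's own code. Usage against a live cluster:
    kubectl get nodes -o json | python3 check_tee_pool.py <node-pool-id>
Run without piped input, it checks the constructed SAMPLE_NODES below.
"""
import json
import sys

SUPPORTED_FAMILIES = ("ecs.c7t.", "ecs.g7t.", "ecs.r7t.")   # from this topic
NODEPOOL_LABEL = "alibabacloud.com/nodepool-id"            # assumption
SGX_EPC_RESOURCE = "alibabacloud.com/sgx_epc_MiB"          # assumption


def check_node(node):
    """Return a list of problems found on one Node object; [] means compliant."""
    meta = node.get("metadata", {})
    labels = meta.get("labels", {})
    status = node.get("status", {})
    info = status.get("nodeInfo", {})
    name = meta.get("name", "<unnamed>")
    problems = []

    # Container runtime: the pool must run containerd.
    runtime = info.get("containerRuntimeVersion", "")
    if not runtime.startswith("containerd://"):
        problems.append(f"{name}: runtime is {runtime or 'unknown'}, expected containerd")

    # Instance family: only the security-enhanced c7t/g7t/r7t families carry SGX.
    itype = labels.get("node.kubernetes.io/instance-type", "")
    if not itype.startswith(SUPPORTED_FAMILIES):
        problems.append(f"{name}: instance type {itype or 'unknown'} is not c7t/g7t/r7t")

    # Operating system: Alibaba Cloud Linux 2 is the only supported image.
    os_image = info.get("osImage", "")
    if not os_image.startswith("Alibaba Cloud Linux"):
        problems.append(f"{name}: OS image {os_image!r} is not Alibaba Cloud Linux")

    # Node health: the Ready condition must be True.
    ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                for c in status.get("conditions", []))
    if not ready:
        problems.append(f"{name}: node is not Ready")

    # SGX EPC must be advertised as an allocatable resource (assumed name).
    if SGX_EPC_RESOURCE not in status.get("allocatable", {}):
        problems.append(f"{name}: no {SGX_EPC_RESOURCE} in allocatable resources")
    return problems


def check_pool(node_list, pool_id):
    """Check every node labelled with pool_id; return (node names, problems)."""
    nodes = [n for n in node_list.get("items", [])
             if n.get("metadata", {}).get("labels", {}).get(NODEPOOL_LABEL) == pool_id]
    problems = []
    for n in nodes:
        problems.extend(check_node(n))
    if not nodes:
        problems.append(f"no nodes carry {NODEPOOL_LABEL}={pool_id}")
    return [n["metadata"]["name"] for n in nodes], problems


# Constructed sample resembling `kubectl get nodes -o json`: one compliant TEE
# node and one node that ended up in the pool on a Docker/CentOS c7 instance.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "tee-node-1", "labels": {
        NODEPOOL_LABEL: "np-tee",
        "node.kubernetes.io/instance-type": "ecs.c7t.xlarge"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}],
                "allocatable": {"cpu": "4", SGX_EPC_RESOURCE: "32000"},
                "nodeInfo": {"containerRuntimeVersion": "containerd://1.5.10",
                             "osImage": "Alibaba Cloud Linux (Aliyun Linux) 2.1903 LTS"}}},
    {"metadata": {"name": "plain-node-1", "labels": {
        NODEPOOL_LABEL: "np-tee",
        "node.kubernetes.io/instance-type": "ecs.c7.xlarge"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}],
                "allocatable": {"cpu": "4"},
                "nodeInfo": {"containerRuntimeVersion": "docker://19.3.15",
                             "osImage": "CentOS Linux 7 (Core)"}}},
]}

if __name__ == "__main__":
    pool = sys.argv[1] if len(sys.argv) > 1 else "np-tee"
    data = SAMPLE_NODES if sys.stdin.isatty() else json.load(sys.stdin)
    names, problems = check_pool(data, pool)
    print(f"checked {len(names)} node(s): {', '.join(names)}")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any node fails a check, so it can gate a pipeline step that deploys enclave workloads. Passing these checks shows that the nodes are configured as this topic requires; it does not prove that a given enclave is genuine, which is what remote attestation (DCAP on these instance families) is for.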
What to do next
After the node pool that supports confidential computing is created, you can create and deploy Intel SGX 2.0 applications. For more information, see Use TEE SDK to develop and build Intel SGX 2.0 applications.