Container Service for Kubernetes:Create a TDX confidential VM node pool in an ACK cluster

Last Updated: Mar 26, 2026

If you run workloads that handle sensitive data — financial records, healthcare information, or AI model weights — Intel® Trust Domain Extensions (Intel® TDX) gives you hardware-level memory isolation without requiring code changes to your applications. This topic explains how to create a node pool backed by Intel® TDX confidential VMs in an Alibaba Cloud Container Service for Kubernetes (ACK) cluster, and how to deploy a workload into that pool.

How it works

Intel® TDX is a CPU hardware-based technology that provides hardware-assisted isolation and encryption for ECS instances to protect runtime data, such as CPU registers, memory data, and interrupt injections. It reduces the risk of unauthorized access to running processes or sensitive data.

Node pools backed by Intel® TDX confidential VMs integrate with ACK's standard scaling and management features. You can migrate existing applications to a TDX-enabled node pool without modifying application code.

For more information about Intel® TDX, see Intel® Trust Domain Extensions (Intel® TDX).

Use cases

Intel® TDX confidential VM node pools are suited for workloads that require hardware-enforced data isolation:

  • Financial risk control: protect transaction processing and risk scoring data at runtime

  • Healthcare data privacy: isolate patient data during analysis and inference

  • AI-Generated Content (AIGC) and Large Language Model (LLM) inference and fine-tuning: protect model weights and training data in use

  • Confidential databases: enforce hardware-level isolation for database processes

  • Big data applications: process sensitive datasets with hardware-backed guarantees

The following diagram shows how Intel® TDX and Intel® Advanced Matrix Extensions (AMX) provide end-to-end security for model inference workloads.

Supported configurations

The following constraints apply to TDX confidential VM node pools:

Configuration      Supported value
Region             China (Beijing) only
Zone               Zone I
Instance type      ecs.g8i.xlarge or larger
Operating system   Alibaba Cloud Linux 3.2104 LTS 64-bit
ECS image type     Confidential VM
Auto Scaling       Not covered in this procedure (disabled by default)

For additional known issues and functionality limits, see Known issues and functionality limits.

Prerequisites

Before you begin, make sure you have:

  • An ACK Pro cluster in the China (Beijing) region. For more information, see Create an ACK managed cluster

  • Access to both the ACK console and the ECS console

Step 1: Create a node pool

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Nodes > Node Pools.

  3. In the upper-right corner, click Create Node Pool. Configure the parameters in the following table. Under Advanced Options (Optional), add the node label shown in the second table so that pods can be scheduled to this pool by label. Then click Confirm Order. For a full description of all node pool parameters, see Create and manage a node pool.

    Parameter          Setting
    vSwitch            Select a vSwitch in Zone I
    Auto Scaling       Disabled (default)
    Instance Type      g8i.xlarge or larger
    Expected Nodes     0 (default)
    Operating System   Alibaba Cloud Linux 3.2104 LTS 64-bit

    Label key          Label value
    nodepool-label     tdx-vm-pool

Step 2: Create a TDX-enabled ECS instance

The steps for creating a TDX-enabled ECS instance are similar to creating a standard instance, with two parameters that differ. For all other parameters, see Create an instance on the Custom Launch tab.

  1. Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances.

  2. In the top navigation bar, select the region and resource group of the resource.

  3. Click Create Instance and set the following parameters:

    Parameter          Setting
    Network and zone   Select Beijing Zone I. Only ecs.g8i.xlarge or larger instance types are supported in this zone.
    Image              Select Confidential VM, then select Alibaba Cloud Linux 3.2104 LTS 64-bit.

  4. Complete the remaining configuration as prompted and create the instance.

(Optional) Step 3: Verify TDX status on the ECS instance

Log on to the ECS instance and run the following commands to confirm that TDX is active.

  1. Check whether TDX is enabled:

    lscpu | grep -i tdx_guest

    Output that lists the tdx_guest CPU flag indicates that TDX is enabled. If the command prints nothing, the instance is not running as a TDX guest.

  2. Check whether the TDX driver is installed:

    ls -l /dev/tdx_guest

    Output that shows the /dev/tdx_guest device node indicates that the TDX driver is installed. A "No such file or directory" error means the driver is not loaded.
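The two checks above can be scripted so that a node is flagged if either one fails. The following shell script is an added example and is not part of this documentation; it takes the flags text and device path as arguments so it can be exercised offline with a constructed lscpu line, and falls back to the live node when called without arguments.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): scriptable version of
# the Step 3 checks. Return code 0 means the node is a TDX guest with the driver loaded.

# Return 0 if the CPU flags text contains the tdx_guest flag.
# The text normally comes from `lscpu` or /proc/cpuinfo.
tdx_flag_present() {
    printf '%s\n' "$1" | grep -qw 'tdx_guest'
}

# Return 0 if the path exists and is a character device, which is how the
# TDX guest driver exposes itself at /dev/tdx_guest.
tdx_device_present() {
    [ -c "$1" ]
}

# Run both checks, print one line per check, and return 0 only if both pass.
# $1: CPU flags text (default: live `lscpu` output)
# $2: device path    (default: /dev/tdx_guest)
check_tdx_node() {
    flags=${1:-$(lscpu 2>/dev/null || true)}
    dev=${2:-/dev/tdx_guest}
    rc=0
    if tdx_flag_present "$flags"; then
        echo "tdx_guest CPU flag: present"
    else
        echo "tdx_guest CPU flag: MISSING (instance is not a TDX guest)"
        rc=1
    fi
    if tdx_device_present "$dev"; then
        echo "TDX driver device $dev: present"
    else
        echo "TDX driver device $dev: MISSING (driver not loaded)"
        rc=1
    fi
    return $rc
}

# Constructed sample of an lscpu Flags line on a TDX guest (abbreviated); used for
# offline testing only. On a real node, call check_tdx_node with no arguments.
SAMPLE_TDX_FLAGS='Flags: fpu vme de pse tsc msr pae mce cx8 apic sep tdx_guest'
```

On the ECS instance, run `check_tdx_node` with no arguments; a non-zero exit status means at least one of the two checks failed.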

Step 4: Add the ECS instance to the node pool

  1. In the ACK console, navigate to Clusters, then click the cluster name. In the left-side navigation pane, choose Nodes > Node Pools.

  2. In the Actions column of the node pool, choose More > Add Existing Node.

  3. On the Select Existing ECS Instance page, set Mode to Auto, select the ECS instance created in Step 2, and complete the configuration as prompted. For details, see Add existing ECS instances.

Step 5: Deploy an application

Deploy a pod into the TDX-enabled node pool. The nodeSelector field targets the node label added in Step 1, ensuring the pod runs on a TDX-enabled node.

Use the ACK console

  1. In the ACK console, navigate to Clusters, click the cluster name, and choose Workloads > Pods in the left-side navigation pane.

  2. In the upper-right corner, click Create from YAML. Set Sample Template to Custom, paste the following YAML, and click Create.

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Schedules the pod to a TDX-enabled node
        nodepool-label: tdx-vm-pool

  3. On the Pods page, confirm that the pod status is Running.

Use kubectl

  1. Connect a kubectl client to the cluster. For more information, see Connect to an ACK cluster via kubectl.

  2. Create a file named pod-tdx-vm.yaml with the following content:

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Schedules the pod to a TDX-enabled node
        nodepool-label: tdx-vm-pool

  3. Deploy the pod:

    kubectl apply -f pod-tdx-vm.yaml

  4. Verify that the pod is running:

    kubectl get pod pod-tdx-vm

    Expected output:

    NAME         READY   STATUS    RESTARTS   AGE
    pod-tdx-vm   1/1     Running   0          52s

    A Running status with 1/1 ready containers confirms the application is deployed in the TDX-enabled node pool.
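A Running status shows that the pod started. The following shell functions, added here and not part of this documentation, go one step further and confirm that the node the scheduler chose actually carries the nodepool-label=tdx-vm-pool label from Step 1. They assume kubectl is already connected to the cluster; the pod name is the one from the manifest above.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): confirm that a pod was
# scheduled to a node carrying the node pool label from Step 1. Assumes kubectl is
# connected to the cluster (see "Use kubectl" above).

LABEL_KEY=${LABEL_KEY:-nodepool-label}
LABEL_VALUE=${LABEL_VALUE:-tdx-vm-pool}

# Print the name of the node the pod is bound to (empty while the pod is Pending).
pod_node_name() {
    kubectl get pod "$1" -o jsonpath='{.spec.nodeName}'
}

# Print the value of label $2 on node $1 (empty if the label is absent).
# Dots inside a label key would need escaping as \. in the jsonpath expression.
node_label_value() {
    kubectl get node "$1" -o jsonpath="{.metadata.labels.$2}"
}

# Return 0 only if the pod is scheduled and its node carries LABEL_KEY=LABEL_VALUE.
verify_pod_on_tdx_node() {
    pod=$1
    node=$(pod_node_name "$pod")
    if [ -z "$node" ]; then
        echo "pod $pod is not scheduled yet (run 'kubectl describe pod $pod' to see why)"
        return 1
    fi
    value=$(node_label_value "$node" "$LABEL_KEY")
    if [ "$value" = "$LABEL_VALUE" ]; then
        echo "pod $pod is running on $node ($LABEL_KEY=$LABEL_VALUE)"
        return 0
    fi
    echo "pod $pod is on $node, which lacks $LABEL_KEY=$LABEL_VALUE"
    return 1
}
```

Run `verify_pod_on_tdx_node pod-tdx-vm` after the pod reaches Running; a non-zero exit status means the pod is Pending or landed on a node outside the labelled pool.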

What's next