sgx-device-plugin is a Kubernetes device plugin jointly developed by Container Service for Kubernetes (ACK) and Ant Financial. It enables Intel Software Guard Extensions (SGX) workloads to run in containers without requiring privileged mode, and handles Enclave Page Cache (EPC) resource scheduling automatically through Kubernetes-native APIs.
Features
Run SGX workloads without enabling privileged mode.
Automatically detect and report the EPC size available on each node.
Declare EPC resource requirements in pod specs using standard Kubernetes resource fields.
Dependencies
| Dependency | Requirement |
|---|---|
| TEE-SDK | Compatible with Intel SGX and Intel SGX Platform Software (PSW) |
| Kubernetes | V1.10 or later |
| Go | V1.10 or later |
Usage notes
sgx-device-plugin is installed by default in ACK clusters. No additional configuration is required.
FAQ
Can sgx-device-plugin be deployed in a private cluster?
Yes. sgx-device-plugin can be deployed in all types of Kubernetes clusters. The plugin only runs on nodes with SGX hardware.
Can sgx-device-plugin control the EPC size inside a running container?
No. The alibabacloud.com/sgx_epc_MiB parameter is used only by kube-scheduler to place the pod on a node with enough EPC capacity; it is not passed to or enforced by the Intel SGX driver inside the container.
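The following pod manifest is an added illustration of how the EPC request is declared, not an example from the plugin's own documentation; the pod name, container name and image are placeholders, and the 64 MiB value is a constructed sample.

```yaml
# Constructed example: schedule a pod onto a node that advertises at least
# 64 MiB of free EPC. The resource name alibabacloud.com/sgx_epc_MiB is the
# extended resource reported by sgx-device-plugin on SGX-capable nodes.
apiVersion: v1
kind: Pod
metadata:
  name: sgx-demo            # placeholder name
spec:
  containers:
  - name: enclave-app       # placeholder name
    image: example.com/enclave-app:latest   # placeholder image
    # No securityContext.privileged needed: the device plugin exposes the
    # SGX device to the container on its own.
    resources:
      # Kubernetes extended resources must be declared under limits; if
      # requests is given too, it must equal limits (omitting requests
      # makes it default to the limit).
      limits:
        alibabacloud.com/sgx_epc_MiB: "64"
      requests:
        alibabacloud.com/sgx_epc_MiB: "64"
```

The value only drives node selection: once the pod is running, the enclave's actual EPC consumption is governed by its own enclave configuration, not by this field, so size the request to match what the enclave will really use.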
Is sgx-device-plugin open source?
Yes. The source code is available at github.com/AliyunContainerService/sgx-device-plugin.
Release notes
September 2023
| Version | Image address | Date | Changes | Impact |
|---|---|---|---|---|
| v1.1.0-bb1f5f9-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/sgx-device-plugin:v1.1.0-bb1f5f9-aliyun | September 13, 2023 | Added support for SGX 2. | No action required. This upgrade does not affect running workloads. |
April 2021
| Version | Image address | Date | Changes | Impact |
|---|---|---|---|---|
| v1.1.0-bb1f5f9-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/sgx-device-plugin:v1.1.0-bb1f5f9-aliyu | April 30, 2021 | Initial release. SGX workloads can run without privileged mode. EPC size is automatically detected. Declarative EPC resource allocation is supported. | No action required. No impact on existing workloads. |