Confidential computing with Azure Kubernetes

Hello friends, in the last Azure post we learnt about Azure Private Link. In this post we will delve a little bit on confidential computing with Azure Kubernetes. I hope you might have heard of Kubernetes lately.

Why do we need confidential computing?

If I ask you a question as to how do you protect data? Your answer would be using encryption or using network technologies, right! But that is protection when data is at rest or when data is travelling from one point to another inside a network. But how do you protect data when it is running inside a CPU? Now with the help of hardware technology called ‘enclaves’, confidential computing can provide protection of data even when the code is running on the CPU. This announcement was made by the Azure Container Compute team on November, 2019.

Azure Confidential Computing Technology

To support confidential computing, Azure makes use of the DC-series of virtual machines running on Intel® Xeon® (trademark) processors as well as Intel® SGX (trademark) i.e. Software Guard Extensions technologies. Using a combination of these technologies reduces any chances date leaks thus complying with some regulator norms. It also provides a shield from any insider at the cloud center with malicious intent.

Use Cases

Suppose two parties are in a dispute related to data fraud, they can investigate the same without giving the other party any view of that data. Another use case example is that businesses can do critical processing of payments inside the above mentioned secured enclaves. Also businesses operating in strict regulatory norms can work with their partner’s data to check for compliance without directly viewing the data.

Working in Kubernetes for Confidential Computing

Prerequisites

  • Kubernetes cluster running on Intel® SGX (trademark) hardware (Azure DC-series VMs)
  • Above VMs installed with Confidential Computing Device Plugin
  • Ubuntu 18.04/16.04
  • Open Enclave SDK

High Level Configuration Steps

  • Setup DC-series VMs running on Ubuntu 18.04/16.04 on Azure
  • Install the CC (confidential computing) plugin on above VMs
  • Create Kubernetes cluster running on above configuration
  • The CC plugin will run as a DaemonSet enabling use of EPC (Encrypted Page Cache) RAM as a resource for Kubernetes which can be scheduled by users in their pods and containers
  • Kubernetes Pod Configuration
confidential computing with kubernetes pod configuration
Image source: https://docs.microsoft.com/

The abovepod configuration shows how to schedule a pod which has access to a Trusted Execution Environments(TEE). It does this by defining a limit on the specific EPC memory (highlighted above) that is published to the Kubernetes scheduler by the device plugin.

Now the pods run in containers under secure enclaves enabling confidential computing.

Cost for Confidential Computing

As of November 2019 there are no additional fees for running Kubernetes containers on the DC-series VM costs.

Useful Links

https://confidentialcomputing.io/ – Read more about confidential computing
https://github.com/Azure/aks-engine/blob/master/docs/topics/sgx.md– Using SGX with Kubernetes

Summary

In this post on Confidential computing with Azure Kubernetes, we saw how it is now possible to secure data even while running in the CPU. Of course there is a very specific set of hardware and software to be used for this, but with time, it will be more readily available on other platforms as well. I hope you liked this piece of information, do share and visit back.

Hitesh Boricha

I have a little over a decade experience in the IT industry. Having worked in various roles in this industry, I am passionate about technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.