mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
7f685b5d89
hostNetwork usage for SGX demo pods is not absolutely necessary so it's better to clean it up and make IAS "security" scanners happier. It was originally used to be able to use "localhost" PCCS but this change now adds an example how proper PCCS url can be configured using jq. Additionally, SGX DCAP Quote Verification is added. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
159 lines
6.5 KiB
Bash
Executable File
159 lines
6.5 KiB
Bash
Executable File
#!/bin/bash -e
|
|
|
|
PV='pv -qL'
|
|
|
|
command()
|
|
{
|
|
speed=$2
|
|
[ -z "$speed" ] && speed=10
|
|
|
|
echo "> $1" | $PV $speed
|
|
sh -c "$1"
|
|
echo | $PV $speed
|
|
}
|
|
|
|
out()
|
|
{
|
|
speed=$2
|
|
[ -z "$speed" ] && speed=10
|
|
|
|
echo "$1" | $PV $speed
|
|
echo | $PV $speed
|
|
}
|
|
|
|
cleanup()
|
|
{
|
|
clear
|
|
out 'Cleanup demo artifacts' 20
|
|
out 'delete node-feature-discovery deployment:' 20
|
|
command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=main || true' 20
|
|
command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=main || true' 20
|
|
out 'delete SGX Device Plugin deployment:' 20
|
|
command 'kubectl delete sgxdeviceplugin sgxdeviceplugin-sample || true' 20
|
|
out 'delete Intel Device Plugin Operator deployment:' 20
|
|
command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/operator/default?ref=main || true' 20
|
|
out "delete the demo namespace"
|
|
command "kubectl delete ns sgx-ecdsa-quote"
|
|
}
|
|
|
|
record()
|
|
{
|
|
clear
|
|
out 'Record this screencast'
|
|
command "asciinema rec -t 'Intel SGX Device Plugin for Kubernetes - Intel(R) SGX DCAP ECDSA Quote Generation Demo' Intel-SGX-Device-Plugin-for-Kubernetes-SGX-DCAP-ECDSA-Quote-Generation-Demo.cast -c '$0 play'"
|
|
}
|
|
|
|
screen1()
|
|
{
|
|
clear
|
|
out "This video demonstrates the Intel(R) Software Guard Extensions ECDSA Quote Generation in Kubernetes*"
|
|
out "The key building blocks are:"
|
|
out "* Intel(R) Software Guard Extensions (SGX) Flexible Launch Control capable system (registered)"
|
|
out "* Intel(R) SGX driver (Linux 5.11+) for the host kernel"
|
|
out "* Intel(R) SGX PCKID Certificate Caching Service configured"
|
|
out "Let's get started!"
|
|
}
|
|
|
|
screen2()
|
|
{
|
|
clear
|
|
out "1. Check the Kubernetes cluster is in good shape"
|
|
command "kubectl get nodes"
|
|
command "kubectl get pods --all-namespaces"
|
|
out "Create the demo namespace"
|
|
command "kubectl create ns sgx-ecdsa-quote"
|
|
}
|
|
|
|
screen3()
|
|
{
|
|
clear
|
|
out "2. Deploy node-feature-discovery for Kubernetes"
|
|
out "It's used to label SGX capable nodes and register SGX EPC as an extended resource"
|
|
command "kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=main"
|
|
out "Check its pod is running"
|
|
command "kubectl wait --for=condition=Ready pod/$(kubectl get --no-headers -l app=nfd-worker -o=jsonpath='{.items[0].metadata.name}' pods -n node-feature-discovery) -n node-feature-discovery"
|
|
out "Create NodeFeatureRules for SGX specific labels and SGX EPC extended resource"
|
|
command 'kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=main || true' 20
|
|
}
|
|
|
|
screen4()
|
|
{
|
|
clear
|
|
out "3. Deploy Intel Device Plugin Operator"
|
|
command "kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/operator/default?ref=main"
|
|
out "Create SgxDevicePlugin custom resource managed by the Operator"
|
|
command "kubectl apply -f https://raw.githubusercontent.com/intel/intel-device-plugins-for-kubernetes/main/deployments/operator/samples/deviceplugin_v1_sgxdeviceplugin.yaml"
|
|
out "Check the SGX Device Plugin is running"
|
|
command "kubectl get pods -n inteldeviceplugins-system"
|
|
}
|
|
|
|
screen5()
|
|
{
|
|
clear
|
|
out "4. Verify node resources"
|
|
command "kubectl get nodes -o jsonpath='{.items[].status.allocatable}' | jq | grep sgx"
|
|
command "kubectl get nodes -o jsonpath='{.items[].metadata.labels}' | jq | grep kubernetes.io\/sgx"
|
|
out "Both node labels and resources for SGX are in place"
|
|
}
|
|
|
|
screen6()
|
|
{
|
|
clear
|
|
out "5. Run Intel(R) SGX DCAP ECDSA Quote Generation (out-of-proc)"
|
|
out "Make the pre-built images available (from docker save)"
|
|
command "sudo ctr -n k8s.io i import sgx-aesmd.tar"
|
|
command "sudo ctr -n k8s.io i import sgx-demo.tar"
|
|
out "Deploy Intel(R) AESMD"
|
|
pushd ../deployments/sgx_aesmd/base
|
|
jq --arg pccs_url "$PCCS_URL" '.pccs_url = $pccs_url' sgx_default_qcnl.template > sgx_default_qcnl.conf
|
|
command "kubectl apply -k . -n sgx-ecdsa-quote"
|
|
popd
|
|
out "Deploy Intel(R) SGX DCAP ECDSA Quote Generation"
|
|
command "kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote?ref=main -n sgx-ecdsa-quote"
|
|
command "kubectl logs $(kubectl get --no-headers -l job-name=ecdsa-quote-intelsgx-demo-job -o=jsonpath='{.items[0].metadata.name}' pods -n sgx-ecdsa-quote) -n sgx-ecdsa-quote"
|
|
out "Intel(R) SGX DCAP QuoteGenerationSample successfully requested a quote from Intel(R) AESMD"
|
|
out "Delete the deployment"
|
|
command "kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_aesmd?ref=main -n sgx-ecdsa-quote"
|
|
command "kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote?ref=main -n sgx-ecdsa-quote"
|
|
}
|
|
|
|
screen7()
|
|
{
|
|
clear
|
|
out "6. Run Intel(R) SGX DCAP ECDSA Quote Generation (in-proc) and Trusted Quote Verification"
|
|
out "Deploy Intel(R) SGX DCAP ECDSA DCAP Flow"
|
|
pushd ../deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote
|
|
jq --arg pccs_url "$PCCS_URL" '.pccs_url = $pccs_url' sgx_default_qcnl.template > sgx_default_qcnl.conf
|
|
command "kubectl apply -k . -n sgx-ecdsa-quote"
|
|
popd
|
|
command "kubectl logs $(kubectl get --no-headers -l job-name=inproc-ecdsa-quote-intelsgx-demo-job -o=jsonpath='{.items[0].metadata.name}' pods -n sgx-ecdsa-quote) -n sgx-ecdsa-quote"
|
|
out "Intel(R) SGX DCAP QuoteGenerationSample successfully generated and verified a quote using DCAP Quote Provider Library"
|
|
out "Delete the deployment"
|
|
command "kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote?ref=main -n sgx-ecdsa-quote"
|
|
}
|
|
|
|
screen8()
|
|
{
|
|
clear
|
|
out "This video demonstrated the Intel(R) Software Guard Extensions in Kubernetes*"
|
|
out "The following topics were covered:"
|
|
out "* SGX Kubernetes* Device Plugin deployment with an Operator"
|
|
out "* Intel(R) SGX node resource and feature label registration to Kubernetes*"
|
|
out "* Intel(R) SGX DCAP ECDSA Quote Generation (out-of-proc and in-proc)"
|
|
out "* Intel(R) SGX DCAP ECDSA Trusted Quote Verification"
|
|
}
|
|
|
|
if [ "$1" == 'play' ] ; then
|
|
if [ -n "$2" ] ; then
|
|
screen$2
|
|
else
|
|
for n in $(seq 8) ; do screen$n ; sleep 3; done
|
|
fi
|
|
elif [ "$1" == 'cleanup' ] ; then
|
|
cleanup
|
|
elif [ "$1" == 'record' ] ; then
|
|
record
|
|
else
|
|
echo "Usage: $0 [--help|help|-h] | [play [<screen number>]] | [cleanup] | [record]"
|
|
fi
|