Mikko Ylinen a5f648077e sgx: add NFD EPC source, README and deployment YAMLs
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2020-08-24 16:33:45 +03:00

Intel Software Guard Extensions (SGX) device plugin for Kubernetes

Introduction

Note: The work is still WIP. The SGX device plugin can be tested to run simple enclaves but the full e2e deployment (including the SGX remote attestation) is not yet finished. See the open issues for details.

This Intel SGX device plugin provides support for Intel SGX TEE under Kubernetes.

Modes and Configuration options

The SGX plugin can take a number of command line arguments, summarised in the following table:

| Flag | Argument | Meaning |
| :-- | :-- | :-- |
| -enclave-limit | int | the number of containers per node allowed to use /dev/sgx/enclave (default: 20) |
| -provision-limit | int | the number of containers per node allowed to use /dev/sgx/provision (default: 20) |

The plugin also accepts a number of other arguments related to logging. Please use the -h option to see the complete list of logging related options.

Installation

The below sections cover how to obtain, build and install this component.

The component can be installed either using a DaemonSet or running 'by hand' on each node.

Prerequisites

The component has the same basic dependencies as the generic plugin framework.

The SGX plugin requires Linux Kernel SGX drivers to be available. These drivers are currently available via RFC patches on Linux Kernel Mailing List.

Getting the source code

$ mkdir -p $(go env GOPATH)/src/github.com/intel
$ git clone https://github.com/intel/intel-device-plugins-for-kubernetes $(go env GOPATH)/src/github.com/intel/intel-device-plugins-for-kubernetes

Verify node kubelet config

Every node that will be running the plugin must have the kubelet device-plugins configured. For each node, check that the kubelet device plugin socket exists:

$ ls /var/lib/kubelet/device-plugins/kubelet.sock
/var/lib/kubelet/device-plugins/kubelet.sock

Deploying as a DaemonSet

To deploy the plugin as a DaemonSet, you first need to build a container image for the plugin and ensure that is visible to your nodes.

Build the plugin and EPC source images

The following will use docker to build local container images called intel/intel-sgx-plugin and intel/intel-sgx-initcontainer with the tag devel. The image build tool can be changed from the default docker by setting the BUILDER argument to the Makefile.

$ cd $(go env GOPATH)/src/github.com/intel/intel-device-plugins-for-kubernetes
$ make intel-sgx-plugin
...
Successfully tagged intel/intel-sgx-plugin:devel
$ make intel-sgx-initcontainer
...
Successfully tagged intel/intel-sgx-initcontainer:devel

Deploy the DaemonSet

Deploying the plugin involves the deployment of an NFD EPC Source InitContainer Job, the DaemonSet YAML, and node-feature-discovery with the necessary configuration.

There is a kustomization for deploying everything:

$ cd $(go env GOPATH)/src/github.com/intel/intel-device-plugins-for-kubernetes
$ kubectl apply -k deployments/sgx_plugin/overlays/nfd

Verify SGX device plugin is registered on master:

The plugin deployment and the detection of SGX hardware can be verified by examining the resource allocations on the nodes:

$ kubectl describe node <node name> | grep sgx.intel.com
                   nfd.node.kubernetes.io/extended-resources: sgx.intel.com/epc
 sgx.intel.com/enclave:    20
 sgx.intel.com/epc:        98566144
 sgx.intel.com/provision:  20
 sgx.intel.com/enclave:    20
 sgx.intel.com/epc:        98566144
 sgx.intel.com/provision:  20
 sgx.intel.com/enclave    1           1
 sgx.intel.com/epc        400         400
 sgx.intel.com/provision  1           1
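A workload that consumes the resources advertised above, as an added example that is not part of the project's README; the pod name, image and EPC size are illustrative placeholders:

```yaml
# Added example (not from the project's README): a Pod that requests the
# extended resources the SGX plugin advertises. Name and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: sgx-enclave-demo                 # hypothetical name
spec:
  restartPolicy: Never
  containers:
  - name: enclave-app
    image: example.com/sgx-app:latest    # placeholder image
    resources:
      requests:
        # One slot from the node's -enclave-limit pool; the plugin then
        # exposes /dev/sgx/enclave to this container.
        sgx.intel.com/enclave: 1
        # EPC in bytes (the node above advertises 98566144); constructed
        # value, size it to what the enclave actually needs.
        sgx.intel.com/epc: "4194304"
      limits:
        # Extended resources must be whole integers and requests must equal limits.
        sgx.intel.com/enclave: 1
        sgx.intel.com/epc: "4194304"
    # sgx.intel.com/provision is deliberately not requested: this workload does
    # not need /dev/sgx/provision, and the README's by-hand deployment keeps
    # that pool at -provision-limit 1, so only the container that truly needs
    # the provisioning device should ask for it.
```

The scheduler places this pod only on nodes where sgx.intel.com/epc and sgx.intel.com/enclave are allocatable, so a pending pod is the first sign that NFD or the plugin is not running on any node.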

Deploying by hand

For development purposes, it is sometimes convenient to deploy the plugin 'by hand' on a node. In this case, you do not need to build the complete container image, and can build just the plugin.

Build SGX device plugin

$ cd $(go env GOPATH)/src/github.com/intel/intel-device-plugins-for-kubernetes
$ make sgx_plugin

Deploy SGX plugin

Deploy the plugin on a node by running it as root. The below is just an example - modify the parameters as necessary for your setup:

$ sudo $(go env GOPATH)/src/github.com/intel/intel-device-plugins-for-kubernetes/cmd/sgx_plugin/sgx_plugin \
-enclave-limit 50 -provision-limit 1 -v 2
I0626 20:33:01.414446  964346 server.go:219] Start server for provision at: /var/lib/kubelet/device-plugins/sgx.intel.com-provision.sock
I0626 20:33:01.414640  964346 server.go:219] Start server for enclave at: /var/lib/kubelet/device-plugins/sgx.intel.com-enclave.sock
I0626 20:33:01.417315  964346 server.go:237] Device plugin for provision registered
I0626 20:33:01.417748  964346 server.go:237] Device plugin for enclave registered