github/intel-device-plugins-for-kubernetes
7
0
Fork 0
mirror of https://github.com/intel/intel-device-plugins-for-kubernetes.git synced 2025-06-03 03:59:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
caa6f260dd
intel-device-plugins-for-ku.../cmd/sgx_admissionwebhook
History
Hyeongju Johannes Lee 09ba9fde00 Update tool versions and fix errors and warnings that originated from the update 
Update tool versions
Fix the errors and warnings originated from the update:
-Correct type deviceInfo (->DeviceInfo) to make it public
-Fix gpu_plugin.go and vpu_plugin_test.go where stylecheck errors occur
-Fix deprecation warnings
-Rename type 'PatcherManager' to 'Manager' to solve exported errors
-Rename type 'SgxMutator' to 'Mutator' to solve exported errors

Signed-off-by: Hyeongju Johannes Lee <hyeongju.lee@intel.com>
2021-08-25 07:09:34 +00:00
..
main.go Update tool versions and fix errors and warnings that originated from the update 2021-08-25 07:09:34 +00:00
README.md update to cert-manager v1.3.1 2021-04-22 14:45:39 +03:00

README.md

Intel SGX admission controller for Kubernetes

Table of Contents

Introduction

The SGX admission controller is one of the components used to add support for Intel SGX functionality to Kubernetes.

NOTE: Installation of the SGX admission controller can be skipped if the SGX device plugin is operated with the Intel Device Plugins Operator since it integrates the controller's functionality.

The SGX admission webhook is responsible for performing Pod mutations based on the sgx.intel.com/quote-provider pod annotation set by the user. The purpose of the webhook is to hide the details of setting the necessary device resources and volume mounts for using SGX remote attestation in the cluster. Furthermore, the SGX admission webhook is responsible for writing a pod/sandbox sgx.intel.com/epc annotation that is used by Kata Containers to dynamically adjust its virtualized SGX encrypted page cache (EPC) bank(s) size.

Installation

The following sections detail how to obtain, build and deploy the admission controller webhook plugin.

Pre-requisites

The simplest webhook deployment depends on having cert-manager installed:

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml

Also if your cluster operates behind a corporate proxy make sure that the API server is configured not to send requests to cluster services through the proxy. You can check that with the following command:

$ kubectl describe pod kube-apiserver --namespace kube-system | grep -i no_proxy | grep "\.svc"

In case there's no output and your cluster was deployed with kubeadm open /etc/kubernetes/manifests/kube-apiserver.yaml at the control plane nodes and append .svc and .svc.cluster.local to the no_proxy environment variable:

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.237.71.99
    ...
    env:
    - name: http_proxy
      value: http://proxy.host:8080
    - name: https_proxy
      value: http://proxy.host:8433
    - name: no_proxy
      value: 127.0.0.1,localhost,.example.com,10.0.0.0/8,.svc,.svc.cluster.local
    ...

Note: To build clusters using kubeadm with the right no_proxy settings from the very beginning, set the cluster service names to $no_proxy before kubeadm init:

$ export no_proxy=$no_proxy,.svc,.svc.cluster.local

Deployment

To deploy the webhook with cert-manager, run

$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_admissionwebhook/overlays/default-with-certmanager?ref=main