For workloads with strict confidentiality requirements, such as blockchain and key management, Container Service for Kubernetes (ACK) provides a cloud-native, all-in-one confidential computing container platform built on hardware-based trusted execution (Intel SGX). Sensitive data and code are processed inside a trusted execution environment (TEE), which blocks access from outside the enclave, including from the host OS and hypervisor, and reduces the risk of data breaches. Creating a confidential computing managed cluster through the console gives you this data confidentiality while minimizing the cost of developing and operating trusted or confidential applications.
Prerequisites
ACK is activated and authorized to access other cloud resources. For more information, see Activate and grant permissions to ACK.
Limits
Item | Limit | Reference
Networks | ACK clusters support only VPCs. |
Cloud resources (ECS) | The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console. | Change the billing method of an ECS instance from pay-as-you-go to subscription
VPC route entries | By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. To add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC. |
Security groups | By default, each account can create at most 100 security groups. |
SLB instances | By default, each account can create at most 60 pay-as-you-go SLB instances. |
EIP | By default, each account can create at most 20 EIPs. |
Procedure
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Click Cluster Templates, select Confidential Computing Cluster in the Managed Clusters area, and click Create.
On the ACK Managed Cluster tab, complete the cluster configuration.
Set the parameters in the following table exactly as described when you create an ACK managed cluster for confidential computing; otherwise the created cluster cannot run Intel SGX applications. For a complete description of the remaining cluster configuration, see Create an ACK managed cluster.
Parameter | Description
Confidential Computing | Select Enable so that the confidential computing feature of the cluster is enabled.
Zone | Only the following instance families support ACK managed clusters for confidential computing: Security-enhanced Compute Optimized Type c7t, Security-enhanced General Purpose Type g7t, and Security-enhanced Memory Optimized Type r7t. Make sure that the selected zones offer these instance families. For the ECS instance types available in each region and zone, see Instance Types Available for Each Region.
Container Runtime | Select containerd 1.4.4 or later.
Instance Type | Select instance types from the c7t, g7t, or r7t families listed under Zone. Note: Intel Ice Lake supports remote attestation only through Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation based on Intel Enhanced Privacy Identification (EPID) is not supported, so applications that depend on EPID attestation must be adapted to DCAP before they can use the remote attestation service. For more information about the remote attestation service, see attestation-services.
Operating System | Select Alibaba Cloud Linux 2.xxxx 64-bit (UEFI).
Network Plug-in | Only Flannel is supported.
After configuring the parameters as prompted, confirm the configuration, read and accept the terms of service, and then click Create Cluster.
After the cluster is created, you can find the cluster on the Clusters page in the ACK console.
Note: Creating a cluster that contains multiple nodes takes about 10 minutes.
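A cluster created with the wrong runtime, image or instance family silently ends up unable to run SGX enclaves, so it is worth verifying a node before scheduling confidential workloads on it. The following script is an added example, not a tool shipped with ACK: it checks, on one ECS node, the requirements from the table above (c7t/g7t/r7t instance family, UEFI boot, containerd 1.4.4 or later, SGX exposed by the CPU and kernel). The ECS metadata endpoint it queries (http://100.100.100.200/latest/meta-data/instance/instance-type) and the in-kernel SGX device nodes it looks for (/dev/sgx_enclave, /dev/sgx_provision) are assumptions of this example and are not stated on the page.

```shell
#!/bin/sh
# sgx-node-precheck.sh: verify that an ECS node meets the confidential
# computing cluster requirements listed above. Added example, not ACK code.
# Assumptions (not from the ACK page): the ECS metadata endpoint below and
# the in-kernel SGX device nodes /dev/sgx_enclave and /dev/sgx_provision.

MIN_CONTAINERD="1.4.4"
METADATA_URL="http://100.100.100.200/latest/meta-data/instance/instance-type"

# instance_family ecs.c7t.xlarge -> c7t
instance_family() {
  printf '%s\n' "$1" | awk -F'[.]' '{ print $2 }'
}

# Exit 0 when the instance type belongs to one of the SGX-capable families.
is_sgx_instance_family() {
  case "$(instance_family "$1")" in
    c7t|g7t|r7t) return 0 ;;
    *) return 1 ;;
  esac
}

# parse_containerd_version "containerd containerd.io 1.6.21 3dce8eb" -> 1.6.21
# Also accepts the "containerd github.com/containerd/containerd v1.4.4 ..." form.
parse_containerd_version() {
  printf '%s\n' "$1" | awk '{ sub(/^v/, "", $3); print $3 }'
}

# version_ge A B: exit 0 when dotted version A >= B, compared component-wise.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.]"); m = split(b, y, "[.]"); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Host checks: prints PASS/FAIL per requirement, returns the number of failures.
main() {
  fails=0
  itype=$(curl -s --max-time 2 "$METADATA_URL" || true)
  if [ -n "$itype" ] && is_sgx_instance_family "$itype"; then
    echo "PASS instance type $itype (family $(instance_family "$itype"))"
  else
    echo "FAIL instance type '${itype:-unknown}' is not in c7t/g7t/r7t"; fails=$((fails+1))
  fi

  if [ -d /sys/firmware/efi ]; then echo "PASS booted via UEFI"
  else echo "FAIL legacy BIOS boot; the UEFI image is required"; fails=$((fails+1)); fi

  cv=$(parse_containerd_version "$(containerd --version 2>/dev/null || echo 'containerd unknown 0')")
  if version_ge "$cv" "$MIN_CONTAINERD"; then echo "PASS containerd $cv >= $MIN_CONTAINERD"
  else echo "FAIL containerd '$cv' < $MIN_CONTAINERD"; fails=$((fails+1)); fi

  if grep -qw sgx /proc/cpuinfo; then echo "PASS CPU reports the sgx flag"
  else echo "FAIL no sgx flag in /proc/cpuinfo (SGX disabled or unsupported instance)"; fails=$((fails+1)); fi

  # /dev/sgx_enclave is needed to launch enclaves; /dev/sgx_provision is needed
  # for DCAP quote generation, the only attestation mode supported here.
  for dev in /dev/sgx_enclave /dev/sgx_provision; do
    if [ -c "$dev" ]; then echo "PASS $dev present"
    else echo "FAIL $dev missing (kernel SGX driver not loaded?)"; fails=$((fails+1)); fi
  done
  echo "$fails check(s) failed"
  return "$fails"
}

# Run the host checks only when invoked as `sh sgx-node-precheck.sh run`;
# sourcing the file just defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it as `sh sgx-node-precheck.sh run` on a node (for example through an SSH session or a privileged debug pod with the host filesystem mounted); a non-zero exit code means at least one requirement is not met, and the FAIL lines say which one. The instance family and containerd checks are plain string functions, so they can also be used from other scripts without touching the host.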
References
You can also add a node pool that supports confidential computing to an existing cluster; by default, the nodes in such a node pool support TEE-based confidential computing. For more information, see Create a node pool that supports confidential computing.
After the cluster is created, see Use TEE SDK to develop and build Intel SGX 2.0 applications to develop, build, and deploy an SGX 2.0 application based on TEE-SDK.
You can also create a node pool of Trust Domain Extensions (TDX) confidential VMs to give an existing cluster TDX confidential computing capability. For more information, see Create a node pool that supports TDX confidential VMs.
After such a node pool is created, you can run the Stable Diffusion XL Turbo model with CPU acceleration on g8i instances, with performance comparable to GPU inference. For more information, see Use CPU acceleration to accelerate Stable Diffusion XL Turbo models for text-to-image inference.