
Container Service for Kubernetes:Create an ACK managed cluster for confidential computing

Last Updated:Dec 13, 2024

For businesses with strict security requirements, such as blockchain and key management, Container Service for Kubernetes (ACK) provides a cloud-native and all-in-one confidential computing container platform based on hardware encryption technologies. This platform enables the secure handling of sensitive data and code within a trusted execution environment (TEE), preventing unauthorized access and reducing the risk of data breaches. By creating a confidential computing managed cluster through the console, you can enhance data confidentiality while minimizing the costs associated with developing and managing trusted or confidential applications.

Prerequisites

ACK is activated and authorized to access other cloud resources. For more information, see Activate and grant permissions to ACK.

Limits

Item: Networks
  Limit: ACK clusters support only VPCs.
  Reference: What is a VPC?

Item: Cloud resources
  ECS
    Limit: The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console.
    Reference: Change the billing method of an ECS instance from pay-as-you-go to subscription
  VPC route entries
    Limit: By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC.
    Link for increasing the quota: Quota Center
  Security groups
    Limit: By default, you can create at most 100 security groups with each account.
    Link for increasing the quota: View and increase resource quotas
  SLB instances
    Limit: By default, you can create at most 60 pay-as-you-go SLB instances with each account.
    Link for increasing the quota: Quota Center
  EIP
    Limit: By default, you can create at most 20 EIPs with each account.
    Link for increasing the quota: Quota Center

Procedure

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. Click Cluster Templates, select Confidential Computing Cluster in the Managed Clusters area, and click Create.

  3. On the ACK Managed Cluster tab, complete the cluster configuration.

    Configure the parameters as required in the following table when you create an ACK managed cluster for confidential computing. Otherwise, the created cluster cannot run Intel SGX applications. For a complete description of the cluster configuration, see Create an ACK managed cluster.

    Parameter: Confidential Computing
      Description: Select Enable to keep the confidential computing feature of the cluster enabled.

    Parameter: Zone
      Description: Only the following instance families support ACK managed clusters for confidential computing: Security-enhanced Compute Optimized Type c7t, Security-enhanced General Purpose Type g7t, and Security-enhanced Memory Optimized Type r7t. Make sure that the selected zones support these instance families. For more information about the ECS instance types available in different regions and zones, see Instance Types Available for Each Region.

    Parameter: Container Runtime
      Description: Select containerd version 1.4.4 or later.

    Parameter: Instance Type
      Description: Select instance types from the following instance families: Security-enhanced Compute Optimized Type c7t, Security-enhanced General Purpose Type g7t, and Security-enhanced Memory Optimized Type r7t.

      Note: Intel Ice Lake supports only remote attestation based on Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation based on Intel Enhanced Privacy Identification (EPID) is not supported, so applications that still use EPID must be adapted before they can use the remote attestation service. For more information about the remote attestation service, see attestation-services.

    Parameter: Operating System
      Description: Select Alibaba Cloud Linux 2.xxxx 64-bit (UEFI).

    Parameter: Network Plug-in
      Description: Only Flannel is supported.

  4. After you configure the parameters as prompted, confirm the configurations, read and select the terms of service, and then click Create Cluster.

    After the cluster is created, you can find the cluster on the Clusters page in the ACK console.

    Note

    It takes about 10 minutes to create a cluster that contains multiple nodes.
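Once the cluster is running, a practitioner will want to confirm that every worker node actually satisfies the requirements from the configuration table (an SGX-capable c7t, g7t or r7t instance family, containerd 1.4.4 or later, and Alibaba Cloud Linux), because a node that misses any of them cannot run SGX workloads. The following Python check is an added example, not code from this page or from ACK; it parses the JSON that `kubectl get nodes -o json` produces (a constructed sample is embedded so it runs offline) and reports each node's violations. The `ecs.<family>.<size>` form of the instance-type label, the sample node names and the sample osImage strings are assumptions.

```python
import json

# Requirements stated on this page for confidential computing worker nodes.
SGX_FAMILIES = {"c7t", "g7t", "r7t"}
MIN_CONTAINERD = (1, 4, 4)
OS_PREFIX = "Alibaba Cloud Linux"

def parse_runtime(runtime):
    """'containerd://1.6.20' -> ('containerd', (1, 6, 20)); tolerates '' and '-beta' suffixes."""
    name, _, ver = runtime.partition("://")
    nums = tuple(int(p) for p in ver.split("-")[0].split(".") if p.isdigit())
    return name, nums

def instance_family(instance_type):
    """Assumed ECS naming 'ecs.<family>.<size>': 'ecs.c7t.xlarge' -> 'c7t'."""
    parts = instance_type.split(".")
    return parts[1] if len(parts) >= 3 else ""

def node_problems(node):
    """Return the list of requirement violations for one Node object (empty if compliant)."""
    labels = node["metadata"].get("labels", {})
    info = node["status"]["nodeInfo"]
    problems = []
    fam = instance_family(labels.get("node.kubernetes.io/instance-type", ""))
    if fam not in SGX_FAMILIES:
        problems.append(f"instance family {fam or '?'} is not c7t/g7t/r7t")
    runtime = info.get("containerRuntimeVersion", "")
    name, ver = parse_runtime(runtime)
    if name != "containerd" or ver < MIN_CONTAINERD:
        problems.append(f"runtime {runtime!r} is not containerd >= 1.4.4")
    if not info.get("osImage", "").startswith(OS_PREFIX):
        problems.append(f"osImage {info.get('osImage')!r} is not Alibaba Cloud Linux")
    return problems

def check_nodes(node_list):
    """Map node name -> problems for every node in a NodeList dict."""
    return {n["metadata"]["name"]: node_problems(n) for n in node_list["items"]}

# Constructed sample shaped like `kubectl get nodes -o json`; values are not real output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "sgx-node-1", "labels": {"node.kubernetes.io/instance-type": "ecs.c7t.xlarge"}},
  "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.20",
                          "osImage": "Alibaba Cloud Linux 2.1903 LTS"}}},
 {"metadata": {"name": "plain-node-1", "labels": {"node.kubernetes.io/instance-type": "ecs.g6.large"}},
  "status": {"nodeInfo": {"containerRuntimeVersion": "docker://19.3.15",
                          "osImage": "CentOS Linux 7 (Core)"}}}]}""")

if __name__ == "__main__":
    for node_name, probs in check_nodes(SAMPLE).items():
        print(node_name, "OK" if not probs else "; ".join(probs))
```

To run it against a live cluster, replace the embedded sample with `json.load(sys.stdin)` and pipe in `kubectl get nodes -o json`.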
