
Container Service for Kubernetes:Create a node pool that supports TDX confidential VMs in an ACK cluster

Last Updated: Mar 04, 2024

Container Service for Kubernetes (ACK) supports Elastic Compute Service (ECS) instances that adopt the Intel® Trusted Domain Extension (Intel® TDX) technology. This allows you to create node pools that support TDX confidential VMs in ACK clusters, so that the clusters can run TDX confidential computing workloads. After you create a node pool that supports TDX confidential VMs, you can deploy applications in the node pool without changing the application code. This intrusion-free deployment enhances the security of your applications. This topic describes how to create a node pool that supports TDX confidential VMs in an ACK cluster and then deploy an application in the node pool.

Prerequisites

An ACK Pro cluster is created in the China (Beijing) region. For more information, see Create an ACK managed cluster.

Limits

To support a TDX confidential computing environment, a TDX-enabled instance must meet all of the following requirements:

  • Zone: Beijing Zone I

  • Instance type: ecs.g8i.xlarge or larger

  • Image: Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)

Important

TDX confidential computing has certain limits. Make sure that you understand the limits before you use TDX confidential computing. For more information, see Build a TDX confidential computing environment.

Introduction to TDX

Intel® TDX is a CPU hardware-based technology that provides hardware-assisted isolation and encryption for ECS instances to protect runtime data, such as CPU registers, memory data, and interrupt injections. TDX helps achieve higher levels of data privacy and mitigates the risks associated with unauthorized access to running processes or to sensitive data that is being processed. For more information about Intel® TDX, see Intel® Trust Domain Extensions (Intel® TDX).

Intel® TDX provides default out-of-the-box protection for your ECS instances and applications. You can migrate applications to a TDX-enabled instance without the need to modify the application code.

Node pools that support TDX confidential VMs can be seamlessly scaled and improve the confidentiality of operating systems and hardware. You can quickly create node pools that support TDX confidential VMs in ACK clusters to scale and maintain applications that require high security. Node pools that support TDX confidential VMs are suitable for various confidential computing scenarios, such as financial risk control, healthcare data privacy, AI-Generated Content (AIGC) and Large Language Model (LLM) inference and fine-tuning, confidential databases, and big data applications.


The following figure shows how to use hardware-based security features, such as TDX and Advanced Matrix Extensions (AMX), with end-to-end model data protection to ensure inference security.


Step 1: Create a node pool

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

  3. Click Create Node Pool in the upper-right corner of the page, configure parameters, and then click Confirm Order.

    The following table describes the key parameters. For more information, see Create a node pool.

    Parameter           Description

    vSwitch             Select vSwitches in Zone I.

    Auto Scaling        Keep the default setting. Auto scaling is disabled in this example.

    Instance Type       Select g8i.xlarge or higher.

    Expected Nodes      Specify the initial number of nodes in the node pool. Keep the default value 0.

    Operating System    Select Alibaba Cloud Linux 3.2104 UEFI.

    Click Show Advanced Options to configure the following parameter.

    Node Label          We recommend that you add node labels for pod scheduling.
                        • Key: nodepool-label
                        • Value: tdx-vm-pool

Step 2: Create an ECS instance that has TDX enabled

  1. Go to the ECS Custom Launch tab and create an ECS instance that has TDX enabled.

    The following table describes the key parameters. For more information, see Create an instance on the Custom Launch tab.

    Parameter           Description

    Region              Select the China (Beijing) region.

    Network and Zone    • VPC: Select the virtual private cloud (VPC) of the node pool that you created in Step 1.
                        • Zone: Select the vSwitches that you specified in Zone I in Step 1.

    Instance            Select g8i.xlarge or higher.

    Image               • Select Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI).
                        • Select Confidential VM.

    Security Group      Select the security group of the node pool that you created in Step 1.

(Optional) Step 3: Check the status of TDX on the ECS instance

Log on to the ECS instance and perform the following steps to check the status of TDX. Make sure that the ECS instance is under the protection of TDX.

  1. Check whether TDX is enabled.

    lscpu | grep -i tdx_guest

    If the command output contains the tdx_guest CPU flag, TDX is enabled.

  2. Check whether the TDX driver is installed.

    ls -l /dev/tdx_guest

    If the command output lists the /dev/tdx_guest device file, the TDX driver is installed.
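The two checks above can be combined into a single script that returns one pass/fail result, which is convenient for a post-provisioning check before an instance is added to the node pool. The script below is an added example and is not part of the ACK documentation; the function names are assumptions, and the sample lscpu lines are constructed for offline use rather than captured from a real instance.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): apply the two TDX checks
# from Step 3 and return 0 only when both pass.

# tdx_flag_present LSCPU_OUTPUT
# Returns 0 when the lscpu text contains the tdx_guest CPU flag.
tdx_flag_present() {
    printf '%s\n' "$1" | grep -qi 'tdx_guest'
}

# tdx_device_present PATH
# Returns 0 when PATH exists and is a character device; the TDX guest driver
# exposes /dev/tdx_guest as one.
tdx_device_present() {
    [ -c "$1" ]
}

# tdx_status LSCPU_OUTPUT DEVICE_PATH
# Prints a one-line summary and returns 0 only when both checks pass.
tdx_status() {
    lscpu_out=$1
    dev=$2
    if tdx_flag_present "$lscpu_out"; then flag=yes; else flag=no; fi
    if tdx_device_present "$dev"; then drv=yes; else drv=no; fi
    printf 'tdx_guest flag: %s, driver device %s: %s\n' "$flag" "$dev" "$drv"
    [ "$flag" = yes ] && [ "$drv" = yes ]
}

# check_tdx_live: run both checks against the host this script runs on.
check_tdx_live() {
    tdx_status "$(lscpu)" /dev/tdx_guest
}

# Constructed sample lscpu flag lines (not captured from a real instance):
# one with the tdx_guest flag, one without.
SAMPLE_LSCPU_TDX='Flags: fpu vme de pse tsc msr pae mce cx8 apic sep tdx_guest'
SAMPLE_LSCPU_PLAIN='Flags: fpu vme de pse tsc msr pae mce cx8 apic sep'

# Usage on a TDX-enabled ECS instance: sh check_tdx.sh --live
if [ "${1:-}" = "--live" ]; then
    check_tdx_live
fi
```

Running the script with --live on the instance exits with status 0 only when lscpu reports the tdx_guest flag and /dev/tdx_guest is present as a character device, so it can be wired into any provisioning check that gates on the exit status.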

Step 4: Add the ECS instance to the node pool

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

  3. Choose More > Add Existing Node in the Actions column of the node pool. On the Select Existing ECS Instance wizard page, set Mode to Auto, select the ECS instance that you created in Step 2, and then follow the on-screen instructions to complete the configuration.

    For more information about how to add an existing node, see Add existing ECS instances to an ACK cluster.

Step 5: Deploy an application

After a node pool that supports TDX confidential VMs is created, you can migrate your applications to the ECS instance that has TDX enabled in the node pool. The migration requires no changes to the applications.

Use the ACK console

  1. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

  2. Click Create from YAML in the upper-right corner of the page. Set Sample Template to Custom, copy the following YAML content, and then click Create.

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Make sure that the pod is scheduled to the ECS instance that has TDX enabled.
        nodepool-label: tdx-vm-pool

    After you complete the configuration, you can view the status and other information of the pod on the Pods page. If the pod is in the Running state, the application is deployed.

Use kubectl

  1. Make sure that a kubectl client is connected to your cluster.

  2. Create a file named pod-tdx-vm.yaml and add the following content to the file:

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Make sure that the pod is scheduled to the ECS instance that has TDX enabled.
        nodepool-label: tdx-vm-pool

  3. Run the following command to deploy the pod-tdx-vm.yaml file. A pod named pod-tdx-vm is created.

    kubectl apply -f pod-tdx-vm.yaml

  4. Run the following command to check whether the application is deployed:

    kubectl get pod pod-tdx-vm

    Expected output:

    NAME         READY   STATUS    RESTARTS   AGE
    pod-tdx-vm   1/1     Running   0          52s
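A Running status confirms only that the pod started, not that the nodeSelector placed it on the TDX node. The script below is an added example, not part of the ACK documentation, that reads the node the pod was scheduled to and verifies that the node carries the nodepool-label=tdx-vm-pool label from Step 1. The function names are assumptions, and the sample label strings are constructed rather than captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): confirm that pod-tdx-vm
# landed on a node that carries the nodepool-label=tdx-vm-pool label.

# node_has_label LABELS KEY VALUE
# LABELS is a comma-separated key=value list, the format kubectl prints in the
# LABELS column of `kubectl get node --show-labels`. Fixed-string, whole-line
# matching so that nodepool-label=tdx does not match nodepool-label=tdx-vm-pool.
node_has_label() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF "$2=$3"
}

# pod_placement_ok POD KEY VALUE
# Live check: find the node that runs POD and verify that it carries KEY=VALUE.
# Returns 0 on success and 1 when the pod is unscheduled or the label is absent.
pod_placement_ok() {
    pod=$1
    key=$2
    value=$3
    node=$(kubectl get pod "$pod" -o jsonpath='{.spec.nodeName}') || return 1
    if [ -z "$node" ]; then
        echo "pod $pod is not scheduled yet" >&2
        return 1
    fi
    # The LABELS column is the last field of the --show-labels output.
    labels=$(kubectl get node "$node" --no-headers --show-labels | awk '{print $NF}') || return 1
    if node_has_label "$labels" "$key" "$value"; then
        echo "pod $pod runs on $node, which has $key=$value"
        return 0
    fi
    echo "pod $pod runs on $node, which lacks $key=$value" >&2
    return 1
}

# Constructed label strings for offline use (not captured from a real cluster).
SAMPLE_LABELS_TDX='beta.kubernetes.io/arch=amd64,kubernetes.io/os=linux,nodepool-label=tdx-vm-pool'
SAMPLE_LABELS_OTHER='beta.kubernetes.io/arch=amd64,kubernetes.io/os=linux,nodepool-label=default'

# Usage against the cluster: sh check_placement.sh --live
if [ "${1:-}" = "--live" ]; then
    pod_placement_ok pod-tdx-vm nodepool-label tdx-vm-pool
fi
```

The check relies on the label being set on the node pool as recommended in Step 1; if the node has no such label, the script reports the mismatch and exits with status 1, which is the signal that the pod is not running under TDX protection.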