All Products
Search
Document Center

Container Service for Kubernetes:Create a node pool that supports TDX confidential VMs in an ACK cluster

最終更新日:Mar 04, 2024

Container Service for Kubernetes (ACK) supports Elastic Compute Service (ECS) instances that adopt the Intel® Trusted Domain Extension (Intel® TDX) technology. This allows you to create node pools that supports TDX confidential VMs in ACK clusters to enable the ACK clusters to support TDX confidential computing. After you create a node pool that supports TDX confidential VMs, you can deploy applications in the node pool without making code changes to the applications. The intrusion-free deployment enhances the security of your applications. This topic describes how to create a node pool that supports TDX confidential VMs in an ACK cluster and then deploy an application in the node pool.

Prerequisites

An ACK Pro cluster is created in the China (Beijing) region. For more information, see Create an ACK managed cluster.

Limits

To support a TDX confidential computing environment, a TDX-enabled instance must meet all of the following requirements:

  • Zone: Beijing Zone I

  • Instance type: ecs.g8i.xlarge or larger

  • Image: Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)

Important

TDX confidential computing has certain limits. Make sure that you understand the limits before you use TDX confidential computing. For more information, see Build a TDX confidential computing environment.

Introduction to TDX

Intel® TDX is a CPU hardware-based technology that provides hardware-assisted isolation and encryption for ECS instances to protect runtime data, such as CPU registers, memory data, and interrupt injections. TDX helps achieve higher levels of data privacy and mitigate risks that are associated with unauthorized access to running processes or sensitive data that is being processed. For more information about Intel® TDX, see Intel® Trust Domain Extensions (Intel® TDX).

Intel® TDX provides default out-of-the-box protection for your ECS instances and applications. You can migrate applications to a TDX-enabled instance without the need to modify the application code.

Node pools that support TDX confidential VMs can be seamlessly scaled and improve the confidentiality of operating systems and hardware. You can quickly create node pools that support TDX confidential VMs in ACK clusters to scale and maintain applications that require high security. Node pools that support TDX confidential VMs are suitable for various confidential computing scenarios, such as financial risk control, healthcare data privacy, AI-Generated Content (AIGC) and Large Language Model (LLM) inference and fine-tuning, confidential databases, and big data applications.

image

The following figure shows how to use hardware-based security features, such as TDX and Advanced Matrix Extensions (AMX), with end-to-end model data protection to ensure inference security.

image

Step 1: Create a node pool

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

  3. Click Create Node Pool in the upper-right corner of the page, configure parameters, and then click Confirm Order.

    The following table describes the key parameters. For more information, see Create a node pool.

    Parameter

    Description

    vSwitch

    Select vSwitches in Zone I.

    Auto Scaling

    Keep the default setting. Auto scaling is disabled in this example.

    Instance Type

    Select g8i.xlarge or higher.

    Expected Nodes

    Specify the initial number of nodes in the node pool. Keep the default value 0.

    Operating System

    Select Alibaba Cloud Linux 3.2104 UEFI.

    Click Show Advanced Options to configure the following parameter.

    Node Label

    We recommend that you add node labels for pod scheduling.

    • Key: nodepool-label

    • Value: tdx-vm-pool

Step 2: Create an ECS instance that has TDX enabled

  1. Go to the ECS Custom Launch tab and create an ECS instance that has TDX enabled.

    The following table describes the key parameters. For more information, see Create an instance on the Custom Launch tab.

    Parameter

    Description

    Region

    Selec the China (Beijing) region.

    Network and Zone

    • VPC: Select the virtual private cloud (VPC) of the node pool that you created in Step 1.

    • Zone: Select the vSwitches that you specified in Zone I in Step 1.

    Instance

    Select g8i.xlarge or higher.

    Image

    • Select Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI).

    • Select Confidential VM.

    Security Group

    Select the security group of the node pool that you created in Step 1.

(Optional) Step 3: Check the status of TDX on the ECS instance

Log on to the ECS instance and perform the following steps to check the status of TDX. Make sure that the ECS instance is under the protection of TDX.

  1. Check whether TDX is enabled.

    lscpu |grep -i tdx_guest

    The following command output indicates that TDX is enabled.tdx-install

  2. Check whether the TDX driver is installed.

    ls -l /dev/tdx_guest

    The following command output indicates that the TDX driver is installed.image

Step 4: Add the ECS instance to the node pool.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

  3. Choose More > Add Existing Node in the Actions column of the node pool. On the Select Existing ECS Instance wizard page, set Mode to Auto, select the ECS instance that you created in Step 2, and then follow the on-screen instructions to complete the configuration.

    For more information about how to add an existing node, see Add existing ECS instances to an ACK cluster.

Step 5: Deploy an application

After a node pool that supports TDX confidential VMs is created, you can migrate your applications to the ECS instance that has TDX enabled in the node pool. The migration is intrusion-free to the applications.

Use the ACK console

  1. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

  2. Click Create from YAML in the upper-right corner of the page. Set Sample Template to Custom, copy the following YAML content, and then click Create.

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Make sure that the pod is scheduled to the ECS instance that has TDX enabled.
        nodepool-label: tdx-vm-pool

    After you complete the configuration, you can view the status and other information of the pod on the Pods page. If the pod is in the Running state, the application is deployed.

Use kubectl

  1. A kubectl client is connected to your cluster.

  2. Create a file named pod-tdx-vm.yaml and add the following content to the file:

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: pod-tdx-vm
      name: pod-tdx-vm
    spec:
      containers:
        - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
          name: hello
          command:
          - sh
          - -c
          - 'echo hello && sleep infinity'
      nodeSelector:    # Make sure that the pod is scheduled to the ECS instance that has TDX enabled.
        nodepool-label: tdx-vm-pool
  3. Run the following command to deploy the pod-tdx-vm.yaml file. A pod named pod-tdx-vm is created.

    kubectl apply -f pod-tdx-vm.yaml
  4. Run the following command to check whether the application is deployed:

    kubectl get pod pod-tdx-vm

    Expected output:

    NAME         READY   STATUS    RESTARTS   AGE
    pod-tdx-vm   1/1     Running   0          52s