Skip to content

A Kubernetes device plugin that exposes Confidential Computing devices to workloads in Google Kubernetes Engine (GKE) clusters.

License

Notifications You must be signed in to change notification settings

google/cc-device-plugin

Confidential Computing device plugin for Kubernetes

Go Report Card

Introduction

This is a Kubernetes device plugin implementation that enables the registration of Confidential Computing devices in a Google Kubernetes Engine (GKE) for compute workload. With the appropriate GKE setup and this plugin deployed in your Kubernetes cluster, you will be able to run jobs (e.g. Attestation) that require Confidential Computing devices. (Note that: Current version supports TPM. Support for SEV SNP and TDX are on the way.)

Prerequisites

  • GKE

Limitations

  • This plugin targets Kubernetes v1.18+.

Deployment

The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices (e.g. TPM). The simplest way of doing so is to create a Kubernetes DaemonSet, which run a copy of a pod on all (or some) Nodes in the cluster. We have a pre-built Docker image on Goolge Artifact Registry that you can use for with your DaemonSet. This repository also have a pre-defined yaml file named cc-device-plugin.yaml. You can create a DaemonSet in your Kubernetes cluster by running this command:

kubectl create -f manifests/cc-device-plugin.yaml

or directly pull from the web using

kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml