Tags: kubernetes, sgx, confidential

How can I deploy SGX apps on Kubernetes?


I recently learned that Intel SGX processors are able to encrypt enclaves for persistent storage to disk. After this, I started to write my first SGX apps and now I am wondering if there is any opportunity to deploy them on Kubernetes?


Solution

  • Your question can be split into multiple steps:

    1. Having a Kubernetes cluster that exposes SGX to your apps

    You'll need Kubernetes nodes with SGX-capable CPUs. The way Kubernetes handles "special devices" such as SGX is through Device Plugins. Multiple SGX device plugins exist for Kubernetes:

    Once you've equipped a node with such a plugin, they provide you with a mechanism to expose the SGX device to your containers.

    2. Building SGX apps for Kubernetes and accessing SGX resources

    You'll need to bundle your enclave into a container and write the Kubernetes resource definitions. The most common language for Cloud Native Applications is probably Go. There is a great example for a confidential microservice application based on the EdgelessRT Go runtime and SDK(link), which uses the Azure device plugin for exposing SGX to the containers: https://github.com/edgelesssys/emojivoto

    3. Managing attestation, sealing, etc. for your SGX app

    Probably the most interesting point when deploying SGX apps on Kubernetes is SGX-specific orchestration. While Kubernetes handles all the general orchestration, SGX-specific tasks such as remote attestation, migration, and secrets management of your deployments need to be handled separately. The Marblerun service mesh addresses those tasks, namely:
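As an added illustration of step 2 (not code from the answer above or from the emojivoto project), here is a minimal Deployment manifest that requests SGX enclave memory through the Azure SGX device plugin's extended resource; the image name, namespace and EPC size are assumptions, and the resource name differs per plugin.

```yaml
# Added example: Deployment for a containerized SGX enclave app.
# Image, namespace and the 10 MiB EPC figure are assumed values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sgx-enclave-app
  namespace: confidential          # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sgx-enclave-app
  template:
    metadata:
      labels:
        app: sgx-enclave-app
    spec:
      containers:
        - name: enclave
          image: registry.example.com/sgx-enclave-app:0.1.0   # assumed image
          resources:
            limits:
              # Extended resource advertised by the Azure SGX device plugin
              # (value in MiB of Enclave Page Cache). Requesting it does two
              # things: the scheduler only places the pod on nodes whose
              # plugin reports SGX capacity, and the plugin injects the SGX
              # device nodes into the container at start-up.
              # With the Intel plugin the names are sgx.intel.com/enclave
              # and sgx.intel.com/epc instead.
              kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
          securityContext:
            # No privileged: true and no hostPath mount of /dev/sgx* are
            # needed; the device plugin grants access to the device only.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

The enclave's own attestation and sealing logic is unaffected by the manifest; the plugin only makes the device reachable from the container.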