forked from gramineproject/contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add example to deploy a GSC Python image to AKS cluster
Signed-off-by: aneessahib <[email protected]>
- Loading branch information
1 parent
df3f1b5
commit 43d771d
Showing
3 changed files
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # Deploying a "HelloWorld" graminized Python Docker image to AKS cluster | ||
|
|
||
| This example demonstrates how to translate the Python Docker Hub image to a | ||
| graminized image, which can be readily deployed to a confidential compute AKS | ||
| cluster. | ||
|
|
||
| *Warning:* this example relies on insecure arguments provided at runtime and | ||
| should not be used in production. To use trusted arguments, please see | ||
| [GSC documentation](https://gramine.readthedocs.io/projects/gsc). | ||
|
|
||
| - Pull Python image: | ||
|
|
||
| docker pull python | ||
|
|
||
| - Graminize the Python image using GSC, and allow insecure runtime arguments: | ||
|
|
||
| ./gsc build --insecure-args python python.manifest | ||
|
|
||
| - Sign the graminized image with your enclave signing key: | ||
|
|
||
| ./gsc sign-image python enclave-key.pem | ||
|
|
||
| - Push resulting image to Docker Hub or your preferred registry: | ||
|
|
||
| docker tag gsc-python <dockerhubusername>/gsc-aks-python | ||
| docker push <dockerhubusername>/gsc-aks-python | ||
|
|
||
| - Deploy `gsc-aks-python` job: | ||
|
|
||
| kubectl apply -f gsc-aks-python-deployment.yaml | ||
|
|
||
| - Test job status: | ||
|
|
||
| kubectl get jobs -l app=gsc-aks-python-deployment | ||
|
|
||
| - Receive logs of job: | ||
|
|
||
| kubectl logs -l app=gsc-aks-python-deployment | ||
|
|
||
| - Delete job after completion: | ||
|
|
||
| kubectl delete -f gsc-aks-python-deployment.yaml |
22 changes: 22 additions & 0 deletions
22
Examples/aks-python-helloworld/gsc-aks-python-deployment.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: gsc-aks-python | ||
| labels: | ||
| app: gsc-aks-python | ||
| spec: | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: gsc-aks-python | ||
| spec: | ||
| containers: | ||
| - name: gsc-aks-python | ||
| image: <dockerhubusername>/gsc-aks-python | ||
| imagePullPolicy: Always | ||
| args: ["-c", "print('HelloWorld!')"] # WARNING: providing args in the deployment file is insecure! | ||
| resources: | ||
| limits: | ||
| sgx.intel.com/epc: "10Mi" | ||
| restartPolicy: Never | ||
| backoffLimit: 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| sgx.enclave_size = "512M" | ||
| sgx.thread_num = 4 |