This is a validated pattern for deploying confidential containers on OpenShift.
The target operating model has two clusters:
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed.
- A second where a subset of workloads are deployed in confidential containers
For the current version of this application the confidential containers assumes deployment to Azure
On the platform a a sample workload is deployed
- Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee).
- This is currently working out of the box (or close to).
Future work includes:
- Red Hat OpenShift AI is deployed where a multi-layer perceptron to predict fraud is deployed as a confidential workload for inference
- Enirnonments which will work sucessfully across multiple cloud providers
- Only currently is known to work with
azureas the provider of confidential vms via peer-pods - Only known to work today with everything on one cluster. The work to expand this is in flight
- You must be able to get a lets-encrypt certificate. This means the service credentials in openshift must be able to manipulate the dns zone used by OpenSift.
- RHOAI data science cluster must be disabled until required components are deployed.
- Must be on 4.16.14 or later.
Today the demo has one flavour.
A number are planned based on various different hub cluster-groups.
You can change between behaviour by configuring global.main.clusterGroupName key in the values-global.yaml file.
values-simple.yaml: or the simple cluster group is the default for the pattern.
It deploys a hello-openshift application 3 times:
- A standard pod
- A kata container with peer-pods
- A confidential kata-container
values-ai.yaml: Is currently a work in progress.
The secrets here secure Trustee and the peer-pod vms. Mostly they are for demonstration purposes. This only has to be done once.
- Run
sh scripts/gen-secrets.sh
Red Hat a demo platform. This allows easy access for Red Hat associates and partners to ephemeral cloud resources. The pattern is known to work with this setup.
- Get the openshift installer
- NOTE: openshift installer must be updated regularly if you want to automatically provision the latest versions of OCP
- Get access to an Azure Subscription Based Blank Open Environment.
- Import the required azure environmental variables (see coded block):
export CLIENT_ID= export PASSWORD= export TENANT= export SUBSCRIPTION= export RESOURCEGROUP=
1. Run the wrapper install script
1. `sh ./rhdp/wrapper.sh`
1. You *should* be done
1. You *may* need to recreate the hello world peer-pods depending on timeouts.
#### Install azure *not* usign Red Hat Demo platform
**NOTE: Don't use the default node sizes.. increase the node sizes such as below**
1. Login to console.redhat.com
2. Get the openshift installer
3. Login to azure locally.
4. `openshift-install create install-config`
1. Select azure
2. For Red Hatter's and partners using RHDP make sure you select the same region for your account that you selected in RHDP
5. Change worker machine type e.g.
```yaml
platform:
azure:
type: Standard_D8s_v5
mkdir ./ocp-install && mv openshift-install.yaml ./ocp-installopenshift-install create cluster --dir=./ocp-install- Once installed:
- Login to
oc - `./pattern.sh make install
TBD
TBD
- Support spreading remote attestation and workload to separate clusters.
- Finish AI work.
- Allow use of bare metal infrastructure with Intel TDX or AMD SEV-SMP.