This is a Kubernetes device plugin implementation that enables the registration of Confidential Computing devices in a Google Kubernetes Engine (GKE) cluster for compute workloads. With the appropriate GKE setup and this plugin deployed, your Kubernetes cluster will be able to run jobs (e.g., Attestation) that require Confidential Computing devices.
This plugin supports the following technologies on GKE:
- vTPM / AMD SEV: Exposes the `google.com/cc` resource.
- AMD SEV-SNP: Exposes the `amd.com/sev-snp` resource. Requires AMD SEV-SNP machine types.
- Intel TDX: Exposes the `intel.com/tdx` resource. Requires Intel TDX machine types.
- A GKE cluster with node pools configured to support the desired Confidential Computing technology (SEV, SEV-SNP, or TDX). This includes selecting appropriate machine types and enabling Confidential Nodes in the node pool settings.
- For SEV-SNP, ensure the node pool uses AMD SEV-SNP machine types.
- For TDX, ensure the node pool uses Intel TDX machine types.
- This plugin targets Kubernetes v1.18+.
- Refer to Confidential VM Supported Configurations for specific version and region availability.
The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices. The simplest way to do this is to create a Kubernetes DaemonSet, which runs a copy of a pod on all (or some) Nodes in the cluster.
We have a pre-built Docker image on Google Artifact Registry that you can use with your DaemonSet. This repository also has a pre-defined YAML file named cc-device-plugin.yaml under manifests/. You can create the DaemonSet in your Kubernetes cluster by running this command using a stable version from the release repository:

```shell
kubectl create -f manifests/cc-device-plugin.yaml
```

or directly pull from the web using

```shell
kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml
```
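Once the DaemonSet pod on a node has registered with the kubelet, the node advertises the device as an extended resource and a workload consumes it by requesting that resource. The manifest below is an added example, not a file from the cc-device-plugin repository: the resource name `google.com/cc` is the one documented above for vTPM / SEV nodes, while the pod name, container image and command are hypothetical placeholders.

```yaml
# Added example (not part of the cc-device-plugin repository).
# A Pod that requests one Confidential Computing device from the plugin, so the
# scheduler only places it on a node where the DaemonSet has advertised the
# resource. Extended resources are integer-valued and the request must equal
# the limit, so listing the resource under limits alone is sufficient.
apiVersion: v1
kind: Pod
metadata:
  name: cc-attestation-job          # hypothetical name
spec:
  restartPolicy: Never
  containers:
  - name: attester
    image: example.com/attestation-client:latest   # hypothetical image
    command: ["/bin/sh", "-c", "ls -l /dev && sleep 30"]
    resources:
      limits:
        # vTPM / SEV nodes. On SEV-SNP or TDX node pools request
        # amd.com/sev-snp or intel.com/tdx instead.
        google.com/cc: 1
```

Apply it with `kubectl apply -f` and confirm placement with `kubectl get pod cc-attestation-job -o wide`. If the Pod stays Pending with a scheduling event reporting `Insufficient google.com/cc`, no node is currently advertising the resource: check that the DaemonSet pod is Running on the intended nodes and that `kubectl describe node <node>` lists `google.com/cc` under Capacity and Allocatable.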