SGX device plugin on Kubernetes
Kubernetes manages hardware resources like Intel SGX through its device plugin framework. The SGX device plugin can either be deployed manually or as a DaemonSet in the cluster. Different vendors provide open-source device plugins for SGX:
Marblerun checks if an SGX device plugin is already running and deploys Azure’s plugin otherwise.
Note: The Azure SGX plugin is not tied to Azure. We may, however, switch to Intel’s device plugin in the future.
Manually deploying an SGX device plugin
For different reasons, you may want to deploy the device plugin manually. This requires two steps. First, add
resources to your Kubernetes deployment spec as outlined below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oe-deployment
spec:
  selector:
    matchLabels:
      app: oe-app
  replicas: 1
  template:
    metadata:
      labels:
        app: oe-app
    spec:
      tolerations:
      - key: kubernetes.azure.com/sgx_epc_mem_in_MiB
        operator: Exists
        effect: NoSchedule
      containers:
      - name: <image_name>
        image: <image_reference>
        command: <exec>
        resources:
          limits:
            kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
Note that in this case, the plugin from Azure is used. Second, install Marblerun using the
marblerun install [--no-sgx-device-plugin]
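A pre-flight check for the manual setup above, as an added example that is not part of the Marblerun documentation or code: given the JSON from kubectl get nodes -o json and kubectl get deployment -o json, it reports whether each container requests the EPC resource and whether some node advertises enough of it and has its SGX taint tolerated. The function names, node names and EPC sizes are constructed for illustration.

```python
import json

# Extended resource name taken from the manifest above.
SGX_EPC = "kubernetes.azure.com/sgx_epc_mem_in_MiB"

def tolerates(tol, taint):
    """Kubernetes toleration matching: key, operator (default Equal), effect."""
    exists = tol.get("operator", "Equal") == "Exists"
    key_ok = tol.get("key") == taint["key"] or (exists and not tol.get("key"))
    val_ok = exists or tol.get("value", "") == taint.get("value", "")
    eff_ok = not tol.get("effect") or tol["effect"] == taint.get("effect")
    return key_ok and val_ok and eff_ok

def usable_nodes(nodes, pod_spec, epc_mib):
    """Names of nodes that advertise enough EPC and whose SGX taints the pod tolerates."""
    names = []
    for node in nodes["items"]:
        alloc = int(node["status"].get("allocatable", {}).get(SGX_EPC, 0))
        taints = [t for t in node.get("spec", {}).get("taints", []) if t["key"] == SGX_EPC]
        ok = all(any(tolerates(tol, t) for tol in pod_spec.get("tolerations", [])) for t in taints)
        if alloc >= epc_mib and ok:
            names.append(node["metadata"]["name"])
    return names

def check_deployment(deploy, nodes):
    """Problems that would leave a container without EPC memory; empty list means OK."""
    pod_spec, problems = deploy["spec"]["template"]["spec"], []
    for c in pod_spec["containers"]:
        limit = c.get("resources", {}).get("limits", {}).get(SGX_EPC)
        if limit is None:
            problems.append(f"{c['name']}: no {SGX_EPC} limit, SGX device is not requested")
        elif not usable_nodes(nodes, pod_spec, int(limit)):
            problems.append(f"{c['name']}: no node offers {limit} MiB EPC to this pod")
    return problems

# Constructed sample data, shaped like `kubectl get nodes -o json` / `get deployment -o json`.
NODES = json.loads("""{"items": [
 {"metadata": {"name": "sgx-0"},
  "spec": {"taints": [{"key": "kubernetes.azure.com/sgx_epc_mem_in_MiB", "effect": "NoSchedule"}]},
  "status": {"allocatable": {"kubernetes.azure.com/sgx_epc_mem_in_MiB": "56"}}},
 {"metadata": {"name": "plain-0"}, "status": {"allocatable": {"cpu": "4"}}}]}""")
DEPLOY = {"spec": {"template": {"spec": {
    "tolerations": [{"key": SGX_EPC, "operator": "Exists", "effect": "NoSchedule"}],
    "containers": [{"name": "oe-app", "resources": {"limits": {SGX_EPC: 10}}}]}}}}

if __name__ == "__main__":
    print(check_deployment(DEPLOY, NODES) or "deployment can be scheduled with EPC memory")
```

If no node lists the resource under allocatable at all, no device plugin is advertising it, which is the case to rule out before installing with the plugin deployment skipped.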