AKS with Confidential Computing. WHAAAT?

A lot of you might not know what confidential computing is. Yes, even I did not till a few weeks back when Microsoft introduced it for Azure Kubernetes. Confidential Computing Consortium is a community with contributions from leaders in the information technology industry. 

So what is really confidential computing?

At the storage level, data are secured by encrypting them. When you are transferring data, they can be encrypted by using secured channels and other protocols. But when an application actually uses your data, they are decrypted. 

Now you might wonder how can data remain encrypted when they are in need of display in the user interfaces. Confidential Computing does not address that. It is impossible as of now. But imagine situations such as processes that run internally to serve other purposes. Processes that are scheduled to perform some batch actions. What if we can keep data encrypted while performing those processes? Confidential computing addresses that.

The Confidential Computing Consotorium has listed 3 active projects that are being maintained as of now. 

• Intel Software Guard Extensions (Intel® SGX) Software Development
• Microsoft Open Enclave SDK
• Red Hat Enarx

What is on AKS?

Bringing confidential computing to your Azure worker roles is not such a difficult task.

1. When you are creating a Kubernetes cluster, you need to create the cluster with hardware that supports Intel SGX project. This means using Ubuntu DC-series virtual machines running versions 16.04 or 18.04.

2. Then you need to install the confidential computing device plugin on the virtual machines within the cluster.

3. For the code, you have to use Open enclave SDK.

4. Schedule the pods and containers to use Open Enclave SDK that supports Trusted Execution Environments as shown in the image below.

Source: Azure Blog