This is a validated pattern for deploying confidential containers on OpenShift.
The target operating model has two clusters:
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed.
- A second where a subset of workloads is deployed in confidential containers.
For the current version of this application, the confidential containers are assumed to be deployed to Azure.
On the platform a few workloads are deployed:
- Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (Trustee).
  - This is currently working out of the box (or close to it).
- Red Hat OpenShift AI is deployed, where a multi-layer perceptron to predict fraud is deployed as a confidential workload for inference.
  - This is currently a work in progress.
- Currently only known to work with azure as the provider of confidential VMs via peer-pods.
- Only known to work today with everything on one cluster. The goal is to fix this as soon as possible.
- You must be able to get a Let's Encrypt certificate.
- The RHOAI data science cluster must be disabled until the required components are deployed.
- Must be on OpenShift 4.16.14 or later.
NOTE: Don't use the default node sizes; increase the node sizes as shown below.
- Log in to console.redhat.com
- Get the openshift installer
- Log in to Azure locally.
- Create the install config:
  ```shell
  openshift-install create install-config
  ```
- Select azure
- For Red Hatters and partners using RHDP, make sure you select the same region for your account that you selected in RHDP
- Change the worker machine type (in the worker `compute` entry of install-config.yaml), e.g.
  ```yaml
  platform:
    azure:
      type: Standard_D8s_v5
  ```
- Move the generated install config into its own directory and create the cluster:
  ```shell
  # the installer writes install-config.yaml; that is the file to move
  mkdir ./ocp-install && mv install-config.yaml ./ocp-install
  openshift-install create cluster --dir=./ocp-install
  ```
- Set up values-secret-coco-pattern.yaml from the template.
- If you have not previously, run ./scripts/gen-ssh-key-azure.sh
- If you have not previously, run ./scripts/gen-kbs-keys.sh
- Populate the azure details: those that must be known already (CLIENT_ID etc.) by hand, and the rest, while logged into az, using sh ./get-azure-details.sh
- Update charts/all/sandbox/values.yaml with the appropriate azure details.
- Recommended: Disable the kata config until the system is up.
The following fields must be populated:
```yaml
global:
  azure:
    clientID: ''
    subscriptionID: ''
    tenantID: ''
    DNSResGroup: ''
    hostedZoneName: ''
    clusterResGroup: ''
    clusterSubnet: ''
    clusterNSG: ''
    clusterRegion: ''
```
- Run ./pattern.sh make install; this should deploy all elements.
- If it does not:
  - Most likely the hello-openshift deployments timed out without the VM templates.
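A pre-flight check before running `./pattern.sh make install`, added here as an example and not one of the pattern's own scripts: it reports which of the `global.azure` fields above are still at the template's empty value and whether the worker size was raised above the default. It assumes the values block has the flat shape shown above, that the digits after the family letters of an Azure size name (Standard_D8s_v5) are its vCPU count, and that 8 vCPUs is the floor implied by the suggested size; the sample values.yaml is constructed.

```python
import re
# Fields the README requires under global.azure in charts/all/sandbox/values.yaml.
REQUIRED_AZURE_FIELDS = ("clientID", "subscriptionID", "tenantID", "DNSResGroup",
                         "hostedZoneName", "clusterResGroup", "clusterSubnet",
                         "clusterNSG", "clusterRegion")
# Constructed sample (not a real cluster); three fields still hold the template's ''.
SAMPLE_VALUES = """\
global:
  azure:
    clientID: '00000000-0000-0000-0000-000000000000'
    subscriptionID: ''
    tenantID: '11111111-1111-1111-1111-111111111111'
    DNSResGroup: 'example-dns-rg'
    hostedZoneName: ''
    clusterResGroup: 'example-cluster-rg'
    clusterSubnet: ''
    clusterNSG: 'example-cluster-nsg'
    clusterRegion: 'eastus'
"""
def parse_nested_mapping(text):
    """Indentation-nested mappings of scalar strings; deliberately not a full YAML parser."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) of the open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip():                     # scalar; a quoted '' stays an empty string
            parent[key] = value.strip().strip("'\"")
        else:                                 # bare key opens a child mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root
def missing_azure_fields(values):
    """Required global.azure fields that are absent or still empty."""
    azure = values.get("global", {}).get("azure", {})
    return [f for f in REQUIRED_AZURE_FIELDS if not azure.get(f)]
def preflight(values_text, machine_type, min_vcpus=8):
    """Problems to fix before ./pattern.sh make install (8-vCPU floor assumed from Standard_D8s_v5)."""
    problems = [f"global.azure.{f} is empty"
                for f in missing_azure_fields(parse_nested_mapping(values_text))]
    m = re.match(r"Standard_[A-Z]+(\d+)", machine_type)  # assumption: digits = vCPU count
    if m is None or int(m.group(1)) < min_vcpus:
        problems.append(f"worker type {machine_type} is not a size with at least {min_vcpus} vCPUs")
    return problems
```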
- Support spreading remote attestation and workload to separate clusters.
- Finish the AI work.
- Allow use of bare metal infrastructure with Intel TDX or AMD SEV-SNP.