You can add a node pool to your AKS cluster with CVM using the generally available confidential VM sizes (DCav5/ECav5). Confidential VMs with AMD SEV-SNP support introduces a new set of security features, including full VM memory encryption, to protect data in use. These features enable CVM-enabled node pools to migrate highly sensitive container workloads to AKS without requiring any code refactoring while taking advantage of AKS’s features. CVM nodes use a customized Ubuntu 20.04 image that has been specially configured for CVM.
Note- Adding a node pool with CVM to your AKS cluster is currently in preview.
The Heterogenous Node Pools
AKS can now have both confidential and non-confidential node pools in the same cluster. This means that apps that process sensitive data can run in a VM-level TEE node pool with memory encryption keys generated by the chipset itself. In the near future, the DCasv5 and ECasv5 confidential VMs will also support remote guest attestation, allowing AKS admins to target pod deployments to only attested nodes. The image below depicts the AKS node’s code and data while protected by AMD SEV-SNP memory.
- Azure CLI installed.
- An existing AKS cluster in the region of westus, eastus, westeurope, or northeurope.
- For your subscription, you can choose from the DCasv5 and DCadsv5-series or the ECasv5 and ECadsv5-series.
A Few Constraints
When adding a node pool with CVM to AKS, the following limitations apply:
- It is not possible to use –enable-fips-image, ARM64, or Mariner
- Node pools that are already running can’t be upgraded to CVM
- For the region where the cluster is created, DCasv5 and DCadsv5-series or ECasv5 and ECadsv5-series SKUs must be available for your subscription
- To add a node pool with the CVM to AKS, use
az aks nodepool addand set
az aks nodepool add \ --resource-group myResourceGroup \ --cluster-name myAKSCluster \ --name cvmnodepool \ --node-count 3 \ --node-vm-size Standard_DC4as_v5
2. To verify a node pool uses CVM, use
az aks nodepool show and verify the
az aks nodepool show \ --resource-group myResourceGroup \ --cluster-name myAKSCluster \ --name cvmnodepool \ --query 'vmSize'
3. To remove a node pool with CVM from an AKS cluster, use
az aks nodepool delete.
az aks nodepool delete \ --resource-group myResourceGroup \ --cluster-name myAKSCluster \ --name cvmnodepool
For more details Confidential VM in AKS