In an Azure Kubernetes Service (AKS) cluster, use Confidential Virtual Machines (CVM)
Date: 26/10/2022 | Categories: azure

You can add a node pool with CVM to your AKS cluster using the generally available confidential VM sizes (DCav5/ECav5). Confidential VMs with AMD SEV-SNP support introduce a new set of security features, including full VM memory encryption, to protect data in use. These features let you migrate highly sensitive container workloads to CVM-enabled node pools in AKS without any code refactoring, while still taking advantage of AKS's features. CVM nodes use a customized Ubuntu 20.04 image that has been specially configured for CVM.

Note: adding a node pool with CVM to your AKS cluster is currently in preview.

Heterogeneous Node Pools

AKS can now have both confidential and non-confidential node pools in the same cluster. This means that apps that process sensitive data can run in a VM-level TEE node pool whose memory encryption keys are generated by the chipset itself. In the near future, the DCasv5 and ECasv5 confidential VMs will also support remote guest attestation, allowing AKS admins to target pod deployments only to attested nodes. The image below depicts the AKS node's code and data while protected by AMD SEV-SNP memory encryption.

Prerequisites

  1. Azure CLI installed.
  2. An existing AKS cluster in the region of westus, eastus, westeurope, or northeurope.
  3. The DCasv5 and DCadsv5-series or the ECasv5 and ECadsv5-series SKUs must be available for your subscription.

A Few Constraints

When adding a node pool with CVM to AKS, the following limitations apply:

  1. It is not possible to use --enable-fips-image, ARM64, or Mariner.
  2. Node pools that are already running can't be upgraded to CVM.
  3. DCasv5 and DCadsv5-series or ECasv5 and ECadsv5-series SKUs must be available to your subscription in the region where the cluster is created.

Examples:

  1. To add a node pool with CVM to AKS, use az aks nodepool add and set --node-vm-size to Standard_DC4as_v5.

    az aks nodepool add \
        --resource-group myResourceGroup \
        --cluster-name myAKSCluster \
        --name cvmnodepool \
        --node-count 3 \
        --node-vm-size Standard_DC4as_v5

  2. To verify that a node pool uses CVM, use az aks nodepool show and check that vmSize is Standard_DC4as_v5.

    az aks nodepool show \
        --resource-group myResourceGroup \
        --cluster-name myAKSCluster \
        --name cvmnodepool \
        --query 'vmSize'

  3. To remove a node pool with CVM from an AKS cluster, use az aks nodepool delete.

    az aks nodepool delete \
        --resource-group myResourceGroup \
        --cluster-name myAKSCluster \
        --name cvmnodepool
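The add-and-verify steps above are easy to get subtly wrong (a non-confidential SKU, an unsupported region, or a flag the preview rejects), so here is an added example, not code from the post or from Microsoft, that encodes the constraints listed above as pre-flight checks and validates the vmSize reported by az aks nodepool show. The function names are hypothetical, the region list and SKU families come from the prerequisites and constraints above, and the resource names are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the post or Microsoft: pre-flight checks that encode the
# constraints above, plus a check that the vmSize az reports for a pool really is a
# confidential SKU. Resource names are the post's placeholders.

# Regions listed in the prerequisites as supporting CVM node pools.
CVM_REGIONS="westus eastus westeurope northeurope"

# 0 if SIZE is in the DCasv5/DCadsv5 or ECasv5/ECadsv5 families
# (e.g. Standard_DC4as_v5, Standard_EC8ads_v5); any other size fails.
is_cvm_size() {
    printf '%s' "$1" | grep -Eq '^Standard_[DE]C[0-9]+ad?s_v5$'
}

# 0 if REGION is one of the regions where CVM node pools can be created.
is_cvm_region() {
    for r in $CVM_REGIONS; do [ "$r" = "$1" ] && return 0; done
    return 1
}

# preflight REGION SIZE [EXTRA_AZ_FLAGS...]: fails on any constraint from the
# post (unsupported region, non-CVM SKU, or combining CVM with --enable-fips-image).
preflight() {
    region="$1"; size="$2"; shift 2
    is_cvm_region "$region" || { echo "$region: CVM node pools unavailable" >&2; return 1; }
    is_cvm_size "$size" || { echo "$size: not a DCasv5/DCadsv5/ECasv5/ECadsv5 SKU" >&2; return 1; }
    for f in "$@"; do
        [ "$f" = "--enable-fips-image" ] && { echo "$f cannot be used with CVM" >&2; return 1; }
    done
    return 0
}

# build_add_cmd RG CLUSTER POOL COUNT SIZE: prints the az command as a string,
# so it can be reviewed or logged before being run.
build_add_cmd() {
    printf 'az aks nodepool add --resource-group %s --cluster-name %s --name %s --node-count %s --node-vm-size %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# verify_pool_size SHOWN_SIZE: pass the output of
#   az aks nodepool show -g RG --cluster-name C -n POOL --query vmSize -o tsv
# Succeeds only if the running pool reports a confidential size.
verify_pool_size() {
    shown=$(printf '%s' "$1" | tr -d '"')   # tolerate -o json quoting
    is_cvm_size "$shown" && { echo "node pool runs on CVM size $shown"; return 0; }
    echo "node pool is NOT confidential: $shown" >&2
    return 1
}
```

Source the file, run `preflight eastus Standard_DC4as_v5 && eval "$(build_add_cmd myResourceGroup myAKSCluster cvmnodepool 3 Standard_DC4as_v5)"`, then feed the `az aks nodepool show ... --query vmSize -o tsv` output to `verify_pool_size` before scheduling sensitive workloads onto the pool.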

For more details, see Confidential VM in AKS.