Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service
The growth of container and microservices adoption across industry continues to accelerate at impressive rates. According to Forrester’s report on Container Security, 58% of developers report that their companies currently use containers or plan to use containers in the next 12 months.
However, according to the same report, security concerns about containers are still top of mind—43% of the respondents said that security was a challenge hindering container adoption. When we talk to our customers, their concerns revolve around understanding the security paradigm shift when using containers and microservices and providing the same level of isolation and insights that they get from on-prem compute resources.
IBM Cloud Kubernetes Service
IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging advanced cloud services like blockchain, IoT, and AI through IBM Watson.
Announced in March 2018, bare metal worker nodes provide greater isolation and performance for containerized workloads. Now with the Intel® SGX capability, developers can protect their code and data in CPU-hardened "enclaves", a form of trusted execution environment (TEE).
Intel® SGX worker nodes on IBM Cloud Kubernetes Service
IBM Cloud Kubernetes Service provides ease of operations (multizone worker node clusters, HA master nodes, platform upgrades for security and open-source updates, and worker node auto-scaling) in a secure environment (access controls using resource groups, customer-managed keys with IBM Key Protect, fine-grained access controls for IBM Cloud Container Registry and the Kubernetes Service with Identity and Access Manager) that is compliant (HIPAA-ready, SOC 1, SOC 2 Type 1, ISAE 3402) and available where you want to run it (Tokyo MZR, San Jose, Oslo, Milan, and our existing data centers). With support for Intel® SGX worker nodes, the service brings those capabilities to your runtime memory-protected workloads.
Take the following steps to provision Intel® SGX bare metal worker nodes on the IBM Cloud Kubernetes Service:
- Go to the IBM Cloud catalog and select Kubernetes Service under Containers.
- Click Create on the next screen.
- Select Bare Metal under Hardware isolation and choose the highlighted bare metal flavor (mb2c.4×32). The bare metal worker nodes come SGX-enabled in the BIOS.
- Bare metal server provisioning may take several hours. Once the cluster is up, you will see the Normal status for the cluster.
Installing Intel® SGX driver and PSW
You can install the Intel® SGX driver and PSW (Platform Software) by deploying the datashield-sgx-driver-psw-installer container to your cluster.
- Log in to IBM Cloud and target your cluster.
- Log in to the IBM Cloud registry.
- Set your region to the global registry.
- Find the latest image and then install it. Example output:
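Once the installer has run, a practitioner will want to confirm that the node really exposes SGX before scheduling enclave workloads onto it. The following shell script is an added example, not part of this post or of IBM's or Intel's tooling. It assumes that an SGX-enabled node lists the `sgx` CPU flag (and, with flexible launch control, `sgx_lc`) in `/proc/cpuinfo`, and that the legacy out-of-tree Intel SGX driver installed by a driver/PSW installer creates the `/dev/isgx` device node (the in-kernel driver of newer kernels uses `/dev/sgx_enclave` instead, which is why the device path is a parameter). The cpuinfo samples in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's or Intel's code): verify that a worker node exposes
# SGX after provisioning and after the SGX driver/PSW installer has run.
# Assumptions: an SGX-enabled node lists the "sgx" flag in /proc/cpuinfo, and
# the legacy Intel SGX driver creates /dev/isgx (newer in-kernel drivers use
# /dev/sgx_enclave, so the device path can be overridden).

# sgx_cpu_flags CPUINFO_TEXT
# Prints which SGX-related CPU flags are present in the given cpuinfo text.
# Returns 0 when the base "sgx" flag is present, 1 otherwise.
sgx_cpu_flags() {
    cpuinfo="$1"
    # Take the flags list from the first "flags" line.
    flags=$(printf '%s\n' "$cpuinfo" | awk -F: '/^flags/ { print $2; exit }')
    found=1
    for f in $flags; do
        case "$f" in
            sgx)    echo "sgx: enabled in BIOS and supported by the CPU"; found=0 ;;
            sgx_lc) echo "sgx_lc: flexible launch control available" ;;
        esac
    done
    [ "$found" -eq 0 ] || echo "sgx: flag missing (SGX disabled in BIOS or unsupported CPU)"
    return "$found"
}

# sgx_device_present [DEVICE_PATH]
# Returns 0 when the SGX device node exists (driver loaded), 1 otherwise.
sgx_device_present() {
    dev="${1:-/dev/isgx}"
    if [ -e "$dev" ]; then
        echo "$dev present: SGX driver loaded"
        return 0
    fi
    echo "$dev missing: driver/PSW installer has not run or failed"
    return 1
}

# Constructed samples, not real node output: abbreviated cpuinfo text for an
# SGX-capable node and for a node without SGX.
SAMPLE_CPUINFO_SGX='processor : 0
flags : fpu vme sse2 sgx aes avx2 sgx_lc'
SAMPLE_CPUINFO_NOSGX='processor : 0
flags : fpu vme sse2 aes avx2'

# When run with --live on a worker node, check the real node.
if [ "${1:-}" = "--live" ]; then
    sgx_cpu_flags "$(cat /proc/cpuinfo)" && sgx_device_present
fi
```

Run it as `sh sgx-check.sh --live` inside a privileged pod or a host shell on the worker node; both checks must pass before an enclave application such as the datashield images mentioned below can start. Checking the CPU flag and the device node separately distinguishes a BIOS/hardware problem from an installer failure.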
You can find Intel® SGX-enabled container applications—MySQL, Vault, Nginx—in the IBM Cloud Container Registry public repositories. (Search for datashield-mysql/vault/nginx.)
The IBM Cloud docs on getting started are located here.