AKS question addition

Author: jl-pm

articles/security/fundamentals/trusted-hardware-identity-management.md

@@ -86,6 +86,89 @@ curl GET "http://169.254.169.254/metadata/THIM/amd/certification" -H "Metadata:
 | tcbm | Trusted Computing Base |
 | certificateChain | Includes the AMD SEV Key (ASK) and AMD Root Key (ARK) certificates |
 
+### How do I request AMD collateral in an Azure Kuberenetes Service (AKS) Container on a Confidential Virtual Machine (CVM) node?
+
+Follow the steps below for requesting AMD collateral in a confidential container. 
+1. Start by creating an AKS cluster on CVM mode or adding a CVM node pool to the existing cluster
+    1. Create an AKS Cluster on CVM node.
+       1. Create a resource group in one of the CVM supported regions
+         ```bash
+         az group create --resource-group <RG_NAME> --location <LOCATION> 
+         ```
+       2. Create an AKS cluster with one CVM node in the resource group. 
+         ```bash
+         az aks create --name <CLUSTER_NAME> \ 
+         --resource-group <RG_NAME> \ 
+         -l <LOCATION> \ 
+         --node-vm-size Standard_DC4as_v5 \ 
+         --nodepool-name <POOL_NAME> \ 
+         --node-count 1 
+         ```
+       3. Configure kubectl to connect to the cluster. 
+         ```bash
+         az aks get-credentials --resource-group <RG_NAME> --name <CLUSTER_NAME> 
+         ```
+    2. Add a CVM node pool to the existing AKS cluster.
+      ```bash
+      az aks nodepool add --cluster-name <CLUSTER_NAME> \ 
+      --resource-group <RG_NAME> \ 
+      --name <POOL_NAME > \ 
+      --node-vm-size Standard_DC4as_v5 \ 
+      --node-count 1 
+      ```
+    3. Verify the connection to your cluster using the kubectl get command. This command returns a list of the cluster nodes.
+      ```bash
+      kubectl get nodes 
+      ```
+    The following output example shows the single node created in the previous steps. Make sure the node status is Ready: 
+    | NAME | STATUS | ROLES | AGE | VERSION |
+    |--|--|--|--|--|
+    | aks-nodepool1-31718369-0 | Ready | agent | 6m44s | v1.12.8 |
+
+2. Once the AKS cluster is created, create a curl.yaml file with the following content. It defines a job that runs a curl container to fetch AMD collateral from the THIM endpoint. For more information about Kubernetes Jobs, please visit HERE. 
+
+    curl.yaml
+    ```bash
+    apiVersion: batch/v1 
+    kind: Job 
+    metadata: 
+      name: curl 
+    spec: 
+      template: 
+        metadata: 
+          labels: 
+            app: curl 
+        spec: 
+          nodeSelector: 
+            kubernetes.azure.com/security-type: ConfidentialVM 
+          containers: 
+            - name: curlcontainer 
+              image: alpine/curl:3.14 
+              imagePullPolicy: IfNotPresent 
+              args: ["-H", "Metadata:true", "http://169.254.169.254/metadata/THIM/amd/certification"] 
+          restartPolicy: "Never" 
+    ```
+    
+    Arguments
+    | Name | Type | Description |
+    |--|--|--|
+    | Metadata | Boolean | Setting to True to allow for collateral to be returned |
+3. Run the job by applying the curl.yaml
+    ```bash
+    kubectl apply -f curl.yaml 
+    ```
+4. Check and wait for the pod to complete its job.
+    ```bash
+    kubectl get pods 
+    ```
+    | Name | Ready | Status | Restarts | Age |
+    |--|--|--|--|--|
+    | Curl-w7nt8  | 0/1 | Completed | 0 | 72s |
+5. Run the following command to get the job logs and validate if it is working. A successful output should include vcekCert, tcbm and certificateChain.
+    ```bash
+    kubectl logs job/curl  
+    ``` 
+
 ## Next steps
 
 - Learn more about [Azure Attestation documentation](../../attestation/overview.md)