diff --git a/README.md b/README.md
index 5ffa304..bb89cd8 100644
--- a/README.md
+++ b/README.md
@@ -36,3 +36,80 @@ To install the 5g-core, follow these steps: To install 5gc in one go, run `make 5gc-install`. #### Uninstall - run `make 5gc-uninstall` + +### Confidential Containers Configuration (Optional) + +To deploy 5G core network functions in confidential containers, add the following configuration to your `vars/main.yaml` file under the `core` section: + +```yaml +core: + # ... existing configuration ... + + # Confidential Container Configuration + confidential_containers: + enabled: false # Set to true to enable confidential containers + runtime_class: "kata-qemu" # Runtime class (default: kata-qemu) + annotation: + enabled: false # Enable Kata-specific annotations + kernel_params: "" # Custom kernel parameters (leave empty for defaults) + attestation: + enabled: false # Enable attestation verification + required: false # If true, pods fail when attestation fails + kbs_address: "" # Key Broker Service address (e.g., "http://kbs-service:8080") + url: "http://127.0.0.1:8006/aa/token?token_type=kbs" # Attestation endpoint + timeout: 300 # Attestation timeout in seconds +``` +#### Confidential Container Prerequisites + +Before enabling confidential containers, ensure: + +- Kata Containers is installed on all Kubernetes nodes +- Runtime Class is configured in your cluster: + +```bash +kubectl get runtimeclass +``` + +- KBS (Key Broker Service) is deployed if using attestation +- Hardware support for TDX confidential computing + +#### Configuration Examples + +Basic Confidential Containers (no attestation): + +```yaml +confidential_containers: + enabled: true + runtime_class: "kata-qemu" + annotation: + enabled: false + attestation: + enabled: false +``` + +Full Confidential Containers with Attestation: + +```yaml +confidential_containers: + enabled: true + runtime_class: "kata-qemu" + annotation: + enabled: true + kernel_params: "" # Uses default KBS parameters + attestation: + enabled: true + required: true + kbs_address: 
"http://kbs-service.kbs-system:8080" +``` + +#### Verification + +After deployment, verify confidential containers are working: + +```bash +# Check runtime class assignment +kubectl get pods -n aether-5gc -o custom-columns=NAME:.metadata.name,RUNTIME:.spec.runtimeClassName + +# Check pod annotations +kubectl get pod -n aether-5gc -o jsonpath='{.metadata.annotations}' | jq . +``` diff --git a/roles/core/templates/sdcore-5g-values.yaml b/roles/core/templates/sdcore-5g-values.yaml index 9a03d7f..7da1d51 100644 --- a/roles/core/templates/sdcore-5g-values.yaml +++ b/roles/core/templates/sdcore-5g-values.yaml @@ -21,6 +21,20 @@ omec-control-plane: # amf: # refer to above Helm Chart to add other NF images + # Confidential Container Configuration + confidentialContainers: + enabled: {{ core.confidential_containers.enabled | default('false') }} + runtimeClassName: {{ core.confidential_containers.runtime_class | default('kata-qemu') }} + annotation: + enabled: {{ core.confidential_containers.annotation.enabled | default('false') }} + kernelParams: {{ core.confidential_containers.annotation.kernel_params | default('') | quote }} + attestation: + enabled: {{ core.confidential_containers.attestation.enabled | default('false') }} + required: {{ core.confidential_containers.attestation.required | default('false') }} + kbsAddress: {{ core.confidential_containers.attestation.kbs_address | default('') | quote }} + attestationUrl: {{ core.confidential_containers.attestation.url | default('http://127.0.0.1:8006/aa/token?token_type=kbs') | quote }} + timeout: {{ core.confidential_containers.attestation.timeout | default(300) }} + kafka: deploy: true