You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+11-11Lines changed: 11 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,28 +2,30 @@
2
2
3
3
This is a validated pattern for deploying confidential containers on OpenShift.
4
4
5
-
The target operating model has two clusters:
5
+
There are two topologies for deploying this pattern:
6
6
7
-
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed.
8
-
- A second where a subset of workloads are deployed in confidential containers.
7
+
1.*Default* using a single cluster. This breaks the RACI expected in a remote attestation architecture, however, makes it easier to test. This uses the `simple``clusterGroup`.
8
+
2. A more secure operating model that has two clusters:
9
+
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed. This is also the Advanced Cluster Manager Hub cluster. It uses the `trusted-hub``clusterGroup`.
10
+
- A second where a subset of workloads are deployed in confidential containers. It uses the `spoke``clusterGroup`
9
11
10
12
The current version of this application the confidential containers assumes deployment to Azure.
11
13
12
-
On the platform a sample workload is deployed:
14
+
On the cluster where confidential workloads are deployed two sample applications are deployed:
13
15
14
16
1. Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee).
15
17
2. A sample application `kbs-access` which presents secrets obtained from trustee to a web service. This is designed to allow users to test locked down environments.
16
18
17
19
Future work includes:
18
20
19
-
1. Supporting a multiple cluster deployment
20
-
2. Supporting multiple infrastructure providers
21
-
3. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs.
21
+
1.~~Supporting a multiple cluster deployment~~ Done
22
+
2. Supporting multiple infrastructure providers - Work in Progress.
23
+
3. Supporting air-gapped deployments - Work in Progress.
24
+
4. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs.
22
25
23
26
## Current constraints and assumptions
24
27
25
28
- Only currently is known to work with `azure` as the provider of confidential vms via peer-pods.
26
-
- Only known to work today with everything on one cluster. The work to expand this is in flight.
27
29
- Below version 3.1, if not using ARO you must either provide your own CA signed certs, or use let's encrypt.
28
30
- Must be on 4.16.14 or later.
29
31
@@ -61,8 +63,6 @@ The pattern has been tested on Azure for two installation methods:
61
63
1. Installing onto an ARO cluster
62
64
2. Self managed OpenShift install using the `openshift-install` CLI.
63
65
64
-
> [!IMPORTANT]
65
-
> You need an external CA signed certificate for to be added (e.g. with let's encrypt) to a self-managed install
66
66
67
67
### `1.0.0`
68
68
@@ -75,7 +75,7 @@ The pattern has been tested on Azure for one installation method:
75
75
76
76
## Validated pattern flavours
77
77
78
-
**Today the demo has one flavour**.
78
+
**Today the demo has two flavour**.
79
79
A number are planned based on various different hub cluster-groups.
80
80
You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file.
0 commit comments