Architecture
The Anjuna Kubernetes Toolset enables Anjuna Confidential Pods to be deployed and orchestrated on an Azure Kubernetes Service (AKS) cluster.
Your workloads run on isolated confidential virtual machines while remaining part of the cluster network and fully compatible with Kubernetes features. Unauthorized third parties, such as cluster administrators or the cloud service provider, cannot inspect or modify your workloads.
The Anjuna Kubernetes Toolset configures your cluster with all the required components and provides tools to build and measure Anjuna Confidential Pods from your regular container image.
Workflow overview
Once a cluster is configured, the following flow can be used to deploy Confidential Pods:
- Build and measure an Anjuna Confidential Pod image from a regular container image
- Push the Anjuna Confidential Pod image to an Azure Shared Image Gallery
- Add the label io.anjuna/run-confidential: "yes" to the Pod's metadata labels
- Add an annotation to the Pod spec with the Azure Shared Image Gallery URI for the Anjuna Confidential Pod image
- Create your Pod using your preferred method (kubectl, helm, the Kubernetes SDK, etc.)
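As an added example (not part of the Anjuna documentation or of the toolset itself), the following Python builds a Pod manifest that carries the label from the third step and the gallery annotation from the fourth, and lints a manifest before it is applied. The annotation key, the sample gallery URI, the image name and the namespace are assumptions: the page does not name the annotation key, so the one below is a placeholder to be replaced with the key given in the Anjuna documentation.

```python
"""Added example, not Anjuna's code: build and lint a Pod manifest that carries
the Anjuna Confidential Pod label and the Shared Image Gallery annotation."""
import json
import re

CONFIDENTIAL_LABEL = "io.anjuna/run-confidential"   # label from the workflow above

# ASSUMPTION: the page does not name the annotation key; this is a placeholder.
# Replace it with the key given in the Anjuna documentation.
GALLERY_ANNOTATION = "example.com/anjuna-image-uri"

# Layout of an Azure Shared Image Gallery image-version resource ID.
SIG_IMAGE_VERSION_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Compute/galleries/(?P<gallery>[^/]+)"
    r"/images/(?P<image>[^/]+)"
    r"/versions/(?P<version>\d+\.\d+\.\d+)$"
)

# Constructed sample value (not a real resource).
SAMPLE_GALLERY_URI = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-confidential/providers/Microsoft.Compute"
    "/galleries/anjunaGallery/images/myapp-confidential/versions/1.0.0"
)


def parse_gallery_uri(uri):
    """Return the components of a gallery image-version ID, or None if malformed."""
    match = SIG_IMAGE_VERSION_RE.match(uri or "")
    return match.groupdict() if match else None


def confidential_pod(name, image, gallery_uri, namespace="default"):
    """Build a minimal Pod manifest tagged for confidential deployment."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # The label value must be the *string* "yes". In YAML, write it
            # quoted: an unquoted yes is parsed as the boolean true.
            "labels": {CONFIDENTIAL_LABEL: "yes"},
            "annotations": {GALLERY_ANNOTATION: gallery_uri},
        },
        "spec": {"containers": [{"name": name, "image": image}]},
    }


def lint_confidential_pod(manifest):
    """Return a list of problems that would stop the Pod from being run as an
    Anjuna Confidential Pod; an empty list means the manifest is ready."""
    problems = []
    meta = manifest.get("metadata") or {}
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}

    label_value = labels.get(CONFIDENTIAL_LABEL)
    if label_value is None:
        problems.append(f"missing label {CONFIDENTIAL_LABEL}: the Pod would be "
                        "scheduled as a regular, non-confidential Pod")
    elif isinstance(label_value, bool):
        problems.append(f"label {CONFIDENTIAL_LABEL} was parsed as a boolean; "
                        'quote the value ("yes") in YAML')
    elif label_value != "yes":
        problems.append(f'label {CONFIDENTIAL_LABEL} must be "yes", got {label_value!r}')

    uri = annotations.get(GALLERY_ANNOTATION)
    if uri is None:
        problems.append(f"missing annotation {GALLERY_ANNOTATION} with the "
                        "Shared Image Gallery URI of the confidential image")
    elif parse_gallery_uri(uri) is None:
        problems.append(f"annotation {GALLERY_ANNOTATION} is not a gallery "
                        f"image-version resource ID: {uri!r}")
    return problems


if __name__ == "__main__":
    pod = confidential_pod("myapp", "myregistry.azurecr.io/myapp:1.0", SAMPLE_GALLERY_URI)
    print(json.dumps(pod, indent=2))
    print("problems:", lint_confidential_pod(pod))
```

The lint runs offline, so it fits a CI step before kubectl apply. The boolean check matters in practice: a YAML author who writes io.anjuna/run-confidential: yes without quotes produces the boolean true, which is not the string "yes" the label requires, and the Pod would not be tagged as intended.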
Cluster Nodes are not required to support AMD SEV-SNP technology, or even to have AMD processors, because each confidential workload is deployed as a separate virtual machine rather than running on the node itself.
Note that regular Pods (i.e., non-confidential) can still be deployed to the cluster after the Anjuna Kubernetes Toolset is installed.
The following diagram illustrates the deployment flow of a new Confidential Pod:
Refer to Installing the Anjuna Kubernetes Toolset for instructions on installing the Anjuna Kubernetes Toolset to your cluster.
Refer to Deploying Pods as Anjuna Confidential Pods in AKS for tutorials on building, measuring, and deploying Anjuna Confidential Pods to a Kubernetes cluster.