Getting started with Kubernetes, Azure and AKS

By Chris Walden, Editor for TechNet UK

17/06/2022

A header showing a lock next to an illustration of Bit the Raccoon

Security is a key driver accelerating the adoption of cloud computing, but it’s also a major concern when you’re moving extremely sensitive IP and data scenarios to the cloud.

There are ways to secure data at rest and in transit, but you need to protect your data from threats as it’s being processed. Now you can. Confidential computing adds new data security capabilities using trusted execution environments (TEEs) or encryption mechanisms to protect your data while in use.

TEEs are hardware or software implementations that safeguard data being processed from access outside the TEE. The hardware provides a protected container by securing a portion of the processor and memory. Only authorised code is permitted to run and to access data, so code and data are protected against viewing and modification from outside of the TEE.

Confidential computing with Azure

While data is typically encrypted at rest and in transit, Azure confidential computing also protects your data while it’s being processed. You can share machine learning datasets with multiple sources without exposing proprietary data, and prevent unauthorised access to your data and code by isolating computations in a hardware-based TEE.

Confidential computing provides an additional layer of protection from potentially malicious insiders at a cloud provider, minimises the risk of data leaks and may even address some regulatory compliance needs.

It also enables several previously not possible use-cases. For example, customers in regulated industries can now collaborate together using sensitive partner or customer data to detect fraud scenarios, without giving the other party visibility into that data.

How it works for Kubernetes

You can get this additional layer of data protection for your Kubernetes workloads with the code running on the CPU with secure hardware enclaves. This can be done in just a few steps:

Use the open enclave SDK for confidential computing in code.
Create a Kubernetes cluster on hardware that supports Intel SGX.
Install the confidential computing device plugin into those virtual machines.

Kubernetes users can then schedule pods and containers that use the Open Enclave SDK onto hardware which support TEEs. The Open Enclave SDK was recently open sourced by Microsoft and made available to the Confidential Computing Consortium under the Linux Foundation for standardisation.

Azure Kubernetes Service (AKS)

Azure Kubernetes Service simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks like health monitoring and maintenance, and since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.

When you deploy an AKS cluster, the Kubernetes master and all nodes are deployed and configured for you. Advanced networking, Azure Active Directory integration, monitoring, and other features can be configured during the deployment process.