Attesting a dyneemes node

This tutorial demonstrates how to create attestation for multi-cloud Kubernetes.
Create a template
The first step will be to create a template for multi-cloud Kubernetes. You can refer to the "Create a dyneemes node template" tutorial for a better understanding of how to do this.
Create a namespace
The second step will be to create a namespace. This is a mandatory requirement for creating attestation. You can learn how to create and use namespaces in the documentation.
Register new workload
POST http://localhost:8200/v1/auth/ratls/attestation/create

For more detailed information on creating attestation, you can refer to the documentation. You need to create only one attestation for all nodes; every node then reports against the same instance.
Body (Name, Type, Description)

Example values used in this tutorial:
  f05d8808-547a-4e9a-9843-07c3f55b7e63
  http://localhost:3000/webhook (the webhook URL that receives the attestation result; see the end of this tutorial)
Headers
Response

200

{
  "request_id": "0bde6eee-f55b-e9a5-e1ba-7a382c6a0d50",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "instance": "77255d88-754c-42a3-954f-58fb86bf48a4"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Create a node
In this step, you must create a node with a configuration that supports confidential VMs. Before creating the node, you must add cloud-init, an example of which is shown below. The environment variables it sets are the attestation parameters read by the enclaivelet client:
ENV (Description, Value)

ENCLAIVE_SOURCE
  Description: The provider name that we specified during the measurement creation.
  Value: azure or aws

ENCLAIVE_INSTANCE
  Description: The "instance" field that we obtained during the attestation creation.
  Value: 77255d88-754c-42a3-954f-58fb86bf48a4

ENCLAIVE_RESOURCE
  Description: The name under which this node is reported (the "Resource" field of the webhook payload).
  Value: master-node | worker-node | ...

ENCLAIVE_FEATURES
  Description: k8s-control - Master Node; k8s-worker - Worker Node
  Value: k8s-control or k8s-worker
Azure

#cloud-config
runcmd:
  - |
    (
    set -eu
    apt-get update
    apt-get upgrade -y
    apt-get install -y docker.io curl gnupg2 systemd git openssh-server
    systemctl enable --now docker
    systemctl enable --now ssh
    # Kubernetes apt repository; the signing key is written before apt-get update runs again
    mkdir -p /etc/apt/keyrings
    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /" \
      | tee /etc/apt/sources.list.d/kubernetes.list
    curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key \
      | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
    apt-get update
    apt-get upgrade -y
    apt-get install -y kubeadm kubelet kubectl
    # Attestation parameters read by the enclaivelet client (see the table above).
    # All of them must be exported, otherwise the ./client process does not see them.
    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=azure
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a4
    export ENCLAIVE_RESOURCE=azure-node
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200
    export ENCLAIVE_DNS_NAME=$(curl -s ifconfig.me)
    export ENCLAIVE_FEATURES=k8s-control
    # Pick a downloader: curl was installed above, wget is the fallback.
    # -f makes curl fail on an HTTP error instead of saving the error page as "client".
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -fsSL -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"
    chmod +x client
    ./client
    )
AWS

#cloud-config
runcmd:
  - |
    (
    set -eu
    apt-get update
    apt-get upgrade -y
    apt-get install -y docker.io curl gnupg2 systemd git openssh-server
    systemctl enable --now docker
    systemctl enable --now ssh
    # Kubernetes apt repository; the signing key is written before apt-get update runs again
    mkdir -p /etc/apt/keyrings
    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /" \
      | tee /etc/apt/sources.list.d/kubernetes.list
    curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key \
      | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
    apt-get update
    apt-get upgrade -y
    apt-get install -y kubeadm kubelet kubectl
    # containerd must use the systemd cgroup driver for kubelet
    mkdir -p /etc/containerd/
    containerd config default \
      | sed 's/SystemdCgroup \= false/SystemdCgroup \= true/g' > /etc/containerd/config.toml
    systemctl restart containerd
    # Attestation parameters read by the enclaivelet client (see the table above).
    # All of them must be exported, otherwise the ./client process does not see them.
    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=aws
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a4
    export ENCLAIVE_RESOURCE=aws-node
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200
    export ENCLAIVE_DNS_NAME=$(curl -s ifconfig.me)
    export ENCLAIVE_FEATURES=k8s-worker
    # The SEV-SNP guest driver is needed to request the attestation report
    apt-get update -y
    apt-get install -y linux-modules-extra-$(uname -r)
    modprobe sev-guest
    # Pick a downloader: curl was installed above, wget is the fallback.
    # -f makes curl fail on an HTTP error instead of saving the error page as "client".
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -fsSL -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"
    chmod +x client
    ./client
    )
Once all the steps have been completed, the result of the attestation will be sent to the webhook you specified when creating the attestation. Below is an example of what is sent to the webhook. Ensure that the webhook accepts the HTTP POST method.
{
  "Success": true,
  "Message": "success",
  "Instance": "77255d88-754c-42a3-954f-58fb86bf48a5",
  "Resource": "azure-node",
  "Quote": "eyJWZXJzaWlE9PSJ9fQ=="
}
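A webhook receiver for this payload, added here as an example; it is not part of enclaive's code or of this tutorial. It listens on the URL from the Body table (http://localhost:3000/webhook), accepts POST only, and decides in evaluate_attestation_result whether a body counts as a successful attestation: all five fields present, Success is true, Instance equals the instance returned by attestation/create, Resource is one of the node names we expect, and Quote is well-formed base64. EXPECTED_INSTANCE and EXPECTED_RESOURCES are assumptions filled from the values used in this tutorial. Note that the sample webhook body above ends in ...48a5 while attestation/create returned ...48a4, so this check would reject that sample; a result for an instance you did not create is exactly what a receiver should not act on. The Quote is only checked for shape, because its format is not described on this page.

```python
import base64
import binascii
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values, taken from this tutorial: the "instance" returned by
# POST /v1/auth/ratls/attestation/create and the ENCLAIVE_RESOURCE names
# the cloud-init files above assign to the nodes.
EXPECTED_INSTANCE = "77255d88-754c-42a3-954f-58fb86bf48a4"
EXPECTED_RESOURCES = {"azure-node", "aws-node"}
WEBHOOK_PATH = "/webhook"


def evaluate_attestation_result(payload, expected_instance, expected_resources):
    """Return (accepted, reason) for one webhook body.

    accepted is True only if the body is complete, reports success, belongs to
    the attestation we created, names a known resource and carries a quote.
    """
    required = ("Success", "Message", "Instance", "Resource", "Quote")
    missing = [key for key in required if key not in payload]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if payload["Success"] is not True:
        return False, "attestation reported failure: %s" % payload["Message"]
    if payload["Instance"] != expected_instance:
        return False, "instance does not match the attestation we created"
    if payload["Resource"] not in expected_resources:
        return False, "unexpected resource name %r" % payload["Resource"]
    try:
        # validate=True rejects characters outside the base64 alphabet
        quote = base64.b64decode(payload["Quote"], validate=True)
    except (binascii.Error, ValueError):
        return False, "quote is not valid base64"
    if not quote:
        return False, "empty quote"
    return True, "ok"


class WebhookHandler(BaseHTTPRequestHandler):
    """Accepts the attestation result POSTed by the enclaivelet client."""

    def do_POST(self):
        if self.path != WEBHOOK_PATH:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        accepted, reason = evaluate_attestation_result(
            payload, EXPECTED_INSTANCE, EXPECTED_RESOURCES)
        # Record the decision; the sender only needs to know the POST arrived.
        self.log_message("attestation %s instance=%s resource=%s: %s",
                         "ACCEPTED" if accepted else "REJECTED",
                         payload.get("Instance"), payload.get("Resource"), reason)
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # The tutorial requires POST; nothing else is served here.
        self.send_response(405)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 3000), WebhookHandler).serve_forever()
```

The handler always answers 200 once it has parsed the body and records the accept/reject decision in its log, because whether the sender retries on a non-2xx status is not described here; anything that acts on the result (joining the node, issuing credentials) should key off the recorded decision, not off the fact that a POST arrived.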
Last updated 6 months ago