Attesting a dyneemes node

This tutorial demonstrates how to create an attestation for multi-cloud Kubernetes nodes and how to configure each node so that it attests itself to the Nitride service.

Create a template

The first step will be to create a template for multi-cloud Kubernetes. You can refer to the "Create a dyneemes node template" tutorial for a better understanding of how to do this.

Create a namespace

The second step will be to create a namespace. This is a mandatory requirement for creating attestation. You can learn how to create and use namespaces in the documentation.

Register a new workload

POST http://localhost:8200/v1/auth/ratls/attestation/create

For more detailed information on creating attestation, you can refer to the documentation. You need to create only one attestation for all nodes.

Body

Name       Type    Example value
template   string  f05d8808-547a-4e9a-9843-07c3f55b7e63
namespace  string  education
webhook    string  http://localhost:3000/webhook

Headers

Name           Value
X-Vault-Token  (your Vault token)

Response

{
    "request_id": "0bde6eee-f55b-e9a5-e1ba-7a382c6a0d50",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "instance": "77255d88-754c-42a3-954f-58fb86bf48a4"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}
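The registration call and its response, as an added Python example (not enclaive's own code): it builds the POST request with the X-Vault-Token header and the three body fields from the table, then validates the reply and returns data.instance, which is the value the node later needs as ENCLAIVE_INSTANCE. Assumptions not taken from the page: the token is read from the VAULT_TOKEN environment variable, and error replies use Vault's {"errors": [...]} shape.

```python
"""Register a workload with the Nitride attestation API and extract the
instance id. Added example, not enclaive's own code.

Assumptions (not from the tutorial): the Vault token comes from the
VAULT_TOKEN environment variable, and failures arrive as Vault-style
{"errors": [...]} bodies."""
import json
import os
import re
import urllib.request

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_create_request(nitride_url, token, template, namespace, webhook):
    """Return (url, headers, body) for POST /v1/auth/ratls/attestation/create."""
    if not webhook.startswith(("http://", "https://")):
        raise ValueError("webhook must be an absolute http(s) URL")
    for name, value in (("template", template), ("namespace", namespace)):
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    url = nitride_url.rstrip("/") + "/v1/auth/ratls/attestation/create"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    body = json.dumps({"template": template, "namespace": namespace, "webhook": webhook}).encode()
    return url, headers, body


def extract_instance(response_text):
    """Validate the create response and return data.instance.

    Raises RuntimeError on an error body or a malformed instance id, so a
    failed registration never silently yields an empty ENCLAIVE_INSTANCE."""
    doc = json.loads(response_text)
    if "errors" in doc:
        raise RuntimeError("attestation create failed: " + "; ".join(doc["errors"]))
    instance = (doc.get("data") or {}).get("instance")
    if not isinstance(instance, str) or not UUID_RE.match(instance):
        raise RuntimeError("response has no valid data.instance field")
    if doc.get("warnings"):
        print("warnings:", doc["warnings"])
    return instance


def register_attestation(nitride_url, template, namespace, webhook):
    """Perform the POST and return the instance id for ENCLAIVE_INSTANCE."""
    token = os.environ["VAULT_TOKEN"]  # assumption: token supplied via environment
    url, headers, body = build_create_request(nitride_url, token, template, namespace, webhook)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_instance(resp.read().decode())


# Response body as shown in the tutorial, kept here for offline checking
SAMPLE_RESPONSE = """{
  "request_id": "0bde6eee-f55b-e9a5-e1ba-7a382c6a0d50",
  "lease_id": "", "renewable": false, "lease_duration": 0,
  "data": {"instance": "77255d88-754c-42a3-954f-58fb86bf48a4"},
  "wrap_info": null, "warnings": null, "auth": null
}"""

if __name__ == "__main__":
    print(extract_instance(SAMPLE_RESPONSE))
```

Only register_attestation talks to the network; build_create_request and extract_instance are pure so they can be checked against the sample response without a running Nitride.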

Create a node

In this step, you must create a node with a configuration that supports confidential VMs. Before creating the node, you must add a cloud-init configuration that sets the environment variables in the table below and runs the enclaivelet client; an example follows the table.

ENV                 Description                                                        Value
ENCLAIVE_PROTOCOL                                                                      sev-snp
ENCLAIVE_SOURCE     The provider name that we specified during the measurement creation.  azure | aws | gcp ...
ENCLAIVE_INSTANCE   The "instance" field that we obtained during the attestation creation.  77255d88-754c-42a3-954f-58fb86bf48a4
ENCLAIVE_RESOURCE   Node name                                                          master-node | worker-node | ...
ENCLAIVE_NITRIDE    Nitride URL                                                        http://localhost:8200
ENCLAIVE_KEYSTORE   Vault URL                                                          http://localhost:8200
ENCLAIVE_DNS        IP Address                                                         13.74.123.67
ENCLAIVE_FEATURES   Node role: k8s-control (master node) or k8s-worker (worker node)   k8s-control | k8s-worker

#cloud-config
runcmd:
  - |
    (
    set -eu

    apt-get update
    apt-get upgrade -y
    apt-get install -y docker.io curl gnupg2 systemd git openssh-server
    systemctl enable --now docker
    systemctl enable --now ssh

    # Kubernetes apt repository (v1.28) and its signing key
    mkdir -p /etc/apt/keyrings
    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /" \
    | tee /etc/apt/sources.list.d/kubernetes.list
    curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key \
    | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
    apt-get update
    apt-get upgrade -y
    apt-get install -y kubeadm kubelet kubectl

    # Attestation settings read by the enclaivelet client (see the table above);
    # every variable must be exported so the client process can see it
    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=azure
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a4
    export ENCLAIVE_RESOURCE=azure-node
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200
    export ENCLAIVE_DNS_NAME=$(curl -s ifconfig.me)
    export ENCLAIVE_FEATURES=k8s-control

    # Pick a downloader: prefer curl, fall back to wget
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -s -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi

    # Fetch the enclaivelet client from Nitride and run it
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"
    chmod +x client
    ./client
    )

Once all the steps have been completed, the result of the attestation will be sent to the webhook you specified when creating the attestation. Below is an example of what is sent to the webhook. Ensure that the webhook accepts the HTTP POST method.

{
  "Success": true,
  "Message": "success",
  "Instance": "77255d88-754c-42a3-954f-58fb86bf48a5",
  "Resource": "azure-node",
  "Quote": "eyJWZXJzaWlE9PSJ9fQ=="
}
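A minimal receiver for that webhook, as an added Python example (not enclaive's own code). It accepts the HTTP POST, checks that the payload has the five fields shown above with the right types, that the Instance is one we registered, that Success is true, and that the Quote is decodable base64; anything else is rejected and logged rather than treated as a successful attestation. The listen port (3000, from the webhook URL used in the Body table), the EXPECTED_INSTANCES set and the sample payload's Quote value are constructed for this example.

```python
"""Receiver for the attestation-result webhook. Added example, not
enclaive's own code. Assumes the POST body is the JSON shown in the
tutorial; port, expected-instance set and sample Quote are constructed."""
import base64
import binascii
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Instance ids returned by attestation/create that are awaiting a result (constructed)
EXPECTED_INSTANCES = {"77255d88-754c-42a3-954f-58fb86bf48a4"}
REQUIRED = {"Success": bool, "Message": str, "Instance": str, "Resource": str, "Quote": str}


def check_result(raw_body, expected_instances):
    """Validate one webhook payload.

    Returns (accepted, reason, quote_bytes). A payload is accepted only when
    it is well-formed JSON with the expected fields, names an instance we
    registered, reports Success=true and carries a decodable, non-empty
    Quote. Every other case yields accepted=False and a reason to log."""
    try:
        doc = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return False, "body is not JSON", None
    if not isinstance(doc, dict):
        return False, "body is not a JSON object", None
    for key, typ in REQUIRED.items():
        if not isinstance(doc.get(key), typ):
            return False, f"missing or mistyped field {key}", None
    if doc["Instance"] not in expected_instances:
        return False, f"unknown instance {doc['Instance']}", None
    if not doc["Success"]:
        return False, f"attestation failed: {doc['Message']}", None
    try:
        quote = base64.b64decode(doc["Quote"], validate=True)
    except (binascii.Error, ValueError):
        return False, "Quote is not valid base64", None
    if not quote:
        return False, "Quote is empty", None
    return True, f"{doc['Resource']} attested", quote


class WebhookHandler(BaseHTTPRequestHandler):
    """Answers POST /webhook; 200 on an accepted result, 400 otherwise."""

    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        accepted, reason, _quote = check_result(self.rfile.read(length), EXPECTED_INSTANCES)
        print(("ACCEPT " if accepted else "REJECT ") + reason)
        self.send_response(200 if accepted else 400)
        self.end_headers()


# Constructed sample payload in the shape the tutorial shows; the Quote is
# base64 of the placeholder bytes b"sev-snp-quote", not a real SEV-SNP report
SAMPLE_PAYLOAD = json.dumps({
    "Success": True,
    "Message": "success",
    "Instance": "77255d88-754c-42a3-954f-58fb86bf48a4",
    "Resource": "azure-node",
    "Quote": "c2V2LXNucC1xdW90ZQ==",
}).encode()

if __name__ == "__main__":
    print(check_result(SAMPLE_PAYLOAD, EXPECTED_INSTANCES)[:2])
    HTTPServer(("127.0.0.1", 3000), WebhookHandler).serve_forever()
```

Keeping the decision in check_result, separate from the HTTP plumbing, lets the same validation run in tests and in the live handler; the decoded quote is returned so a caller can hand it to whatever verification step the deployment uses.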
