This page shows you how to use the Virtual Trusted Platform Module (vTPM) in your Confidential Google Kubernetes Engine (GKE) Standard regional clusters' workloads. For more information about vTPMs, refer to Using Shielded GKE Nodes.
Overview
With vTPM in Confidential GKE Nodes workloads, you can create clusters and expose vTPMs to their workloads. vTPMs provide platform integrity along with other security features such as remote attestation, secret sealing, and random number generation.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task,
install and then
initialize the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update
.
Requirements
vTPM in Confidential GKE Nodes workloads requires GKE version 1.26 and later.
Availability
You can use Confidential GKE Nodes under the following conditions:
In zones and regions with N2D instances or C2D instances available.
Node images using Container-Optimized OS with containerd (
cos_containerd
).
Create a Confidential GKE Nodes cluster
You can create a new cluster with Confidential GKE Nodes enabled by using the gcloud CLI or the Google Cloud console. If you enable Confidential GKE Nodes at cluster level, all the nodes in the cluster become Confidential VMs.
gcloud
When creating a new cluster, specify the --enable-confidential-nodes
option
in the following command:
gcloud container clusters create CLUSTER_NAME \
--machine-type=MACHINE_TYPE \
--enable-confidential-nodes
Replace the following:
- CLUSTER_NAME: the name of your new cluster.
- MACHINE_TYPE: the machine type for your cluster's default node pool, which must be either the N2D or C2D machine type.
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click add_box Create.
In the Standard section, click Configure.
In the navigation menu, under Cluster, click Security.
Select the Enable Confidential GKE Nodes checkbox.
For configuring other sections of the cluster, follow the instructions in Creating a regional cluster.
Click Create.
After creating a cluster with Confidential GKE Nodes, any node pools created in this cluster can only use confidential nodes. You can't create regular node pools in clusters with Confidential GKE Nodes enabled. You also can't disable Confidential GKE Nodes on individual node pools when you enable Confidential GKE Nodes at cluster level.
Run a vTPM in Confidential GKE Nodes workloads
To run vTPM in Confidential GKE Nodes workloads, Google provides a DaemonSet to apply to the Confidential GKE Nodes clusters. Run the following command to deploy the DaemonSet:
kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml
Configure Pods to see the vTPM
You use a resource limit to configure Pods to see vTPM. Specify the resource limit as 1 in a Pod specification using the following key-value pair
- Key:
google.com/cc
- Value: 1
An example of a Pod specification that uses vTPM:
apiVersion: v1
kind: Pod
metadata:
name: my-vtpm-pod
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 8080
name: http
resources:
limits:
google.com/cc: 1
What's next
- Learn more about Virtual Trusted Platform Module.