News

Microsoft Bolsters Kubernetes with Azure Confidential Computing

• By Kurt Mackie
• 11/19/2019

Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

Microsoft now offers "confidential computing" data protections for Kubernetes workloads in conjunction with Intel's hardware-based Software Guard Extensions solutions on Azure DC-Series virtual machines. It also released the Helm 3.0 package manager last month, which brings "Helm's permissions model, command-line switches, RBAC [role-based access control], and more in line with current Kubernetes implementations."

For instance, Tiller got removed with the release of Helm 3.0 because it didn't play well with Kubernetes 1.6 and its RBAC controls, a Helm FAQ explained. Helm was one of the Kubernetes tools that Microsoft acquired when it bought Deis more than two years ago.

Azure Confidential Computing Support
Confidential computing is an effort to encrypt workloads while they are being processed. It's done using a so-called "Trusted Execution Environment" (TEE), also known as "enclaves," which can be implemented via hardware or software.

Organizations might be interested in confidential computing to protect intellectual property or proprietary algorithms used on public cloud infrastructure, including Azure datacenters. It also helps organizations collaborate using sensitive data.

Microsoft had floated an early preview of confidential computing using Azure virtual machines about two years ago, but it's now ready for commercial use. "Today, we're enabling trusted computing on Kubernetes anywhere via the Open Enclave SDK," stated Brendan Burns, Distinguished Engineer for Microsoft Azure, in the announcement.

The Open Enclave SDK is Microsoft's kit for developers working with TEEs, which was subsequently released as an open source effort to the Linux Foundation's Confidential Computing Consortium, as Microsoft previously announced. Developers can use Intel's SGX SDK with TEEs, too.

Confidential computing protections on Azure DC-Series virtual machines happens via a virtual machine "plug-in," according to another Microsoft announcement:

With confidential computing for Kubernetes, customers can now get this additional layer of data protection for their Kubernetes workloads with the code running on the CPU with secure hardware enclaves. Use the open enclave SDK for confidential computing in code. Create a Kubernetes cluster on hardware that supports Intel SGX, such as the DC-series virtual machines running Ubuntu 16.04 or Ubuntu 18.04 and install the confidential computing device plugin into those virtual machines.

Burns added that Microsoft also released another plug-in that helps the Kubernetes scheduler.

"The number of enclaves on a CPU is limited, and this plugin [for the scheduler] ensures that Pods that need enclaves will be guaranteed to land on a node with an enclave available," Burns explained. "This scheduler support is critical to running trusted compute environments in cloud-native applications via Pods."

A Pod is a set of containers, according to this Redmondmag.com Kubernetes primer article.

Other Improvements
Burns described a few other Kubernetes enhancements.

Microsoft and Google are both getting behind adding both IPv4 and IPv6 addresses to Kubernetes Pods, described as "dual-stack" support. This effort aims to add support for a "larger cluster size, IoT edge and even dual-stack enabled hosted environments," according to a KubeCon keynote talk description. KubeCon is happening this week. The dual-stack support is requested by Internet of Things (IoT) and telecom service providers, according to Burns.

Microsoft also announced that the open source Kubernetes-Based Event-Driven Autoscaling (KEDA) 1.0 solution, built in collaboration with Red Hat, is "ready for use in production." Kubernetes automatically scales based on system measures, such as memory and CPU use, Microsoft explained. Now, with KEDA, it's possible to scale apps in Kubernetes based on events.

Currently, KEDA supports "13 event sources, including Azure Queues, Azure Event Hubs, AWS SQS, Google Cloud PubSub, RabbitMQ, NATS Streaming, Kafka, and more," Microsoft indicated. Red Hat OpenShift 4 support is getting added as well.

The open source Dapr solution for porting applications using microservices between cloud and edge computing scenarios reached version 0.2.0, Microsoft added. Dapr is a distributed application runtime that runs on Kubernetes, PCs or IoT devices, or it can be injected as a container into any system.

Burns also noted that "Azure Monitor for containers can scrape the metrics exposed from Prometheus end-points so you can quickly gather failure rates, response per secs, and latency." Prometheus is an open source monitoring solution that Microsoft announced in July had been integrated with the Azure Kubernetes Service to provide greater insights into workloads.

Burns also touted a new Brigade Universal Controller for Kubernetes project, known as "BUCK," for handling "Cloud Native Application Bundles (CNAB) with Brigade." Brigade is "a tool for constructing workloads in Kubernetes using JavaScript," per Microsoft. It's used to build continuous integration/continuous development pipelines for developers. BUCK, on the other hand, is used to "listen on the Kubernetes event stream for events related to that custom resource," which can then be used to build Kubernetes controllers, Microsoft explained.