
feat: add autopilot confidential nodes example #2289


Open
wants to merge 9 commits into
base: main

Conversation

arthurlapertosa
Contributor

No description provided.

@arthurlapertosa arthurlapertosa marked this pull request as ready for review February 20, 2025 20:12
@arthurlapertosa arthurlapertosa requested review from apeabody, ericyz and a team as code owners February 20, 2025 20:12
Collaborator

@apeabody apeabody left a comment


Thanks @arthurlapertosa - A few minor notes.


@erlanderlo erlanderlo left a comment


Nice work. Please see some comments.

"state" : "ENCRYPTED"
}
]


Consider a way to specify a persistent volume claim using Confidential mode for Hyperdisk.
https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes#creating_chd_pv

Contributor Author

@arthurlapertosa arthurlapertosa Feb 25, 2025


Hey, @erlanderlo. Thanks for the review! I didn't find a way to specify a persistent volume claim using confidential mode for hyperdisk. I took a look at https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#gce_persistent_disk_csi_driver_config-1 but it doesn't appear to have a way to specify that gce_persistent_disk_csi_driver_config be on Confidential mode.
We can create the boot disk to be Hyperdisk-balanced (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#disk_type-1), but also, I couldn't find a way to specify that it must be Confidential.
Would you know how to specify the hyperdisk to be confidential? When enabling Confidential GKE nodes, doesn't it automatically make the disk Confidential?

Member


@arthurlapertosa

I believe you can create the storage class and then create PVCs using confidential mode, if they are using the specified storage class

resource "kubernetes_storage_class" "balanced_storage" {
  metadata {
    name = "balanced-storage"
  }

  # The kubernetes provider's attribute is storage_provisioner, not provisioner.
  # pd.csi.storage.gke.io is the GKE Compute Engine persistent disk CSI driver.
  storage_provisioner = "pd.csi.storage.gke.io"

  # Delay provisioning until a Pod using the PVC is scheduled, so the disk is
  # created in the zone where the consumer actually runs.
  volume_binding_mode = "WaitForFirstConsumer"

  allow_volume_expansion = true

  parameters = {
    type                             = "hyperdisk-balanced"
    provisioned-throughput-on-create = "250Mi"
    provisioned-iops-on-create       = "7000"
    # Confidential mode for Hyperdisk Balanced; every PVC bound to this class
    # inherits it. Requires a customer-managed Cloud KMS key (placeholder path).
    enable-confidential-storage      = "true"
    disk-encryption-kms-key          = "projects/KMS_PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY_NAME"
  }
}

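The storage class above only becomes useful once a claim names it; as an added example (not part of this PR or the module), the following Terraform creates a PersistentVolumeClaim bound to that class and a Pod that mounts it, so the provisioned Hyperdisk inherits Confidential mode and the KMS key from the class. The resource names, the 10Gi size, and the container image placeholder are assumptions for illustration.

```hcl
# Added example, not from the PR: a PVC on the confidential storage class and
# a consumer Pod. Names, size and image below are illustrative assumptions.
resource "kubernetes_persistent_volume_claim" "confidential_data" {
  metadata {
    name = "confidential-data"
  }

  spec {
    # Referencing the class is what makes the volume confidential: the PD CSI
    # driver reads enable-confidential-storage and disk-encryption-kms-key
    # from the class parameters at provisioning time.
    storage_class_name = kubernetes_storage_class.balanced_storage.metadata[0].name
    access_modes       = ["ReadWriteOnce"]

    resources {
      requests = {
        storage = "10Gi"
      }
    }
  }

  # The class uses WaitForFirstConsumer, so the PVC stays Pending until a Pod
  # schedules. Without this, terraform apply would block waiting for Bound.
  wait_until_bound = false
}

resource "kubernetes_pod" "confidential_workload" {
  metadata {
    name = "confidential-workload"
  }

  spec {
    container {
      name  = "app"
      image = "REPLACE_WITH_YOUR_IMAGE" # placeholder, not a real image

      volume_mount {
        name       = "data"
        mount_path = "/data"
      }
    }

    volume {
      name = "data"

      persistent_volume_claim {
        claim_name = kubernetes_persistent_volume_claim.confidential_data.metadata[0].name
      }
    }
  }
}
```

Because the confidential and KMS settings live on the StorageClass rather than on each claim, restricting which classes workloads may use (for example, making this the cluster default and removing non-confidential classes) is the lever that guarantees every new volume is created in Confidential mode.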
Contributor Author


The example adding a confidential hyperdisk is: #2311.
Do you think it's a good idea to add a hyperdisk here too?
Is it possible to manually add node pools to GKE autopilot?

Collaborator


@arthurlapertosa - Let me know when this PR is ready for re-review. Thanks!

@arthurlapertosa arthurlapertosa force-pushed the confidential-autopilot-example branch from c91e999 to e3cf206 Compare February 25, 2025 21:46
@apeabody apeabody self-assigned this Feb 28, 2025
@apeabody apeabody removed their assignment Mar 27, 2025
@arthurlapertosa
Contributor Author

@apeabody this PR is ready for a re-review. Thanks!

@apeabody
Collaborator


Thanks - Once #2352 is resolved, I'll review this PR.

@apeabody
Collaborator

Hi @arthurlapertosa - Can you please run make docker_generate_docs and update the PR. Thanks!
