SC2 is a system to run serverless functions in confidential containers. It is deployed on a Kubernetes cluster on top of Knative, and builds on the Confidential Containers project.
SC2 currently supports AMD SEV-SNP and Intel TDX as the underlying TEE, and requires deployment on a bare-metal host. Before moving forward, make sure the host's TEE support is installed correctly. For SEV-SNP you may use `snphost ok`.
Lastly, make sure you are using the exact host kernel:

| SEV-SNP | TDX |
|---|---|
| 6.8.0-rc5-next-20240221-snp-host-cc2568386 | 6.8.0-1004-intel |
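A pre-flight check for this kernel requirement, added here as an example and not part of the SC2 repository or its `bin/workon.sh`: it detects the host TEE and compares `uname -r` against the table above. The function names and the `/proc/cpuinfo` flag names used for detection (`sev_snp`, `tdx_host_platform`) are this example's assumptions, not how SC2 itself detects the TEE.

```bash
#!/usr/bin/env bash
# Added pre-flight helper, not part of the SC2 repository: checks that the host
# runs the exact kernel SC2 expects for the detected TEE (table above).
# Assumption: TEE detection via /proc/cpuinfo flags ("sev_snp" on SEV-SNP hosts,
# "tdx_host_platform" on TDX hosts); bin/workon.sh may detect the TEE differently.

SC2_SNP_KERNEL="6.8.0-rc5-next-20240221-snp-host-cc2568386"
SC2_TDX_KERNEL="6.8.0-1004-intel"

# detect_tee_from_flags FLAGS -> prints "snp", "tdx" or "none"
detect_tee_from_flags() {
    case " $1 " in
        *" sev_snp "*) echo snp ;;
        *" tdx_host_platform "*) echo tdx ;;
        *) echo none ;;
    esac
}

# expected_kernel TEE -> prints the kernel release SC2 expects for that TEE
expected_kernel() {
    case "$1" in
        snp) echo "$SC2_SNP_KERNEL" ;;
        tdx) echo "$SC2_TDX_KERNEL" ;;
        *) return 1 ;;
    esac
}

# check_host_kernel TEE KERNEL_RELEASE -> 0 only on an exact match
check_host_kernel() {
    local want
    want=$(expected_kernel "$1") || return 1
    [ "$2" = "$want" ]
}

# sc2_preflight CPUINFO_FILE KERNEL_RELEASE -> prints a verdict, exit 0 only if OK
sc2_preflight() {
    local flags tee
    flags=$(grep '^flags' "$1" | head -n 1 | cut -d: -f2)
    tee=$(detect_tee_from_flags "$flags")
    if [ "$tee" = none ]; then
        echo "FAIL: no sev_snp / tdx_host_platform flag in $1"; return 1
    fi
    if check_host_kernel "$tee" "$2"; then
        echo "OK: $tee host on expected kernel $2"
    else
        echo "FAIL: $tee host runs $2, SC2 expects $(expected_kernel "$tee")"; return 1
    fi
}
# On a real host: sc2_preflight /proc/cpuinfo "$(uname -r)"
```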
To get started with SC2, clone this repository and run:

```bash
# This shell script will auto-detect the installed TEE (TDX or SNP)
source ./bin/workon.sh
# The following will call `sudo` under the hood
inv sc2.deploy [--debug] [--clean]
```

The previous command will: install a single-node k8s cluster with CoCo, install Knative, and install SC2.
> **Warning**
> Deploying SC2 will patch many components of the system like `containerd`, `docker`, `nydus-snapshotter`, and `kata`. We recommend installing on a fresh host and, potentially, using the `--clean` flag.
You can now check that everything is running by running a simple hello world:

```bash
# Use qemu-tdx-sc2 for TDX
export SC2_RUNTIME_CLASS=qemu-snp-sc2
# Knative demo
envsubst < ./demo-apps/helloworld-knative/service.yaml | kubectl apply -f -
curl $(kubectl get ksvc helloworld-knative --output=custom-columns=URL:.status.url --no-headers)
# Non-Knative demo
envsubst < ./demo-apps/helloworld-py/deployment.yaml | kubectl apply -f -
curl $(kubectl get services -o jsonpath='{.items[?(@.metadata.name=="coco-helloworld-py-node-port")].spec.clusterIP}'):8080
```

For more complex applications and workloads, please check our applications and experiments.
After you are done using SC2, you may completely remove the cluster by running:

```bash
inv sc2.destroy [--debug]
```
For further documentation, you may want to check these other documents:
- Attestation - instructions to set-up remote attestation in SC2.
- CoCo Upgrade - upgrade the current CoCo version.
- Guest Components - instructions to patch components inside SC2 guests.
- Host Kernel - bump the kernel version in the host.
- K8s - documentation about configuring a single-node Kubernetes cluster.
- Kata - instructions to build our custom Kata fork and initrd images.
- Key Broker Service - docs on using and patching the KBS.
- Knative - documentation about Knative, our serverless runtime of choice.
- Local Registry - configuring a local registry to store OCI images.
- OVMF - notes on building OVMF and CoCo's OVMF boot process.
- SEV - specific documentation to get the project working with AMD SEV machines.
- Troubleshooting - tips to debug when things go sideways.