Google Adds Kubernetes Support to Confidential Computing

TL;DR: You can now run Kubernetes on Confidential VMs from Google.


Today (08.09.2020, translator's note), at its Cloud Next OnAir event, Google announced the expansion of its product line with the launch of a new service.

Confidential GKE nodes add more privacy to workloads running on Kubernetes. In July, the first product in the line, Confidential VMs, was introduced, and today these virtual machines are already publicly available to everyone.

Confidential Computing is a new approach that keeps data encrypted while it is being processed. This is the last link in the data encryption chain, since cloud service providers already encrypt data at rest and in transit. Until recently, data had to be decrypted for processing, and many experts see this as a clear gap in data encryption.

Google's Confidential Computing initiative is based on a collaboration with the Confidential Computing Consortium, an industry group that promotes the concept of Trusted Execution Environments (TEEs). A TEE is a secure part of the processor in which the loaded data and code are encrypted, so that other parts of the same processor cannot access this information.

Google's Confidential VMs are N2D virtual machines running on AMD's second-generation EPYC processors, which use Secure Encrypted Virtualization (SEV) to isolate virtual machines from the hypervisor they run on. The data is guaranteed to remain encrypted regardless of how it is used: in ordinary workloads, analytics, or queries for training artificial intelligence models. These virtual machines are designed for any company that works with sensitive data in regulated areas such as banking.

Perhaps more significant is the announcement of the upcoming beta of Confidential GKE nodes, which Google says will arrive in release 1.18 of Google Kubernetes Engine (GKE). GKE is a managed, production-ready environment for running containers, which host the components of modern applications and can run across multiple computing environments. Kubernetes is the open source orchestration tool used to manage these containers.

The addition of Confidential GKE nodes provides more privacy when running GKE clusters. When adding a new product to the Confidential Computing line, we wanted to provide a new level of privacy and portability for containerized workloads. Built on the same technology as Confidential VMs, Google's Confidential GKE nodes allow you to encrypt in-memory data with a per-node unique encryption key generated and managed by the AMD EPYC processor. These nodes will use hardware-based memory encryption based on AMD's SEV feature, which means that your workloads running on such nodes will be encrypted while they are running.

Sunil Potti and Eyal Manor, Cloud Engineers, Google

With Confidential GKE nodes, customers can configure GKE clusters to run node pools on Confidential VMs. Simply put, any workloads running on such nodes will have their data encrypted while it is being processed.

Many enterprises need even more privacy when using public cloud services than for on-premise workloads running in-house to protect against intruders. Google Cloud is expanding its line of Confidential Computing to raise this bar by providing users with the ability to provide privacy for GKE clusters. And given the popularity of Kubernetes, this is a key step forward for the industry, giving companies more options to securely host next-generation applications in the public cloud.

Holger Mueller, Analyst at Constellation Research.

Note: On September 28-30 our company runs the updated intensive course Kubernetes Base, for those who do not yet know Kubernetes but want to get acquainted with it and start working with it. After that, on October 14-16, we run the updated Kubernetes Mega for experienced Kubernetes users who need to know all the latest practical solutions for working with recent Kubernetes versions and the possible pitfalls. At Kubernetes Mega we will examine, in theory and in practice, the subtleties of installing and configuring a production-ready cluster ("the-not-so-easy-way") and the mechanisms for ensuring security and application fault tolerance.

Among other things, Google said that Confidential VMs gain several new features as they become generally available today. For example, audit reports are now available that contain detailed logs of the integrity check of the AMD Secure Processor firmware used to generate the keys for each Confidential VM instance.

There are also more controls for setting specific access rights, and Google has added the ability to disallow any non-confidential virtual machine in a given project. Google also combines Confidential VMs with its other privacy mechanisms.

You can use a combination of shared VPCs with firewall rules and organizational policy restrictions to ensure that Confidential VMs can communicate with other Confidential VMs, even if they are running in different projects. In addition, you can use VPC Service Controls to set the GCP resource realm for your Confidential VMs.

Sunil Potti and Eyal Manor
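As an added illustration of the project-level "no non-confidential VMs" control and the Confidential GKE node pools described above (example code written for this page, not Google's tooling or the article's own): a small audit that reads instance and cluster descriptions and flags anything that would not run under SEV. The field names (`confidentialInstanceConfig.enableConfidentialCompute`, `confidentialNodes.enabled`, `nodePools[].config.machineType`) are assumed to follow the Compute Engine and GKE API resource shapes, and the sample records are constructed here, not real output.

```python
import json

# Machine family the article names for Confidential VMs (AMD EPYC with SEV).
SEV_FAMILIES = {"n2d"}

# Constructed sample records in the shape of `gcloud ... --format=json`; not real data.
SAMPLE_INSTANCES = json.loads("""[
 {"name": "payments-db-1",
  "machineType": "zones/europe-west4-a/machineTypes/n2d-standard-8",
  "confidentialInstanceConfig": {"enableConfidentialCompute": true}},
 {"name": "batch-worker-3",
  "machineType": "zones/europe-west4-a/machineTypes/n2-standard-4"},
 {"name": "legacy-web-2",
  "machineType": "zones/europe-west4-a/machineTypes/e2-medium",
  "confidentialInstanceConfig": {"enableConfidentialCompute": false}}
]""")

SAMPLE_CLUSTER = json.loads("""{
 "name": "regulated-gke",
 "confidentialNodes": {"enabled": true},
 "nodePools": [
  {"name": "default-pool", "config": {"machineType": "n2d-standard-4"}},
  {"name": "gpu-pool", "config": {"machineType": "n1-standard-8"}}
 ]
}""")

def machine_family(machine_type: str) -> str:
    """'zones/x/machineTypes/n2d-standard-4' or 'n2d-standard-4' -> 'n2d'."""
    return machine_type.rsplit("/", 1)[-1].split("-", 1)[0]

def audit_instances(instances):
    """Flag VMs that a 'Confidential VMs only' policy for the project would forbid."""
    findings = []
    for inst in instances:
        cfg = inst.get("confidentialInstanceConfig") or {}
        if not cfg.get("enableConfidentialCompute"):
            findings.append((inst["name"], "confidential compute not enabled"))
        elif machine_family(inst["machineType"]) not in SEV_FAMILIES:
            findings.append((inst["name"], "machine family without SEV support"))
    return findings

def audit_cluster(cluster):
    """Flag a GKE cluster whose node pools would not run as Confidential GKE nodes."""
    findings = []
    if not (cluster.get("confidentialNodes") or {}).get("enabled"):
        findings.append((cluster["name"], "confidentialNodes not enabled"))
    for pool in cluster.get("nodePools", []):
        if machine_family(pool["config"]["machineType"]) not in SEV_FAMILIES:
            findings.append((pool["name"], "node pool machine family without SEV support"))
    return findings
```

Run `audit_instances(SAMPLE_INSTANCES)` and `audit_cluster(SAMPLE_CLUSTER)` over real `describe`/`list` JSON to get the same (name, reason) findings for a live project.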

Source: habr.com
