github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-10-21 15:31:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

update according to comments

Browse Source 
Signed-off-by: hairongchen <hairong.chen@intel.com>
This commit is contained in:
hairongchen
2023-01-13 10:03:48 +08:00
committed by Fabiano Fidêncio
parent 019e9fb93b
commit f381a4a594
1 changed files with 13 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
quickstart.md
View File

@@ -112,9 +112,16 @@ Details on each of the runtime classes:
- *kata-qemu-tdx* - using QEMU, with TDVF, and support for Intel TDX CC HW
- *kata-qemu-sev* - using QEMU, and support for AMD SEV HW
For the process based CoCo TEE (aka. `enclave-cc`) the operator setup steps are the same but instead
of `ccruntime.yaml`, either `ccruntime-enclave-cc-sim.yaml` or `ccruntime-enclave-cc.yaml` for the
**simulated** SGX mode build or **hardware** SGX mode build, respectively, should be used.
For the process based CoCo TEE (aka. `enclave-cc`) the operator setup steps are the same and the custom resources
can be deployed using either
```
kubectl apply -k github.com/confidential-containers/operator/config/samples/enclave-cc/sim?ref=<RELEASE_VERSION>
```
or
```
kubectl apply -k github.com/confidential-containers/operator/config/samples/enclave-cc/hw?ref=<RELEASE_VERSION>
```
for the **simulated** SGX mode build or **hardware** SGX mode build, respectively.
These result in a `RuntimeClass` as follows:
@@ -187,17 +194,9 @@ root@cluster01-master-0:/home/ubuntu# crictl -r unix:///run/containerd/contain
## Creating a sample Coco workload using enclave-cc
Following the previous example that used the `kata` runtime class, we setup a sample *hello world*
workload with an encrypted and cosign signed image using the `enclave-cc` runtime class.
For the process based CoCo TEE (aka. `enclave-cc`) the operator setup steps are the same and the custom resources
can be deployed using either
```
kubectl apply -k github.com/confidential-containers/operator/config/samples/enclave-cc/sim?ref=<RELEASE_VERSION>
```
or
```
kubectl apply -k github.com/confidential-containers/operator/config/samples/enclave-cc/hw?ref=<RELEASE_VERSION>
```
for the **simulated** SGX mode build or **hardware** SGX mode build, respectively.
workload with an encrypted and cosign signed container image using the `enclave-cc` runtime class for process based TEEs.
The deployment below assumes the hardware SGX mode build is installed by the operator. To try on a non-TEE system, please
use simulate SGX mode build.
The example uses a trivial hello world C application:
```