Embrace, Extend, and… Enclave? Microsoft guards Kubernetes' privates with TEEs

Kubecon 2019 Microsoft had a quiet Kubecon, with technology such as Azure Arc conspicuous by its absence as the company continued its efforts to be a good open source citizen.

Having built up a head of steam at its Ignite event with Arc, Gabe Monroy (director for Microsoft's Azure Application Platform) told The Register, "We'd rather focus our time here, you know, on other areas, but also importantly on community stuff," adding: "Promoting individual proprietary projects is not a thing that I'm super keen on doing at this event."

Indeed, Sarah Novotny, recently appointed "Open Source Wonk" for the Azure Office, remarked that having managed to avoid the Beast of Redmond for the last 20 years before signing up in May, she'd found the "know it all culture" that had previously pervaded the company had been replaced by what she described as "humbleness" as the Windows giant sought to build bridges with developers.

Of course, that didn't stop Lachlan Evenson, principal program manager for Azure, bounding up on stage to the strains of Men at Work's "Down Under" (no, we don't know why tech conferences feel the need for five-second jingle for every... single speaker) and asking the audience for a cheer as he unveiled this week's major Microsoft contribution to the Kubernetes project: Confidential Computing.

Guard your privates

The confidential computing initiative is all about keeping data private, not just at rest or in flight, but also while in memory during processing. With not a jot of irony, Intel is also involved via Chipzilla's Software Guard Extensions (SGX) hardware.

The theory is that data isolation during processing should happen within the hardware itself, in Trusted Execution Environments (TEEs) or "enclaves".

The Linux Foundation had already signed up Windows giant (among others) to its Confidential Computing Consortium back in August, with Microsoft contributing the Open Enclave SDK. That SDK can now be used inside containers to create enclaves for computations safe from prying eyes.

Giving a pod access to a TEE is a simple matter of adding a few lines to the pod specification specifying how much of the Intel SGX Encrypted Page Cache (EPC) is to be advertised to the Kubernetes scheduler.

While it naturally works very well (and is available today) for AKS Engine clusters on Azure, Monroy was at pains to tell us that users didn't have to be a customer of Microsoft's cloud. "It was critical, " he said, "that the tech we developed was useable on any Kubernetes anywhere." Assuming, of course, the requisite silicon is available.

"We just made it easier to use on Azure."

KEDA grows up, events get cloudy and stacks double up

Enclaves aside, Microsoft has also shoehorned support for both IPv4 and IPv6 address for the same Pods in Kubernetes (currently in alpha for Kubernetes 1.16, so tread carefully) and enthusiastically trumpeted Helm 3.0, which was released last week. To cheers from the Kubecon audience, the removal of Tiller was highlighted as well as a glowing security scorecard for the package manager.

Also emerging from the shadows was the Kubernetes-based Event Driven Autoscaler (KEDA), which first nosed its way into the light back in May and has now hit the version 1.0 milestone.

The tech can help Kubernetes scale apps up from and down to zero to keep CPU usage under control and when paired up with the open-sourced Azure Functions runtime opens up some intriguing serverless possibilities.

The model, according to principal PM manager for Azure Serverless, Jeff Hollan, "provides a programming model that can run anywhere: in a container running on-premises, fully managed in Azure, or in any Kubernetes cluster." The latter point is particularly interesting for those who would prefer to pick and choose their own cloud.

Hollan added that the team was in the process of nominating and donating KEDA to the CNCF as a sandbox project and said, "We believe that the best products are made in an open and inclusive way." Who are you, and what have you done with Microsoft?

Finally, support for the CNCF's CloudEvents v1.0 was added to the Azure Event Grid in order to simplify publishing and consuming cloud-based events over multiple cloud providers. ®