strieflin closed 1 year ago
Using a PodTemplate would allow for maximum flexibility. The values of the pod template must be merged with the Klyshko-generated values.
Since using a full-fledged K8s API PodTemplate bears a lot of technical risks due to the very broad range of customization options, I have introduced a tailored extension of the TupleGenerator CRG that allows for customizing a very limited set of aspects only. This includes: affinity, image, imagePullPolicy, and resources. This set can be extended if required. The implementation is available in #86.
Deploying a TEE-protected CRG requires deploying the CRG pod on a K8s node with confidential computing support. This can be done using node affinity / pools (see here for an example). It could also be required for, e.g., cryptographic offline phases that require high-performance I/O.