confidential-containers / operator

Operator to deploy confidential containers runtime
Apache License 2.0

Detect confidential computing capabilities of the cluster node #24

Open bpradipt opened 2 years ago

bpradipt commented 2 years ago

This issue is to track the work required for the operator to detect the node capability w.r.t. SEV/TDX/SGX/SE/PEF.

Also adding a reference to k8s node-feature-discovery - https://github.com/kubernetes-sigs/node-feature-discovery/

mythi commented 2 years ago

the work required for operator to detect the node capability

How we do this with SGX is that our SgxDevicePlugin CRD has a field for nodeSelector that gets added to a DaemonSet. The labels are created using NFD, plus we install a custom NFD source hook for additional SGX specific labels.

Would this pattern work for CcRuntime too?
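
The pattern described above, as an added example that is not part of this issue thread or the operator's code: the detection side derives NFD-style node labels from constructed /proc/cpuinfo flags and sysfs/device files, and the operator side builds the DaemonSet nodeSelector and checks whether a node would be scheduled. The label keys and the sysfs paths consulted are assumptions modelled on NFD's cpu-security labels; verify them against the NFD release you deploy. All hosts and file contents are constructed inline so the code runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Label keys modelled on NFD's cpu-security labels (assumed; check your NFD version).
const (
	labelSGX = "feature.node.kubernetes.io/cpu-security.sgx.enabled"
	labelTDX = "feature.node.kubernetes.io/cpu-security.tdx.enabled"
	labelSEV = "feature.node.kubernetes.io/cpu-security.sev.enabled"
	labelSE  = "feature.node.kubernetes.io/cpu-security.se.enabled"
)

// Host is the view of a node that detection needs. File access is injected so
// the logic runs against constructed data; on a real node wrap os.ReadFile/os.Stat.
type Host struct {
	CPUInfo  string
	ReadFile func(path string) (string, bool)
	Exists   func(path string) bool
}

// FakeHost builds a Host from constructed /proc/cpuinfo text and a path->contents
// map standing in for /dev and /sys.
func FakeHost(cpuinfo string, files map[string]string) Host {
	return Host{
		CPUInfo:  cpuinfo,
		ReadFile: func(p string) (string, bool) { v, ok := files[p]; return v, ok },
		Exists:   func(p string) bool { _, ok := files[p]; return ok },
	}
}

// cpuFlags collects the tokens of the "flags" (x86) or "features" (s390x) lines.
func cpuFlags(cpuinfo string) map[string]bool {
	flags := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(cpuinfo))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		if k := strings.TrimSpace(key); k != "flags" && k != "features" {
			continue
		}
		for _, f := range strings.Fields(val) {
			flags[f] = true
		}
	}
	return flags
}

// sysfsEnabled reports whether a sysfs parameter file reads "Y" or "1".
func (h Host) sysfsEnabled(path string) bool {
	v, ok := h.ReadFile(path)
	v = strings.TrimSpace(v)
	return ok && (v == "Y" || v == "1")
}

// DetectLabels derives labels the way an NFD source hook would. A label is set
// only when the CPU advertises the feature AND the kernel has it enabled: SEV
// hardware with kvm_amd loaded as sev=0 gets no label, and an "sgx" cpuid flag
// without the in-kernel driver's /dev/sgx_enclave gets none either.
func DetectLabels(h Host) map[string]string {
	flags := cpuFlags(h.CPUInfo)
	labels := map[string]string{}
	if flags["sgx"] && h.Exists("/dev/sgx_enclave") {
		labels[labelSGX] = "true"
	}
	if flags["sev"] && h.sysfsEnabled("/sys/module/kvm_amd/parameters/sev") {
		labels[labelSEV] = "true"
	}
	// TDX host support has no stable cpuinfo flag across kernels; use the module parameter.
	if h.sysfsEnabled("/sys/module/kvm_intel/parameters/tdx") {
		labels[labelTDX] = "true"
	}
	// IBM Z Secure Execution: the ultravisor exposes host support in sysfs.
	if h.sysfsEnabled("/sys/firmware/uv/prot_virt_host") {
		labels[labelSE] = "true"
	}
	return labels
}

// NodeSelectorFor is the operator side: the nodeSelector put on the runtime
// DaemonSet for a TEE. Unknown TEEs return nil, never an empty selector, since
// an empty nodeSelector matches every node in the cluster.
func NodeSelectorFor(tee string) map[string]string {
	keys := map[string]string{"sgx": labelSGX, "tdx": labelTDX, "sev": labelSEV, "se": labelSE}
	key, ok := keys[tee]
	if !ok {
		return nil
	}
	return map[string]string{key: "true"}
}

// Schedulable reports whether a node with these labels satisfies the selector,
// i.e. whether the DaemonSet pod would land on it. A nil selector fails closed.
func Schedulable(labels, selector map[string]string) bool {
	if selector == nil {
		return false
	}
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

func main() {
	// Constructed nodes: an AMD host with SEV enabled, and an Intel host whose CPU
	// reports sgx but where the SGX driver (and thus /dev/sgx_enclave) is absent.
	sev := FakeHost("flags\t\t: fpu sev sev_es\n", map[string]string{"/sys/module/kvm_amd/parameters/sev": "Y\n"})
	sgxNoDriver := FakeHost("flags\t\t: fpu sgx\n", nil)
	for name, h := range map[string]Host{"sev-host": sev, "sgx-no-driver": sgxNoDriver} {
		l := DetectLabels(h)
		fmt.Printf("%s labels=%v sev-runtime-schedulable=%v\n", name, l, Schedulable(l, NodeSelectorFor("sev")))
	}
}
```

The two-gate rule (hardware flag plus kernel enablement) is the part worth keeping: a label that reflects only cpuid would let the operator roll the confidential runtime onto a node where the TEE cannot actually launch guests.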

hbrueckner commented 1 year ago

FYI, for Secure Execution there is also an NFD PR to detect it: https://github.com/kubernetes-sigs/node-feature-discovery/pull/790

fidencio commented 1 year ago

So, SE, SGX, and TDX are already supported by the NFD. SEV-* support is still missing there, and by the time it gets added we should rely on NFD for properly labelling the nodes.

ariel-adam commented 1 year ago

@bpradipt is this issue still relevant or can be closed? If it's still relevant to what release do you think we should map it to (mid-November, end-December, mid-February etc...)?

fidencio commented 1 year ago

This issue is still relevant, see the comment from 6 days ago: https://github.com/confidential-containers/operator/issues/24#issuecomment-1269655667

I don't think this is material for this coming release, though, so I'm labelling it for the future ones.

ariel-adam commented 1 year ago

@fidencio should I remove this out of the upcoming V0.3.0 release (22nd of January)?

ariel-adam commented 1 year ago

Following comments from @fidencio moving to V0.4.0

fidencio commented 1 year ago

I'll drop this one from v0.8.0, and make sure we get it in as part of v0.9.0.

The reason for that being that TDX would be the one to benefit the most from this at this point, but our CCv0 CI has a kernel that is way too old and doesn't help us here. So, I'm postponing this to be part of the merge to main, so we can take advantage of a newer kernel there.