https://github.com/google/cc-device-plugin
A Kubernetes device plugin that exposes Confidential Computing devices to workloads in Google Kubernetes Engine (GKE) clusters.
- Host: GitHub
- URL: https://github.com/google/cc-device-plugin
- Owner: google
- License: apache-2.0
- Created: 2024-03-07T20:56:02.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2026-02-13T00:56:35.000Z (30 days ago)
- Last Synced: 2026-02-23T16:40:14.178Z (19 days ago)
- Topics: confidential-computing, device-plugin, gcp, gke, golang, google, kubernetes, remote-attestation
- Language: Go
- Homepage: https://cloud.google.com/security/products/confidential-computing
- Size: 23.4 KB
- Stars: 6
- Watchers: 1
- Forks: 4
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Confidential Computing device plugin for Kubernetes
[Go Report Card](https://goreportcard.com/report/github.com/google/cc-device-plugin)
## Introduction
This is a [Kubernetes][k8s] [device plugin][dp] implementation that registers
Confidential Computing devices in a Google Kubernetes Engine (GKE) cluster so
that compute workloads can request them. With the appropriate GKE setup and
this plugin deployed, your Kubernetes cluster can run jobs (e.g., remote
attestation) that require access to Confidential Computing devices.
This plugin supports the following technologies on GKE:
* **[vTPM][tpm] / AMD SEV:** Exposes the `google.com/cc` resource.
* **[AMD SEV-SNP][sevsnp]:** Exposes the `amd.com/sev-snp` resource. Requires AMD SEV-SNP machines.
* **[Intel TDX][tdx]:** Exposes the `intel.com/tdx` resource. Requires Intel TDX machines.
## Prerequisites
* A GKE cluster with node pools configured to support the desired
Confidential Computing technology (SEV, SEV-SNP, or TDX). This
includes selecting appropriate machine types and enabling Confidential
Nodes in the node pool settings.
* For SEV-SNP, ensure the node pool uses AMD SEV-SNP machine types.
* For TDX, ensure the node pool uses Intel TDX machine types.
## Limitations
* This plugin targets Kubernetes v1.18+.
* Refer to [Confidential VM Supported Configurations](https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations)
for specific version and region availability.
## Deployment
The device plugin needs to run on every node that is equipped with
Confidential Computing devices. The simplest way to do this is to create a
Kubernetes [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/),
which runs a copy of a pod on all (or some) Nodes in the cluster.
We provide a pre-built Docker image on [Google Artifact Registry][release] that
you can use with your DaemonSet. This repository also ships a pre-defined
manifest, `manifests/cc-device-plugin.yaml`, which references a stable image
version from the release repository. Create the DaemonSet in your Kubernetes
cluster by running:
```
kubectl create -f manifests/cc-device-plugin.yaml
```
or directly pull from the web using
```
kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml
```
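Once the DaemonSet is running, a workload consumes a device by requesting the advertised resource, which makes the scheduler place it only on a node whose plugin reports that capacity. The following Pod manifest is an added example and is not part of the cc-device-plugin repository; the image, the command and the Pod name are assumptions, while the resource name `amd.com/sev-snp` is the one documented above (substitute `google.com/cc` or `intel.com/tdx` for the other technologies).

```yaml
# Added example, not from the cc-device-plugin repository.
# Requests one SEV-SNP device from the resource the plugin advertises.
apiVersion: v1
kind: Pod
metadata:
  name: snp-attestation-job          # assumed name
spec:
  restartPolicy: Never
  containers:
  - name: attester
    image: busybox:1.36              # assumed: replace with an image carrying your attestation tool
    # Assumed command: list the device nodes the plugin injected, then idle
    # long enough to inspect the container.
    command: ["sh", "-c", "ls -l /dev && sleep 60"]
    resources:
      # Extended resources must be set in limits; Kubernetes requires
      # requests == limits for them, and setting only limits implies that.
      limits:
        amd.com/sev-snp: 1
```

Confirm that a node actually advertises the resource before scheduling against it, for example with `kubectl get node NODE -o jsonpath='{.status.allocatable.amd\.com/sev-snp}'`; a Pod requesting a resource no node reports stays `Pending`.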
[dp]: https://kubernetes.io/docs/concepts/cluster-administration/device-plugins/
[k8s]: https://kubernetes.io
[tpm]: https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm
[sevsnp]: https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp
[tdx]: https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense
[release]: https://us-central1-docker.pkg.dev/gce-confidential-compute/release/cc-device-plugin