https://github.com/google/cc-device-plugin

A Kubernetes device plugin that exposes Confidential Computing devices to workloads in Google Kubernetes Engine (GKE) clusters.
https://github.com/google/cc-device-plugin

confidential-computing device-plugin gcp gke golang google kubernetes remote-attestation

Last synced: 6 months ago
JSON representation

A Kubernetes device plugin that exposes Confidential Computing devices to workloads in Google Kubernetes Engine (GKE) clusters.

• Host: GitHub
• URL: https://github.com/google/cc-device-plugin
• Owner: google
• License: apache-2.0
• Created: 2024-03-07T20:56:02.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2025-03-13T00:15:39.000Z (11 months ago)
• Last Synced: 2025-08-12T15:56:39.822Z (6 months ago)
• Topics: confidential-computing, device-plugin, gcp, gke, golang, google, kubernetes, remote-attestation
• Language: Go
• Homepage: https://cloud.google.com/security/products/confidential-computing
• Size: 33.2 KB
• Stars: 3
• Watchers: 2
• Forks: 1
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# Confidential Computing device plugin for Kubernetes

[![Go Report Card](https://goreportcard.com/badge/github.com/google/cc-device-plugin)](https://goreportcard.com/report/github.com/google/cc-device-plugin)

## Introduction

This is a [Kubernetes][k8s] [device plugin][dp] implementation that enables the

registration of Confidential Computing devices in a Google

Kubernetes Engine (GKE) for compute workload. With the appropriate GKE setup and

this plugin deployed in your Kubernetes cluster, you will be able to run jobs

(e.g. Attestation) that require Confidential Computing devices. (Note that: Current version supports [TPM][tpm]. Support for [SEV SNP][sevsnp] and [TDX][tdx] are on the way.)

## Prerequisites

* GKE

## Limitations

* This plugin targets Kubernetes v1.18+.

## Deployment

The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices (e.g. TPM).  The simplest way of doing so is to create a Kubernetes [DaemonSet][dp], which run a copy of a pod on all (or some) Nodes in the cluster.  We have a pre-built Docker image on [Goolge Artifact Registry][release] that you can use for with your DaemonSet.  This repository also have a pre-defined yaml file named `cc-device-plugin.yaml`.  You can create a DaemonSet in your Kubernetes cluster by running this command:

```

kubectl create -f manifests/cc-device-plugin.yaml

```

or directly pull from the web using

```

kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml

```

[dp]: https://kubernetes.io/docs/concepts/cluster-administration/device-plugins/

[k8s]: https://kubernetes.io

[tpm]: https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm

[sevsnp]: https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp

[tdx]: https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense

[release]: https://us-central1-docker.pkg.dev/gce-confidential-compute/release/cc-device-plugin