SGX-Aware Container Orchestration for Heterogeneous Clusters

by   Sébastien Vaucher, et al.

Containers are becoming the de facto standard to package and deploy applications and micro-services in the cloud. Several cloud providers (e.g., Amazon, Google, Microsoft) begin to offer native support on their infrastructure by integrating container orchestration tools within their cloud offering. At the same time, the security guarantees that containers offer to applications remain questionable. Customers still need to trust their cloud provider with respect to data and code integrity. The recent introduction by Intel of Software Guard Extensions (SGX) into the mass market offers an alternative to developers, who can now execute their code in a hardware-secured environment without trusting the cloud provider. This paper provides insights regarding the support of SGX inside Kubernetes, an industry-standard container orchestrator. We present our contributions across the whole stack supporting execution of SGX-enabled containers. We provide details regarding the architecture of the scheduler and its monitoring framework, the underlying operating system support and the required kernel driver extensions. We evaluate our complete implementation on a private cluster using the real-world Google Borg traces. Our experiments highlight the performance trade-offs that will be encountered when deploying SGX-enabled micro-services in the cloud.


page 1

page 2

page 3

page 4


HEATS: Heterogeneity- and Energy-Aware Task-based Scheduling

Cloud providers usually offer diverse types of hardware for their users....

Security, Performance and Energy Trade-offs of Hardware-assisted Memory Protection Mechanisms

The deployment of large-scale distributed systems, e.g., publish-subscri...

Snort Intrusion Detection System with Intel Software Guard Extension (Intel SGX)

Network Function Virtualization (NFV) promises the benefits of reduced i...

Dynamic Binary Translation for SGX Enclaves

Enclaves, such as those enabled by Intel SGX, offer a hardware primitive...

Binary Compatibility For SGX Enclaves

Enclaves, such as those enabled by Intel SGX, offer a powerful hardware ...

Aneka: A Software Platform for .NET-based Cloud Computing

Aneka is a platform for deploying Clouds developing applications on top ...

Supporting RISC-V Performance Counters through Performance analysis tools for Linux (Perf)

Increased attention to RISC-V in Cloud, Data Center, Automotive and Netw...