From 0ae7eb11a4b542cd2a02f7b3afc9c7fc3cad92c0 Mon Sep 17 00:00:00 2001
From: jimmychiuuuu
Date: Tue, 10 Feb 2026 01:06:03 +0000
Subject: [PATCH] Update Dockerfile to patch OS vulnerabilities and update README
---
 Dockerfile | 7 ++++++-
 README.md | 39 +++++++++++++++++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8528383..9ea08da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,11 @@ COPY . /src
 RUN CGO_ENABLED=0 go build -o /cc-device-plugin
 FROM debian:trixie-slim
-LABEL maintainer="ruidezhang "
+LABEL maintainer="jimmychiu "
+
+# Update and upgrade OS packages to patch vulnerabilities
+RUN apt update && apt -y upgrade
+RUN apt -y autoremove
+
 COPY --from=build /cc-device-plugin /cc-device-plugin
 ENTRYPOINT ["/cc-device-plugin"]
diff --git a/README.md b/README.md
index 8c4548e..8a41337 100644
--- a/README.md
+++ b/README.md
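Review bot: The two new `RUN apt ...` lines each create their own layer and neither removes the package index afterwards, so the final image carries `/var/lib/apt/lists` and its patch level is whatever Debian trixie had published on the day of the build, which makes rebuilds non-reproducible and leaves the "patched" state unpinned. Collapsing them into one layer with the script-stable `apt-get` front end and a cleanup step, `RUN apt-get update && apt-get -y upgrade && apt-get -y autoremove && rm -rf /var/lib/apt/lists/*`, keeps the intent of the comment while avoiding the stale index and the extra layer. Because the binary is built with `CGO_ENABLED=0` on the context line above, a distroless or `scratch` final stage would presumably remove the OS package surface entirely rather than re-patching it on every rebuild; if the Debian base is kept, pinning `debian:trixie-slim` by digest would at least make the starting point a fixed, auditable input.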
@@ -2,20 +2,43 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/google/cc-device-plugin)](https://goreportcard.com/report/github.com/google/cc-device-plugin)
 ## Introduction
-This is a [Kubernetes][k8s] [device plugin][dp] implementation that enables the
-registration of Confidential Computing devices in a Google
-Kubernetes Engine (GKE) for compute workload. With the appropriate GKE setup and
-this plugin deployed in your Kubernetes cluster, you will be able to run jobs
-(e.g. Attestation) that require Confidential Computing devices. (Note that: Current version supports [TPM][tpm]. Support for [SEV SNP][sevsnp] and [TDX][tdx] are on the way.)
+
+This is a [Kubernetes][k8s] [device plugin][dp] implementation that enables
+the registration of Confidential Computing devices in a Google Kubernetes
+Engine (GKE) cluster for compute workloads. With the appropriate GKE setup
+and this plugin deployed, your Kubernetes cluster will be able to run jobs
+(e.g., Attestation) that require Confidential Computing devices.
+
+This plugin supports the following technologies on GKE:
+* **vTPM / AMD SEV:** Exposes `google.com/cc` resource.
+* **AMD SEV-SNP:** Exposes `amd.com/sev-snp` resource. Requires AMD SNP machines.
+* **Intel TDX:** Exposes `intel.com/tdx` resource. Requires Intel TDX machines.
 ## Prerequisites
-* GKE
+* A GKE cluster with node pools configured to support the desired
+ Confidential Computing technology (SEV, SEV-SNP, or TDX). This
+ includes selecting appropriate machine types and enabling Confidential
+ Nodes in the node pool settings.
+* For SEV-SNP, ensure the node pool uses AMD SEV-SNP machine types.
+* For TDX, ensure the node pool uses Intel TDX machine types.
 ## Limitations
-* This plugin targets Kubernetes v1.18+.
+* This plugin targets Kubernetes v1.18+. 
+* Refer to [Confidential VM Supported Configurations](https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations)
+ for specific version and region availability.
+
 ## Deployment
-The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices (e.g. TPM). The simplest way of doing so is to create a Kubernetes [DaemonSet][dp], which run a copy of a pod on all (or some) Nodes in the cluster. We have a pre-built Docker image on [Google Artifact Registry][release] that you can use for with your DaemonSet. This repository also have a pre-defined yaml file named `cc-device-plugin.yaml`. You can create a DaemonSet in your Kubernetes cluster by running this command:
+The device plugin needs to be run on all the nodes that are equipped with
+Confidential Computing devices. The simplest way to do this is to create a
+Kubernetes [DaemonSet][dp], which runs a copy of a pod on all (or some) Nodes
+in the cluster.
+
+We have a pre-built Docker image on [Google Artifact Registry][release] that
+you can use with your DaemonSet. This repository also has a pre-defined yaml
+file named `cc-device-plugin.yaml`. You can create a DaemonSet in your
+Kubernetes cluster by running this command using a stable version from the
+release repository:
 ```
 kubectl create -f manifests/cc-device-plugin.yaml