Many companies have adopted Google Kubernetes Engine (GKE) as a key component in their application infrastructure. In some cases, the advantages of using containers and Kubernetes can surpass those of traditional architectures, but migrating to and operating apps in the cloud often requires strategic planning to reduce risk and prevent data breaches. This is where Confidential GKE Nodes can be utilized to enhance the security of your GKE clusters or node pools.
Confidential GKE Nodes leverage specialized hardware to encrypt data in-use and are ideal for organizations processing sensitive data in the cloud. To make it easier to start using Confidential GKE Nodes, GKE standard workloads you run today can run as confidential GKE workloads without code changes on your end.
Security underpinnings of Confidential GKE Nodes
As we expand the Confidential Computing product portfolio from Confidential VMs to Confidential GKE Nodes to Confidential Dataproc, ensuring high performance is key. Confidential GKE Nodes are built on the same technology foundation as Confidential VM and utilize the Secure Encrypted Virtualization (SEV) capability of AMD EPYC™ processors. This feature allows you to keep data encrypted in memory with node-specific, dedicated keys that are generated and managed by the processor. The keys are generated in hardware during node creation and reside solely within the processor, making them unavailable to Google Cloud or other nodes running on the host.
Combined with the high performance of C2D VMs
Previously, Confidential GKE Nodes were generally available only on general purpose N2D VMs, but now they’re also available on compute optimized C2D VMs. The C2D machine series provides VM sizes ranging from 2 vCPUs to 112 vCPUs, offers up to 896 GB of memory, and are suited for performance-intensive workloads. C2D standard and C2D high-CPU machines serve compute-bound workloads including high-performance web servers and media transcoding. C2D high-memory machines serve specialized workloads such as high-performance computing (HPC) and electronic design automation (EDA), which require more memory.
Confidential GKE Nodes on compute-optimized C2D VMs could be a fit for use cases that require high performance and security. You can achieve encryption in-use for data processed inside your GKE cluster or just on specific node pools, without significant performance degradation. This is relevant for industries such as financial services, healthcare, retail, blockchain, and telecommunications, which often have sensitive data or personally identifiable information (PII) that requires additional security measures.
How MATRIXX used Confidential GKE Nodes
MATRIXX Software chose Confidential GKE Nodes to provide transparent encryption for data in-use to supplement encryption for data at-rest to secure personal subscriber data as required by privacy regulations.
MATRIXX Digital Commerce Platform (DCP) is a real-time 5G monetization for the communications industry, serving many of the world’s largest operator groups, regional carriers, and emerging digital service providers. MATRIXX used Google Cloud Confidential GKE Nodes to deliver a cloud-first digital commerce solution that enables commercial and operational agility for current and new telco business models.
A whitepaper titled “Protecting Your 5G Revenue Stream in the Cloud,” described how when MATRIXX DCP is deployed with Confidential Computing on Google Cloud, “its subscriber data, account balances, network events and charges/revenue streams are encrypted in use without making any code changes to the application or compromising on performance.”
Confidential GKE Nodes are globally available
At Google Cloud, we’re committed to investing in Confidential Computing, so we’ve expanded our support to VM families like C2D VMs. Confidential GKE Nodes running on C2D VMs are available in regions across the globe, including us-central1 (Iowa), asia-southeast1 (Singapore), us-east1 (South Carolina), us-east4 (North Virginia), asia-east1 (Taiwan), and europe-west4 (Netherlands). Note that Confidential GKE Nodes are available where C2D or N2D machines are available.
Pricing for Confidential GKE Nodes
Try out Confidential GKE Nodes for cluster-level enablement
First, go to the Google Kubernetes Engine page in the Google Cloud console. In the top navigation bar, click Create. In the Create Cluster modal, choose ‘Standard: You manage your cluster’ and click Configure.
Next, from the left navigation pane, under Cluster, click Security. Select the ‘Enable Confidential GKE Nodes’ checkbox.
Then, from the left navigation pane again, under Node Pools, click Nodes. Under Machine Configuration and Machine family, select the Compute-optimized tab, and choose a C2D machine type.
Configure the rest of the cluster as desired and click Create.
Making secure design choices should be easy, especially when the workloads involve high-performance processing of sensitive data. You can help protect your sensitive applications and data today by adding Confidential GKE Nodes to your GKE workloads. Learn more about Confidential Computing here.
Cloud BlogRead More