Hardware & OS Requirements
Physical Server requirements
- Intel® SecL-DC supports and uses a variety of Intel security features, but there are some key requirements to consider before beginning an installation. Most important among these is the Root of Trust configuration. This involves deciding what combination of TXT, Boot Guard, tboot, and UEFI Secure Boot to enable on platforms that will be attested using Intel® SecL.
Note
At least one "Static Root of Trust" mechanism must be used (TXT and/or BtG). For Legacy BIOS systems, tboot must be used. For UEFI mode systems, UEFI SecureBoot must be used* Use the chart below for a guide to acceptable configuration options. Only dTPM is supported on Intel® SecL-DC platform hardware.
Machines
-
Build Machine
-
K8s control-plane Node Setup on CSP (VMs/Physical Nodes + TXT/SUEFI enabled Physical Nodes)
-
K8s control-plane Node Setup on Enterprise (VMs/Physical Nodes)
OS Requirements
-
RHEL 8.3
/Ubuntu 18.04
for build -
RHEL 8.3
/Ubuntu 18.04
for K8s cluster deployments
Note
Foundational & Workload Security solution is built, installed and tested with root privileges. Please ensure that all the following instructions are executed with root privileges
Container Runtime
- Docker-19.03.13
- CRIO-1.17.5
K8s Distributions
- Single Node:
A single-node deployment uses microk8s
to deploy the entire control plane in a pod on a single hardware machine. This is best for POC or demo environments, but can also be used when integrating Intel SecL with another application that runs on a virtual machine
- Multi Node:
A multi-node deployment is a more typical Kubernetes architecture, where the Intel SecL management plane is simply deployed as a Pod, with the Intel SecL agents (the WLA and the TA, depending on use case) deployed as a DaemonSet. kubeadm
is the supported multi node distribution as of today.
Storage
hostPath
in case of single-nodemicrok8s
for all services and agentsNFS
in case of multi-nodekubeadm
for services andhostPath
for Trust Agent and Workload Agent