From 4102c7ea75d26625b22e93c565ebacb0436f0957 Mon Sep 17 00:00:00 2001 From: Jimmy Chiu <57710725+jimmychiuuuu@users.noreply.github.com> Date: Fri, 13 Mar 2026 18:16:45 -0700 Subject: [PATCH 1/2] Add usage examples for exposed devices in README Added examples for requesting Intel TDX, AMD SEV, and vTPM devices in Kubernetes pods. --- README.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 799cab6..f7f24bc 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,6 @@ node images) are branch-dependent: * Refer to [Confidential VM Supported Configurations][supported-configs] for specific version and region availability. - ## Deployment The device plugin needs to be run on all the nodes that are equipped with Confidential Computing devices. The simplest way to do this is to create a 
@@ -52,10 +51,78 @@ or directly pull from the web using kubectl create -f https://raw.githubusercontent.com/google/cc-device-plugin/main/manifests/cc-device-plugin.yaml ``` +## Using the Exposed Devices + +To use the devices, request them in your Pod's resource limits. This will cause +the device plugin to mount the appropriate device node into your container. + +**Example: Requesting Intel TDX** + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: example-tdx-pod +spec: + containers: + - name: test-container + image: ubuntu # Your application image + command: ["/bin/sh", "-c", "ls -l /dev/tdx_guest; sleep 3600"] + resources: + limits: + intel.com/tdx: 1 # Request TDX device + nodeSelector: + cloud.google.com/gke-confidential-nodes-instance-type: "TDX" + cloud.google.com/machine-family: "c3" +``` +Inside this container, `/dev/tdx_guest` will be available for interacting with the Intel Trust Domain. + +**Example: Requesting vTPM / AMD SEV** + +**Example: Requesting AMD SEV-SNP** + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: example-sev-snp-pod +spec: + containers: + - name: test-container + image: ubuntu # Your application image + command: ["/bin/sh", "-c", "ls -l /dev/sev-guest; sleep 3600"] + resources: + limits: + amd.com/sev-snp: 1 # Request SEV-SNP device + nodeSelector: + cloud.google.com/gke-confidential-nodes-instance-type: "SEV_SNP" + cloud.google.com/machine-family: "n2d" +``` +Inside this container, `/dev/sev-guest` will be available for interacting with the AMD Secure Processor. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: example-vtpm-pod +spec: + containers: + - name: test-container + image: ubuntu # Your application image + command: ["/bin/sh", "-c", "ls -l /dev/tpmrm0; sleep 3600"] + resources: + limits: + google.com/cc: 1 # Request vTPM device + nodeSelector: + cloud.google.com/gke-confidential-nodes-instance-type: "SEV" +``` +Inside this container, `/dev/tpmrm0` will be available. 
+ [dp]: https://kubernetes.io/docs/concepts/cluster-administration/device-plugins/ [k8s]: https://kubernetes.io [tpm]: https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm [sevsnp]: https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp -[tdx]: https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense +[tdx]: https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#intel_tdx [release]: https://us-central1-docker.pkg.dev/gce-confidential-compute/release/cc-device-plugin [supported-configs]: https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations +[gke-cc-docs]: https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes From afd1df667071a4d0965878a03eaca58338d9b400 Mon Sep 17 00:00:00 2001 From: Jimmy Chiu <57710725+jimmychiuuuu@users.noreply.github.com> Date: Fri, 13 Mar 2026 18:40:43 -0700 Subject: [PATCH 2/2] Refactor README for clarity and completeness Updated README to improve formatting --- README.md | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index f7f24bc..5e11cbc 100644 --- a/README.md +++ b/README.md 
@@ -5,14 +5,17 @@ This is a [Kubernetes][k8s] [device plugin][dp] implementation that enables the registration of Confidential Computing devices in a Google Kubernetes -Engine (GKE) cluster for compute workloads. With the appropriate GKE setup -and this plugin deployed, your Kubernetes cluster will be able to run jobs -(e.g., Attestation) that require Confidential Computing devices. +Engine (GKE) cluster for compute workloads. With the appropriate +[GKE setup][gke-cc-docs] and this plugin deployed, your Kubernetes cluster +will be able to run jobs (e.g., Attestation) that require Confidential +Computing devices. This plugin supports the following technologies on GKE: -* **vTPM / AMD SEV:** Exposes `google.com/cc` resource. -* **AMD SEV-SNP:** Exposes `amd.com/sev-snp` resource. Requires AMD SNP machines. -* **Intel TDX:** Exposes `intel.com/tdx` resource. Requires Intel TDX machines. +* **vTPM / AMD SEV:** Exposes `google.com/cc` resource. +* **AMD SEV-SNP:** Exposes `amd.com/sev-snp` resource. Requires AMD SNP + machines. +* **Intel TDX:** Exposes `intel.com/tdx` resource. Requires Intel TDX + machines. ## Prerequisites * A GKE cluster with node pools configured to support the desired @@ -75,9 +78,8 @@ spec: cloud.google.com/gke-confidential-nodes-instance-type: "TDX" cloud.google.com/machine-family: "c3" ``` -Inside this container, `/dev/tdx_guest` will be available for interacting with the Intel Trust Domain. - -**Example: Requesting vTPM / AMD SEV** +Inside this container, `/dev/tdx_guest` will be available for interacting +with the Intel Trust Domain. **Example: Requesting AMD SEV-SNP** 
@@ -98,7 +100,10 @@ spec: cloud.google.com/gke-confidential-nodes-instance-type: "SEV_SNP" cloud.google.com/machine-family: "n2d" ``` -Inside this container, `/dev/sev-guest` will be available for interacting with the AMD Secure Processor. +Inside this container, `/dev/sev-guest` will be available for interacting +with the AMD Secure Processor. + +**Example: Requesting vTPM / AMD SEV** ```yaml apiVersion: v1
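Review bot: In PATCH 1/2, hunk `@@ -52,10 +51,78 @@`, the heading `**Example: Requesting vTPM / AMD SEV**` is placed directly above `**Example: Requesting AMD SEV-SNP**` while the vTPM YAML (`google.com/cc`, `/dev/tpmrm0`) only appears after the SEV-SNP example, so the first commit ships a README whose headings and examples do not line up; PATCH 2/2 moves the heading, so these two commits should be squashed rather than landing the broken intermediate state (the same hunk also adds the `[gke-cc-docs]` link definition that nothing references until PATCH 2/2). In the same hunk, the sentence "request them in your Pod's resource limits" would benefit from stating why only `limits:` is shown: extended resources cannot be overcommitted, so Kubernetes requires `requests` and `limits` to match and defaults `requests` to the limit when only `limits` is given, and the count must be a whole number. It is also worth a sentence that this is the supported way to reach the device, so the container needs neither `privileged: true` nor a `hostPath` mount of `/dev`.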
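Review bot: Still in PATCH 1/2, hunk `@@ -52,10 +51,78 @@`, the vTPM example is inconsistent with the other two: its `nodeSelector` omits the `cloud.google.com/machine-family` label that the TDX (`"c3"`) and SEV-SNP (`"n2d"`) examples pin, and its closing line, "Inside this container, `/dev/tpmrm0` will be available.", says nothing about what the device is for, unlike the parallel sentences for `/dev/tdx_guest` and `/dev/sev-guest`. Suggest either adding the machine-family selector or noting that it is optional for `SEV` nodes, and finishing the sentence along the lines of "`/dev/tpmrm0` (the kernel's TPM resource-manager interface to the vTPM) will be available for attestation", which ties the example back to the "jobs (e.g., Attestation)" use case named at the top of the README.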
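Review bot: In PATCH 2/2, hunk `@@ -5,14 +5,17 @@`, the first bullet, `* **vTPM / AMD SEV:** Exposes `google.com/cc` resource.`, is the only one of the three without a "Requires ... machines." qualifier, even though its example later selects `cloud.google.com/gke-confidential-nodes-instance-type: "SEV"`; add the node requirement (Confidential VM / AMD SEV nodes) so all three bullets tell the reader which node pool they need. The commit message, "Updated README to improve formatting", also undersells hunks `@@ -75,9 +78,8 @@` and `@@ -98,7 +100,10 @@`, which correct the misplaced vTPM heading from PATCH 1/2 rather than just reflowing text; that fix deserves a mention in the message.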