sigs.k8s.io/cluster-api-provider-azure@v1.14.3/docs/book/src/topics/confidential-vms.md

# Confidential VMs

This document describes how to deploy a cluster with Azure [Confidential VM](https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview) nodes.

## Limitations

Before you begin, be aware of the following:

- [VM Size Support](https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview#size-support)
- [OS Support](https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview#os-support)
- [Limitations](https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview#limitations)

## Confidential VM Images

One of the limitations of Confidential VMs is that they only support specific OS images, because the guest must be [successfully attested](https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview#attestation-and-tpm) during boot.

Confidential VM images are not included in the list of `capi` reference images. Before creating a cluster hosted on Azure Confidential VMs, you can create a [custom image](custom-images.md) based on a Confidential VM supported OS image using [image-builder](https://github.com/kubernetes-sigs/image-builder). For example, you can run the following to create such an image based on Ubuntu Server 22.04 LTS for CVMs:

```bash
$ make -C images/capi build-azure-sig-ubuntu-2204-cvm
# many minutes later...
==> sig-ubuntu-2204-cvm:
Build 'sig-ubuntu-2204-cvm' finished.

==> Builds finished. The artifacts of successful builds are:
--> sig-ubuntu-2204-cvm: Azure.ResourceManagement.VMImage:

OSType: Linux
ManagedImageResourceGroupName: cluster-api-images
ManagedImageName: capi-ubuntu-2204-cvm-1684153817
ManagedImageId: /subscriptions/01234567-89ab-cdef-0123-4567890abcde/resourceGroups/cluster-api-images/providers/Microsoft.Compute/images/capi-ubuntu-2204-cvm-1684153817
ManagedImageLocation: southcentralus
ManagedImageSharedImageGalleryId: /subscriptions/01234567-89ab-cdef-0123-4567890abcde/resourceGroups/cluster-api-images/providers/Microsoft.Compute/galleries/ClusterAPI/images/capi-ubuntu-2204-cvm/versions/0.3.1684153817
```

## Example

The example below shows how to deploy a cluster with the control-plane nodes as Confidential VMs. `securityEncryptionType` is set to `VMGuestStateOnly` (i.e. only the VMGuestState blob will be encrypted), while `vTpmEnabled` and `secureBootEnabled` are both set to `true`. Make sure to choose a supported VM size (e.g. `Standard_DC4as_v5`) and OS (e.g. Ubuntu Server 22.04 LTS for Confidential VMs).

NOTE: the same settings can be applied to worker nodes.

```yaml
kind: AzureMachineTemplate
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
metadata:
  name: capz-confidential-vms-example
spec:
  template:
    spec:
      image:
        computeGallery:
          subscriptionID: "01234567-89ab-cdef-0123-4567890abcde"
          resourceGroup: "cluster-api-images"
          gallery: "ClusterAPI"
          name: "capi-ubuntu-2204-cvm-1684153817"
          version: "0.3.1684153817"
      securityProfile:
        securityType: "ConfidentialVM"
        uefiSettings:
          vTpmEnabled: true
          secureBootEnabled: true
      osDisk:
        diskSizeGB: 128
        osType: "Linux"
        managedDisk:
          storageAccountType: "Premium_LRS"
          securityProfile:
            securityEncryptionType: "VMGuestStateOnly"
      vmSize: "Standard_DC4as_v5"
```