
GKE Confidential Nodes with Cluster Autoscaler

Hello,

I’m experiencing an issue with Cluster Autoscaler on GKE where I have a pod that explicitly needs to run on a Confidential VM, using the following nodeSelector:

nodeSelector:
  cloud.google.com/gke-confidential-nodes: "true"

However, I’ve noticed that the Cluster Autoscaler doesn’t trigger a scale-up to add Confidential VM nodes for the new pod. 

I aim to have Confidential VM support only for specific required services without making all nodes confidential. Is it expected behavior that enabling Confidential VMs at the cluster level applies to all nodes? Is there any way to selectively use Confidential VMs within a GKE cluster? Or is the only solution to create separate node pools for confidential and non-confidential workloads?

Thanks for your help and insights!

Regards,

Paul


Hi @pbrissaud,

Welcome to Google Cloud Community!

Please note that if Confidential GKE Nodes are enabled at the cluster level, all nodes will automatically use Confidential VMs. However, if this setting is disabled at the cluster level, you can selectively enable Confidential GKE Nodes on specific node pools.

When you enable Confidential GKE Nodes on a cluster or on a node pool, data in workloads running on the confidential nodes is encrypted in use.

You can enable Confidential GKE Nodes when doing one of the following:

  • Create a new cluster
  • Create a new node pool
  • Update an existing node pool

NOTE: You cannot update an existing cluster to change the cluster-level Confidential GKE Nodes setting.

The following table shows you the GKE behavior that applies when you enable Confidential GKE Nodes at the cluster level or at the node pool level:


You can also refer to this documentation, which might help for future reference.

I hope the above information is helpful.
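The scale-up failure in the original question follows directly from the answer above: Cluster Autoscaler only adds nodes to a pool whose node template already carries the labels a pending pod selects on, and the `cloud.google.com/gke-confidential-nodes=true` label is only present on nodes of a pool (or cluster) with Confidential GKE Nodes enabled. The pre-flight check below, added here as example code that is not part of the thread and not Google's own tooling, takes a pod spec and a list of node pools and reports whether any autoscaling pool could satisfy the pod's nodeSelector. It assumes the node pool JSON shape produced by `gcloud container node-pools list --format=json` (`name`, `config.confidentialNodes.enabled`, `config.labels`, `autoscaling.enabled`, `autoscaling.maxNodeCount`) and that GKE stamps the label above on every node of a confidential pool; both are assumptions stated again in the code, and the sample pools and pod are constructed for the example.

```python
"""Pre-flight check: can GKE Cluster Autoscaler scale up for this pod?

Added example, not code from the thread. Assumptions: node pools use the
field names returned by `gcloud container node-pools list --format=json`,
and GKE labels every node of a pool that has Confidential GKE Nodes enabled
with cloud.google.com/gke-confidential-nodes=true.
"""
import json

CONFIDENTIAL_LABEL = "cloud.google.com/gke-confidential-nodes"


def node_labels_for_pool(pool: dict) -> dict:
    """Labels the autoscaler's node template for this pool would carry.

    User labels come from config.labels; the confidential-nodes label is
    derived from config.confidentialNodes.enabled (assumed GKE behaviour).
    """
    config = pool.get("config", {})
    labels = dict(config.get("labels", {}))
    if config.get("confidentialNodes", {}).get("enabled"):
        labels[CONFIDENTIAL_LABEL] = "true"
    return labels


def pool_can_scale_up(pool: dict) -> bool:
    """Autoscaler adds nodes only to pools with autoscaling on and headroom."""
    autoscaling = pool.get("autoscaling", {})
    return bool(autoscaling.get("enabled")) and autoscaling.get("maxNodeCount", 0) > 0


def matching_pools(pod: dict, pools: list) -> list:
    """Pools whose node template satisfies every key in the pod's nodeSelector."""
    selector = pod.get("spec", {}).get("nodeSelector", {})
    return [
        pool for pool in pools
        if all(node_labels_for_pool(pool).get(key) == value for key, value in selector.items())
    ]


def autoscaler_can_place(pod: dict, pools: list) -> dict:
    """Summarise why a pending pod would (or would not) trigger a scale-up."""
    matches = matching_pools(pod, pools)
    scalable = [pool["name"] for pool in matches if pool_can_scale_up(pool)]
    return {
        "matching_pools": [pool["name"] for pool in matches],
        "scalable_pools": scalable,
        "scale_up_possible": bool(scalable),
    }


# Constructed sample input: the pod from the question.
POD = json.loads("""{
  "kind": "Pod",
  "spec": {"nodeSelector": {"cloud.google.com/gke-confidential-nodes": "true"}}
}""")

# Constructed sample: a cluster without Confidential GKE Nodes and only a
# default pool, which is the situation the question describes.
POOLS_BEFORE = [
    {"name": "default-pool",
     "config": {"machineType": "e2-standard-4", "labels": {}},
     "autoscaling": {"enabled": True, "minNodeCount": 1, "maxNodeCount": 5}},
]

# Constructed sample: the same cluster after adding a dedicated confidential
# pool (N2D, since Confidential VMs need an AMD SEV-capable machine type).
POOLS_AFTER = POOLS_BEFORE + [
    {"name": "confidential-pool",
     "config": {"machineType": "n2d-standard-4", "labels": {},
                "confidentialNodes": {"enabled": True}},
     "autoscaling": {"enabled": True, "minNodeCount": 0, "maxNodeCount": 3}},
]

# Constructed sample: a confidential pool that matches but cannot grow.
POOLS_FIXED_SIZE = POOLS_BEFORE + [
    {"name": "confidential-fixed",
     "config": {"machineType": "n2d-standard-4", "labels": {},
                "confidentialNodes": {"enabled": True}},
     "autoscaling": {"enabled": False}},
]

if __name__ == "__main__":
    for label, pools in (("before", POOLS_BEFORE), ("after", POOLS_AFTER),
                         ("fixed-size", POOLS_FIXED_SIZE)):
        print(label, json.dumps(autoscaler_can_place(POD, pools)))
```

In the "before" case no pool's node template carries the label, so the autoscaler has nothing to scale and the pod stays Pending; the fix the answer describes is a separate node pool with Confidential GKE Nodes enabled (created with `gcloud container node-pools create` and its `--enable-confidential-nodes` flag, plus autoscaling limits), after which the selector matches and a scale-up is possible. The "fixed-size" case shows the other easy mistake: a matching confidential pool with autoscaling disabled matches the selector but will never grow.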
