Run a Sample Workload

After completing the deployment steps, verify your installation by running a basic single-GPU sample workload inside a Confidential Container.

This page intentionally uses the simplest possible manifest so that you can confirm the deployment end-to-end. For the full set of workload configuration options, including runtime class selection, resource type naming, and multi-GPU passthrough, refer to Configuring Confidential Container Workloads.

1. Create a file named cuda-vectoradd-kata.yaml with the following sample manifest:

   apiVersion: v1
   kind: Pod
   metadata:
     name: cuda-vectoradd-kata
     namespace: default
   spec:
     runtimeClassName: kata-qemu-nvidia-gpu-snp # or kata-qemu-nvidia-gpu-tdx
     restartPolicy: Never
     containers:
       - name: cuda-vectoradd
         image: "nvcr.io/nvidia/k8s/cuda-sample:vectoradd-cuda12.5.0-ubuntu22.04"
         resources:
           limits:
             nvidia.com/pgpu: "1"
             memory: 16Gi
   

   Before applying the manifest, adjust the two highlighted lines for your environment:

   • Runtime class. Use kata-qemu-nvidia-gpu-snp on AMD SEV-SNP nodes or kata-qemu-nvidia-gpu-tdx on Intel TDX nodes.

   • GPU resource type. The sample requests nvidia.com/pgpu, which is the default resource name advertised by the NVIDIA Kata sandbox device plugin. If your cluster was installed with the P_GPU_ALIAS="" setting, replace it with the model-specific name advertised on your node, for example nvidia.com/GH100_H200_141GB.

   Refer to Configuring Confidential Container Workloads for guidance on each option.

2. Create the pod:

   $ kubectl apply -f cuda-vectoradd-kata.yaml
   

   Example Output:

   pod/cuda-vectoradd-kata created
   

3. Optional: Verify the pod is running:

   $ kubectl get pod cuda-vectoradd-kata
   

   Example Output:

   NAME                  READY   STATUS    RESTARTS   AGE
   cuda-vectoradd-kata   1/1     Running   0          10s
   

4. View the logs from the pod after the container starts:

   $ kubectl logs -n default cuda-vectoradd-kata
   

   Example Output:

   [Vector addition of 50000 elements]
   Copy input data from the host memory to the CUDA device
   CUDA kernel launch with 196 blocks of 256 threads
   Copy output data from the CUDA device to the host memory
   Test PASSED
   Done
   

5. Delete the pod:

   $ kubectl delete -f cuda-vectoradd-kata.yaml
   

Next Steps

• Configure Confidential Container workloads for runtime class selection, resource type naming, and single- or multi-GPU passthrough patterns.

• Configure Attestation with the Trustee framework to enable remote verification of your confidential environment.

• Manage the confidential computing mode on your GPUs.