Secure Smart Intersection Deployment with Trusted Compute#
This comprehensive guide walks you through deploying a Smart Intersection application within a Trusted Compute (TC) environment. The Smart Intersection serves as a powerful reference implementation that demonstrates how to achieve secure video analytics for intelligent traffic management systems.
Built on the robust DL Streamer Pipeline Server architecture, this solution employs pre-trained object detection models to analyze complex traffic patterns and generate actionable real-time insights. When deployed within a Trusted Compute environment, the entire video analytics pipeline benefits from hardware-backed isolation, creating a secure execution environment that safeguards sensitive traffic data and AI models from other workloads on the same device.
System Prerequisites#
Ensure your deployment environment meets these essential requirements before proceeding:
Trusted Compute Infrastructure: A fully operational TC environment is required for secure deployment
Complete installation procedures are documented in the TC Installation Guide
Container Orchestration Platform: K3s (lightweight Kubernetes distribution) for efficient workload management
Package Management Tool: Helm for streamlined Kubernetes application deployment and lifecycle management
Implementation Guide#
Step 1: Infrastructure Foundation Setup#
Deploy K3s Kubernetes Platform:
# Download and install K3s
curl -sfL https://get.k3s.io | sh -
# Verify the installation
sudo systemctl status k3s
# Check cluster readiness
sudo k3s kubectl get nodes
# Configure kubectl access
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $USER:$USER ~/.kube/config
chmod 600 ~/.kube/config
# Set environment variable for kubectl
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
echo 'export KUBECONFIG=/etc/rancher/k3s/k3s.yaml' >> ~/.bashrc
source ~/.bashrc
Install Helm Package Manager:
# Download Helm installation script
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod +x get_helm.sh
# Install Helm
./get_helm.sh
# Verify installation
helm version
Step 2: Source Code Acquisition#
Retrieve the Smart Intersection application from the Edge AI Suites repository:
# Clone the release branch
git clone https://github.com/open-edge-platform/edge-ai-suites.git -b release-2026.0.0
# Navigate to the Smart Intersection directory
cd edge-ai-suites/metro-ai-suite/metro-vision-ai-app-recipe/
Step 3: Enable Trusted Compute Security#
Configure the deployment to leverage Kata Containers runtime for enhanced security isolation:
# Navigate to DL Streamer Pipeline Server templates
cd smart-intersection/chart/templates/dlstreamer-pipeline-server/
Option 1: Manual Runtime Configuration
Integrate the runtimeClassName: kata-qemu directive into your deployment template:
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-dlstreamer-pipeline-server
template:
metadata:
labels:
app: {{ .Release.Name }}-dlstreamer-pipeline-server
spec:
runtimeClassName: kata-qemu
securityContext:
supplementalGroups: [109,110,992]
volumes:
Option 2: Automated Runtime Configuration
Apply the runtime configuration automatically using this command:
sed -i '/template:/,/volumes:/ { /spec:/a\
runtimeClassName: kata-qemu
}' deployment.yaml
Network Configuration Setup:
Configure the WebRTC signaling server settings in configmap.yaml:
Option 1: Manual Network Configuration
# Replace:
WEBRTC_SIGNALING_SERVER: "ws://localhost:8443"
# With (substitute your host IP):
WEBRTC_SIGNALING_SERVER: "ws://<Host_IP>:8443"
Option 2: Automated Network Configuration
# Run the following command
DEVICE_IP=$(hostname -I | awk '{print $1}') && sed -i "s|ws://localhost:8443|ws://$DEVICE_IP:8443|g" configmap.yaml
Step 4: Application Deployment#
Launch the Smart Intersection application using Helm with the configured Trusted Compute settings. For comprehensive deployment procedures and advanced configuration options, consult the official documentation:
Step 5: Deployment Verification and Monitoring#
Confirm Secure Isolation:
Verify that the DL Streamer Pipeline Server is operating within a Trusted Compute virtual machine environment:
ps aux | grep qemu
Successful Trusted Compute deployment will display a QEMU process containing:
Complete VM launch parameters and configuration
Allocated CPU cores and memory resources
Unique process identifier (PID) for monitoring
Performance Monitoring:
Monitor application health and performance metrics by examining DL Streamer logs:
kubectl logs <dl-streamer-deployment-name> -n smart-intersection
Application Management#
Uninstalling the Smart Intersection Application#
Before deploying a new Smart Intersection instance, ensure any existing deployment is properly removed:
# Uninstall the current application deployment
helm uninstall smart-intersection -n smart-intersection
# Remove the namespace and all associated resources
kubectl delete namespace smart-intersection
Enhanced Security Architecture#
This Trusted Compute implementation delivers comprehensive security advantages through multiple layers of protection:
Complete Workload Isolation: Video analytics pipelines execute within dedicated, hardware-isolated virtual machines, preventing cross-contamination between workloads
Memory Encryption: Provides runtime protection for sensitive traffic video and detection models by safeguarding against cold boot attacks and physical threats to the memory subsystem
Secure Boot Process: Ensures only authenticated and verified code executes within the trusted environment
Full Disk Encryption (FDE) Process: Prevents unauthorized access to disk data, particularly in scenarios involving device theft, loss, or physical compromise
This robust isolated execution environment ensures that all traffic analysis operations maintain the highest standards of security and data protection while delivering uncompromised functionality and performance. The hardware-backed security guarantees provide protection for traffic management systems.