Deploy Nginx as an Anjuna Confidential Pod
To deploy Nginx as an Anjuna Confidential Pod, create a Kubernetes Deployment specification:
Note that the cluster must have access to your container image as well.
In the example below, since
$ cat <<EOF > nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
        # use the Anjuna Custom Container Runtime
        # to run this Pod as a Confidential Pod
        io.anjuna/run-confidential: "yes"
      annotations:
        # reference the Anjuna Confidential Pod image ID
        io.anjuna.sev.image: "${AZURE_IMAGE_ID}"
    spec:
      containers:
      - name: nginx
        image: docker.io/library/nginx:latest
        ports:
        - containerPort: 80
        imagePullPolicy: Always
EOF
To leverage the confidentiality of AMD SEV-SNP through Anjuna’s Kubernetes offering, the following are required:
- Specify the io.anjuna/run-confidential: "yes" label in the Pod deployment metadata labels (line 18 above).
- Point to the measured Anjuna Confidential Pod image that was built earlier, through the io.anjuna.sev.image annotation.
The io.anjuna/run-confidential: "yes" label achieves the following:
- Tells Kubernetes to use the Anjuna Kubernetes Toolset to launch the Pod as a Confidential Pod in Azure with AMD SEV-SNP
- Tells the webhook to mutate the Nginx specification to ensure consistent resource allocation in the Node
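Both settings are easy to lose silently: a Deployment without the io.anjuna/run-confidential label is scheduled as an ordinary Pod with no error, and because the heredoc above expands ${AZURE_IMAGE_ID}, an unset variable renders an empty io.anjuna.sev.image annotation. The following script is an added example, not part of the Anjuna documentation or toolset; it checks a manifest in the shape shown above for both settings before you apply it. The sample manifests are constructed and trimmed to the metadata the check looks at, the image ID in the good one is a placeholder, and the check assumes the label and annotation each sit on their own line as in the example manifest.

```shell
#!/bin/sh
# Added example (not from the Anjuna docs): pre-apply sanity check for the two
# settings that make a Deployment run as an Anjuna Confidential Pod.

# check_confidential_manifest FILE
# Returns 0 when FILE carries the io.anjuna/run-confidential: "yes" label and a
# non-empty, expanded io.anjuna.sev.image annotation; otherwise reports what is
# missing on stderr and returns 1.
check_confidential_manifest() {
  file="$1"
  rc=0
  # Line-oriented match for the label, tolerating optional quotes around yes.
  if ! grep -Eq '^[[:space:]]*io\.anjuna/run-confidential:[[:space:]]*"?yes"?[[:space:]]*$' "$file"; then
    echo "$file: missing label io.anjuna/run-confidential: \"yes\"" >&2
    rc=1
  fi
  # Extract the annotation value with optional surrounding quotes stripped.
  image=$(sed -n 's/^[[:space:]]*io\.anjuna\.sev\.image:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$file" | head -n 1)
  # Empty means AZURE_IMAGE_ID was unset when the heredoc was rendered; the
  # literal ${AZURE_IMAGE_ID} means the heredoc delimiter was quoted.
  if [ -z "$image" ] || [ "$image" = '${AZURE_IMAGE_ID}' ]; then
    echo "$file: io.anjuna.sev.image annotation is empty or unexpanded" >&2
    rc=1
  fi
  return "$rc"
}

# Constructed sample manifests, trimmed to the metadata the check inspects.
# The good one uses a placeholder image ID; the bad one lost the label and was
# rendered with AZURE_IMAGE_ID unset, so its annotation is empty.
GOOD_MANIFEST=$(mktemp)
BAD_MANIFEST=$(mktemp)
cat <<'EOF' > "$GOOD_MANIFEST"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: nginx
        io.anjuna/run-confidential: "yes"
      annotations:
        io.anjuna.sev.image: "image-id-placeholder"
EOF
cat <<'EOF' > "$BAD_MANIFEST"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        io.anjuna.sev.image: ""
EOF

# Usage: run the check on nginx.yaml before `kubectl apply -f nginx.yaml`.
check_confidential_manifest "$GOOD_MANIFEST" && echo "good manifest: ok"
check_confidential_manifest "$BAD_MANIFEST" || echo "bad manifest: rejected"
```

Run it as `check_confidential_manifest nginx.yaml && kubectl apply -f nginx.yaml` so a manifest that would come up as a plain, unmeasured Pod is never applied. The check is deliberately line-based rather than a YAML parser so it needs nothing beyond POSIX grep and sed on the workstation where the manifest is rendered.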
Start the Nginx Pod
To start the Anjuna Confidential Pod, run the following command:
$ kubectl apply -f nginx.yaml
This will apply the Deployment spec to the cluster, launching a new Anjuna Confidential Pod that runs the Nginx application.
Use the following command to check the status of the Nginx Pod:
$ kubectl get pod -l app=nginx
When the Pod status is Running, run the following commands to confirm Nginx was started successfully. These commands will create a temporary curl Pod and send a request to the Nginx Pod IP.
$ NGINX_IP=$(kubectl get $(kubectl get pods -l app=nginx -oname) --template '{{.status.podIP}}')
$ kubectl run -it --rm --restart=Never --image curlimages/curl curl -- -s ${NGINX_IP}:80
You should see an HTML result similar to the following:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Nginx is running as an Anjuna Confidential Pod, and it benefits from the same security guarantees as Anjuna Confidential Containers: data is protected in-use, from outside threats and untrusted parties.
Furthermore, you can integrate this Anjuna Confidential Pod with the Anjuna Policy Manager (APM) to automatically and securely distribute secrets to your unmodified application.
You can configure your Anjuna Confidential Pod to fetch secrets from an APM instance. Secrets will be provided to your application only after its measurements are verified by the APM through a remote attestation process. Refer to the Anjuna Policy Manager documentation to see how to configure an APM integration for your Anjuna Confidential Pod. After you create an enclave configuration file that specifies an APM connection,
you need to provide it to the