Attestation with Anjuna Policy Manager

The Anjuna Policy Manager (APM) can be used as a solution for accessing secrets from within Anjuna Confidential Pods on AKS. This is accomplished by enabling APM attestation in the enclave configuration file that is defined when creating the disk image. The process is similar to the one used when deploying an Anjuna Confidential Container with the Anjuna SEV Runtime.

IP addresses for Anjuna Confidential Pods

In some AKS deployment scenarios, a Pod performs attestation with an APM server using a public IP address. In this scenario, the source IP address of the Pod will be the public IP of the Confidential VM (CVM) it is running on.

Currently, CVMs used by the Anjuna Custom Container Runtime are not assigned fixed IP addresses; Azure allocates their IP addresses dynamically. This may be a challenge if you are using source address-based firewall rules to limit access to the APM server, since the Pod's source address cannot be known in advance.

Those rules may need to be relaxed to allow all addresses in an Azure address pool, or to permit global public access. This is a simple solution for less critical development or proof-of-concept deployments.

Alternatively, secure private network tunnels can be used. In these cases, or in cases where the AKS cluster and the APM server are both deployed on Azure, local IP routing can be used instead, and public access to the APM server should then be further restricted to authorized clients only. Additionally, local hostname-based resolution can be used for private IP routing, and the same hostname can be used in the APM TLS certificate.

Learn more about the Anjuna Policy Manager

Additional information specific to attestation with Azure Confidential VMs can be found in the Attestation with the Anjuna Policy Manager documentation.

General information on deployment and use of the APM can also be found in the Anjuna Policy Manager documentation.