Deploy a custom Anjuna Confidential Pod
To deploy your custom application as an Anjuna Confidential Pod, create a Kubernetes Pod specification:
Note that the cluster must have access to your container image as well.
Create an image pull secret
If the container image (${CONTAINER_IMAGE}) built on the previous page was pushed to a private registry, you must create an image pull secret so that Kubernetes can pull it when deploying your Anjuna Confidential Pod.
For example, to create an image pull secret for the Azure Container Registry provisioned by Terraform, run:
$ export ACR_TOKEN_NAME="acr-token-${RANDOM}"
$ export ACR_TOKEN=$(az acr token create -n ${ACR_TOKEN_NAME} \
-r ${AZURE_REGISTRY_NAME} \
--repository env content/read \
| jq -r '.credentials.passwords[] | select(.name == "password1") | .value')
$ kubectl create secret docker-registry anjuna-kubernetes-env \
--docker-server ${AZURE_REGISTRY_NAME}.azurecr.io \
--docker-username ${ACR_TOKEN_NAME} \
--docker-password ${ACR_TOKEN}
Once the secret is created, reference it in the imagePullSecrets field of your Pod specification.
$ cat <<EOF > env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: env
  labels:
    app: env
  annotations:
    # reference the Anjuna Confidential Pod image ID
    io.anjuna.sev.image: "${AZURE_IMAGE_ID}"
spec:
  # use the Anjuna Custom Container Runtime
  # to run this Pod as a Confidential VM
  runtimeClassName: anjuna-remote
  imagePullSecrets:
    - name: anjuna-kubernetes-env
  containers:
    - name: env
      image: "${CONTAINER_IMAGE}:latest"
      imagePullPolicy: Always
      env:
        - name: LOG_LEVEL
          value: "debug"
        - name: DB_USERNAME
          value: "root"
        - name: DB_PASSWORD
          # the heredoc delimiter is unquoted so that the variables above expand;
          # escape the dollar signs so "$$" is not expanded to the shell PID
          value: "p4\$\$w0rd"
EOF
This Anjuna Confidential Pod specification sets three environment variables in the env block of the container:
- LOG_LEVEL=debug
- DB_USERNAME=root
- DB_PASSWORD=p4$$w0rd
Only LOG_LEVEL will be applied to the Anjuna Confidential Pod, because it is the only one explicitly allowed by the enclave configuration file. The Pod specification is untrusted input: the other environment variables it defines (DB_USERNAME and DB_PASSWORD) will be ignored.
Refer to Untrusted configuration to learn more about how to set environment variables, and how to allow environment variables and volume mounts from the Pod specification. Refer to the Troubleshooting section to see the log message that notifies you when these environment variables have been ignored.
Instead of passing secrets such as DB_PASSWORD through the Pod specification, you can configure your Anjuna Confidential Pod to fetch them from an Anjuna Policy Manager (APM) instance. Secrets are released to your application only after its measurements have been verified by the APM through a remote attestation process. Refer to the Anjuna Policy Manager documentation to see how to configure an APM integration for your Anjuna Confidential Pod.
Start the application Pod
To start the Anjuna Confidential Pod, run the following command:
$ kubectl apply -f env.yaml
This will apply the Pod spec to the cluster, which will in turn launch a new Anjuna Confidential Pod for the custom application.
Use the following command to check the status of your Pod:
$ kubectl get pod env
When the Pod status is Running, run the following command to see the logs of the application:
$ kubectl logs env
You should see an output similar to the following:
LOG_LEVEL=debug
PWD=/
HOME=/root
DB_USERNAME=user
TERM=xterm
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
Note that:
- LOG_LEVEL is set to "debug", as defined in the Pod specification (and allowed by the enclave configuration file).
- DB_USERNAME is set to user, which is the value defined in the enclave configuration file. The value set in the Pod specification (root) was ignored because DB_USERNAME was not explicitly allowed by the enclave's untrustedConfig configuration.
- DB_PASSWORD is not set, as it is only defined in the Pod specification, but not explicitly allowed by the enclave's untrustedConfig configuration.
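The check a practitioner wants after this step is a mechanical one: confirm that every variable the untrusted Pod specification asked for was either applied (because the enclave allow-list permits it), overridden by the value baked into the enclave configuration, or dropped, and fail loudly if a non-allowed variable made it into the enclave. The script below is an added example, not code from the Anjuna documentation or product. It embeds constructed copies of the env block requested in env.yaml and of the `kubectl logs env` output shown above, classifies each requested variable, and verifies that nothing outside the allow-list (here only LOG_LEVEL) was applied. The function names and the allow-list argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit which Pod-spec environment variables reached the enclave.
# Not part of the Anjuna docs; uses only POSIX sh and awk.

# Constructed sample: the env entries requested in env.yaml (NAME=VALUE per line).
requested_env() {
  cat <<'EOF'
LOG_LEVEL=debug
DB_USERNAME=root
DB_PASSWORD=p4$$w0rd
EOF
}

# Constructed sample: the environment printed by `kubectl logs env` on this page.
observed_env() {
  cat <<'EOF'
LOG_LEVEL=debug
PWD=/
HOME=/root
DB_USERNAME=user
TERM=xterm
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
EOF
}

# classify_var NAME EXPECTED OBSERVED_TEXT
# Prints: applied (same value), overridden (different value), dropped (absent).
classify_var() {
  name=$1; expected=$2; observed=$3
  # first observed line whose key (text before the first '=') equals NAME
  match_line=$(printf '%s\n' "$observed" | awk -F= -v n="$name" '$1 == n { print; exit }')
  if [ -z "$match_line" ]; then
    echo dropped
  elif [ "${match_line#*=}" = "$expected" ]; then
    echo applied
  else
    echo overridden
  fi
}

# audit_env REQUESTED_TEXT OBSERVED_TEXT
# Prints "NAME status" for every requested variable.
audit_env() {
  requested=$1; observed=$2
  printf '%s\n' "$requested" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    name=${entry%%=*}
    expected=${entry#*=}
    printf '%s %s\n' "$name" "$(classify_var "$name" "$expected" "$observed")"
  done
}

# verify_untrusted_ignored REQUESTED_TEXT OBSERVED_TEXT "ALLOWED NAMES"
# Returns 0 when every requested variable NOT in the space-separated allow-list
# was overridden or dropped, i.e. the Pod spec could not inject it; 1 otherwise.
verify_untrusted_ignored() {
  requested=$1; observed=$2; allowed=$3
  rc=0
  # heredoc (not a pipe) keeps the loop in the current shell so rc survives
  while read -r name status; do
    [ -n "$name" ] || continue
    case " $allowed " in
      *" $name "*) ;;   # explicitly allowed: applied is the expected outcome
      *)
        if [ "$status" = applied ]; then
          echo "LEAK: $name was applied although it is not in the allow-list" >&2
          rc=1
        fi ;;
    esac
  done <<EOF
$(audit_env "$requested" "$observed")
EOF
  return $rc
}

# Stand-alone run: print the audit, then enforce the allow-list from this page.
audit_env "$(requested_env)" "$(observed_env)"
verify_untrusted_ignored "$(requested_env)" "$(observed_env)" "LOG_LEVEL" \
  && echo "OK: only allow-listed variables were applied"
```

Against a live cluster, replace `observed_env` with `kubectl logs env` and `requested_env` with the env entries of the running spec, for example `kubectl get pod env -o jsonpath='{range .spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}'`; the allow-list argument should mirror the names permitted in the enclave's untrustedConfig so that an unexpected "applied" result is treated as a configuration error rather than a success.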