Volumes
In this section, you will learn how to leverage Kubernetes volumes in order to mount files and directories inside a Confidential Pod.
| Using persistent storage in the context of Confidential Pods might present a security risk to the application, as the Anjuna Nitro Runtime creates shared storage between the AWS Nitro Enclave and the untrusted parent instance. Refer to the Persistent storage security section before proceeding. |
As mentioned on a previous page, there are two ways to create the Enclave Image File (EIF) in order to run it in the Confidential Pod: build on the fly, or build in advance. While it is recommended to build the EIF in advance, for ease of explanation, some of the examples on this page use the option of building the EIF on the fly.
Mounting a ConfigMap
A common use case for Kubernetes volumes is mounting configuration files inside of Pods.
In the example below,
the Anjuna Kubernetes Toolset for AWS EKS will automatically create an Enclave Image File from the Pod spec.
This includes correctly mapping the specified volumeMounts to the enclave
so that the application running inside the Confidential Pod can access the ConfigMap contents.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config-map-name
data:
data.txt: "Welcome to Anjuna!"
---
apiVersion: v1
kind: Pod
metadata:
name: nitro-busybox-pod
labels:
nitro.k8s.anjuna.io/managed: "yes"
spec:
containers:
- name: nitro-busybox-pod
command:
- "sh"
- "-ec"
- |
cat /tmp/data/data.txt && echo
sleep infinity
image: busybox
resources:
limits:
memory: "2048Mi"
cpu: "2"
volumeMounts:
- name: config-volume
mountPath: /tmp/data
volumes:
- name: config-volume
configMap:
name: config-map-nameAfter its startup,
the enclave will display the contents of /tmp/data/data.txt and sleep indefinitely.
You can create this Pod by saving the Pod spec above to example-configmap.yaml and then running:
$ kubectl create -f example-configmap.yamlCheck the Pod logs to confirm that the enclave can access the mounted file:
$ kubectl logs nitro-busybox-pod -fThe output will include many logs,
including the steps the Anjuna Kubernetes Toolset for AWS EKS takes to create an Enclave Image File from your Pod spec.
Then, the application (as specified in the command field) will run.
You should see the following toward the end of the output:
ANJ-ENCLAVE: Service anjunafs started with original pid=465
ANJ-ENCLAVE: Mounting volume with mountPath '/tmp/data'
ANJ-ENCLAVE: Mounting volume with mountPath '/var/run/secrets/kubernetes.io/serviceaccount'
ANJ-ENCLAVE: Launched "/bin/sh" with pid=470
Welcome to Anjuna!Using PersistentVolume and PersistentVolumeClaim
Another common use case for volumes is providing persistent storage to Pods,
which have ephemeral filesystems.
Applications running inside enclaves can benefit from the persistent volumes in Kubernetes.
In the example below,
you will mount /tmp/data,
backed by a 1Gi Persistent Volume that is dynamically provisioned by the Storage Class gp2
(the default for EKS).
Note that manually provisioned volumes should work in the same way.
The application will write a file to the persisted directory
(see the command field of the Pod spec).
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data-pvc
spec:
storageClassName: gp2
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
name: nitro-busybox-pod
labels:
nitro.k8s.anjuna.io/managed: "yes"
spec:
containers:
- name: nitro-busybox-pod
command:
- "sh"
- "-ec"
- |
echo "I am a persisted file" | tee /tmp/data/file.txt
sleep infinity
image: busybox
resources:
limits:
memory: "2048Mi"
cpu: "2"
volumeMounts:
- name: data
mountPath: /tmp/data
volumes:
- name: data
persistentVolumeClaim:
claimName: data-pvcTo create this example, save the manifests above to example-pvc.yaml and run:
kubectl create -f example-pvc.yamlUsing volumes with pre-built EIFs
In the examples above, the Anjuna Kubernetes Toolset for AWS EKS automatically created an EIF from your Pod spec. This will generate enclave configuration files dynamically, which will map the volume mounts inside the enclave.
To use Kubernetes Volumes with pre-built EIFs,
you must explicitly configure basic volume mounts in your enclave configuration file.
For more information about the basic volume mounts,
read about Persistent storage and
Basic mounts.
Volume names starting with the anjuna-system- prefix are reserved for internal use
and will not be mounted inside the enclave.
Avoid using this prefix for custom volumes to prevent unexpected behavior.
|
As an example,
you could create or extend your existing enclave configuration file with a new basic mount for
the data volume,
as shown below.
Note that the name of the mount must match the volume name in the Pod spec,
and the mountPath of the mount must match the mountPath in the Pod spec:
version: 1.8
# ... other fields of your enclave config file ...
mounts:
- type: basic
name: data # must match the volume name in the Pod spec
mountPath: /tmp/data # must match the mountPath in the Pod specAfter building and pushing your new EIF, you can transform the previous Pod spec with a
PersistentVolumeClaim to use a pre-built EIF saved to s3://<bucket>/busybox.eif by adding
the nitro.k8s.anjuna.io/imageLocation annotation:
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data-pvc
spec:
storageClassName: gp2
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
name: nitro-busybox-pod
labels:
nitro.k8s.anjuna.io/managed: "yes"
annotations:
nitro.k8s.anjuna.io/imageLocation: "s3://<bucket>/busybox.eif"
spec:
containers:
- name: nitro-busybox-pod
image: busybox
resources:
limits:
memory: "2048Mi"
cpu: "2"
volumeMounts:
- name: data
mountPath: /tmp/data
volumes:
- name: data
persistentVolumeClaim:
claimName: data-pvc