Anjuna Nitro Kubernetes Toolset overview

AWS EKS, by itself, cannot leverage the AWS Nitro technology. AWS EKS customers that wish to protect their sensitive applications and data using AWS Nitro Enclaves must rewrite their applications and Docker images.

With the Anjuna Nitro Kubernetes Toolset, AWS EKS customers can seamlessly deploy their existing applications, unchanged, inside AWS Nitro Enclaves using AWS EKS.

Kubernetes and the Anjuna Nitro Kubernetes Toolset

In Kubernetes, the Pod is the logical unit of deployment. When you deploy a Pod, it is scheduled on a Node (where other Pods may be running).

When using the Anjuna Nitro Kubernetes Toolset, a Pod can be deployed as an AWS Nitro Enclave. Since AWS Nitro Enclaves cannot communicate directly with the kubelet and other Kubernetes components, Anjuna provides a Launcher that handles the differences. The Anjuna Nitro Kubernetes Toolset consists of the Anjuna Nitro Launcher and other components described below.

Components

Anjuna Nitro Launcher

The Anjuna Nitro Launcher is a Pod that creates a new AWS Nitro Enclave and connects it to the Kubernetes cluster using the Anjuna Nitro Runtime. These AWS Nitro Enclaves can benefit from standard Kubernetes features like self-healing, autoscaling, and logging.

The Anjuna Nitro Launcher can launch AWS Nitro Enclaves based on pre-built EIFs. It can also build a new EIF at runtime based on a Docker image and immediately run the resulting EIF.

Anjuna recommends pre-building EIFs for better security and performance. This ensures that signing keys will not be exposed in an EKS cluster. Launching a new Pod is also faster, because it will not require additional time to build the EIF before starting the application.

Anjuna Nitro Webhook

Manually updating Pod specifications to use the Anjuna Nitro Launcher can be tedious and error-prone. This process is automated using the Anjuna Nitro Webhook.

The Anjuna Nitro Webhook is a MutatingAdmissionWebhook. It automatically intercepts Pod creation requests and rewrites them to create an Anjuna Nitro Launcher Pod that will run the original container inside an AWS Nitro Enclave.

The Webhook only modifies Pods that are labeled nitro.k8s.anjuna.io/managed: "yes".

Workload objects like Deployments create Pods based on the template field, so they work with Anjuna too. To configure the Pods that are created by the workload objects, you can update the spec.template.metadata.labels to ensure that the resulting Pods are labeled correctly.

Anjuna Device Manager

By default, Pods in EKS cannot interact with AWS Nitro Enclaves. The Anjuna Device Manager enables Pods to interact with AWS Nitro Enclaves through the /dev/nitro_enclaves Linux device.

Accessing this device from a Pod requires the Pod to be privileged. Anjuna uses the standard Kubernetes pattern of deploying a privileged DaemonSet to manage devices without requiring that all Pods are privileged.

The Anjuna Device Manager is a DaemonSet that deploys one Anjuna Device Manager Pod for each Node that is labeled anjuna-nitro-device-manager: enabled. This enables all Anjuna Launcher Pods running on those Nodes to access the AWS Nitro Enclave devices and ensures that Anjuna Launcher Pods do not need to be privileged.

Kubernetes Secret for the Anjuna license

The Anjuna Nitro Runtime requires a license file. When used with the Anjuna Nitro Kubernetes Toolset, this license file should be present as a Kubernetes Secret named anjuna-license.

The Anjuna Nitro Webhook will mount the Anjuna license file to the Pod automatically.