Deploying a pod as a Nitro Enclave
The previous sections were all about setting up an AWS EKS cluster with the Anjuna Nitro Kubernetes tools installed in the cluster. You are now able to start a container in a Nitro Enclave without changing the container, and verify that it is in fact running in an enclave. In this section you will load a simple nginx container in an enclave.
Run the following command:
$ kubectl apply -f workspace/specs/nitro-nginx.yaml
Wait for the pod to start by running the command until the pod is running:
$ kubectl get pods
When the pod is running, run the following command to see what the pod did:
$ kubectl logs nitro-nginx-pod
Inspecting the logs, you will see that the pod nitro-nginx-pod is:
- downloading the nginx container,
- converting it into an EIF (enclave image file) using the Anjuna Nitro Runtime,
- configuring the networking settings using the Anjuna Nitro Runtime,
- starting the enclave in debug mode,
- showing the Nitro console output, which indicates that nginx should have started.
To confirm that nginx is in fact running, connect to the pod and issue a curl request to verify that nginx is responding:
$ kubectl exec -it nitro-nginx-pod -- /bin/bash
This command starts a bash interpreter on the nitro-nginx-pod. You should see a prompt like this:
bash-4.2#
Enter the following command to make a request to nginx (192.168.0.1 is the private address of the enclave):
# curl 192.168.0.1
which should display a welcome page from nginx.
To confirm that the nginx process is not running in this pod, run the following command:
# ps -ef | grep nginx
The output should show that no process named nginx is running (although there is a process that started the Nitro Enclave).
You can exit the bash session on the pod:
# exit
How does this work?
To understand how the Anjuna Nitro Kubernetes tools are told to create an enclave, you have to inspect the pod specification used for nginx. Open the file workspace/specs/nitro-nginx.yaml.
 1 apiVersion: v1
 2 kind: Pod
 3 metadata:
 4   name: nitro-nginx-pod
 5   labels:
 6     name: nitro-nginx-pod
 7     nitro.k8s.anjuna.io/managed: "yes"
 8   annotations:
 9     nitro.k8s.anjuna.io/launcherMemory: "2Gi"
10     nitro.k8s.anjuna.io/launcherCPU: "500m"
11 spec:
12   containers:
13   - name: nitro-nginx-pod
14     image: nginx:latest
15     imagePullPolicy: Always
16     env:
17     - name: ANJ_ENCLAVE_DEBUG_MODE
18       value: "yes"
19     - name: ANJ_ENCLAVE_STREAM_CONSOLE
20       value: "yes"
21     resources:
22       limits:
23         memory: "2048Mi"
24         cpu: "2"
25     ports:
26     - containerPort: 80
- Lines 1-6: Declare that a pod named nitro-nginx-pod will be created.
- Line 7: Declares that this pod should run in a Nitro Enclave, using the nitro.k8s.anjuna.io/managed label.
- Lines 8-10 (optional): Limit the resources of the launcher pod, the pod that launches the Nitro Enclave.
- Line 14: The pod should launch the container nginx:latest in the Nitro Enclave.
- Lines 16-20: The Anjuna Nitro Runtime tools should launch the enclave in DEBUG mode and display the Nitro console output in the pod logs.
- Lines 21-24: Declare the resources that should be allocated to the enclave (number of CPUs, RAM).
All volumes configured on the pod are automatically mounted into the enclave using a bind mount.
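The spec above enables debug mode and console streaming, which suits this walkthrough but not a production enclave (a Nitro Enclave started in debug mode attests with all-zero PCR values). As an added example, not part of Anjuna's tools, the following Python check flags those two settings, an image that is not pinned to a digest, and missing enclave resource limits; the label and environment variable names are the ones from nitro-nginx.yaml, and the input is that spec transcribed into a dict.

```python
# Added example (not Anjuna's tooling): audit a Pod manifest for the enclave
# settings this page explains. Names are taken from nitro-nginx.yaml.
MANAGED_LABEL = "nitro.k8s.anjuna.io/managed"
DEBUG_ENV = "ANJ_ENCLAVE_DEBUG_MODE"
CONSOLE_ENV = "ANJ_ENCLAVE_STREAM_CONSOLE"

# The tutorial's pod spec, transcribed to a dict so the check runs offline.
NGINX_POD = {
    "metadata": {
        "name": "nitro-nginx-pod",
        "labels": {"name": "nitro-nginx-pod", MANAGED_LABEL: "yes"},
        "annotations": {"nitro.k8s.anjuna.io/launcherMemory": "2Gi",
                        "nitro.k8s.anjuna.io/launcherCPU": "500m"},
    },
    "spec": {"containers": [{
        "name": "nitro-nginx-pod",
        "image": "nginx:latest",
        "env": [{"name": DEBUG_ENV, "value": "yes"},
                {"name": CONSOLE_ENV, "value": "yes"}],
        "resources": {"limits": {"memory": "2048Mi", "cpu": "2"}},
    }]},
}

def audit_pod(pod, production=True):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    labels = pod.get("metadata", {}).get("labels", {})
    if labels.get(MANAGED_LABEL) != "yes":
        findings.append("pod is not labelled to run in a Nitro Enclave")
    for c in pod.get("spec", {}).get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        env = {e.get("name"): e.get("value") for e in c.get("env", [])}
        # Debug mode and console streaming suit a tutorial, not production:
        # the console lands in pod logs and a debug-mode enclave does not
        # produce meaningful attestation measurements.
        if production and env.get(DEBUG_ENV) == "yes":
            findings.append(f"{name}: enclave starts in debug mode")
        if production and env.get(CONSOLE_ENV) == "yes":
            findings.append(f"{name}: enclave console is streamed to pod logs")
        # The EIF is built from the image at pod start; a mutable tag means
        # the enclave contents (and measurement) can change between runs.
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image} is not pinned to a digest")
        limits = c.get("resources", {}).get("limits", {})
        for key in ("memory", "cpu"):
            if key not in limits:
                findings.append(f"{name}: no {key} limit for the enclave")
    return findings
```

Run it with production=False to audit a tutorial manifest like this one; with the default it reports the debug and console settings as well.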