Kubernetes Pod specification
This section describes the changes you need to make to a Kubernetes Pod specification in order to instruct the Anjuna Nitro Kubernetes software to run the specified application in a Nitro Enclave.
Enabling Running in a Nitro Enclave
To indicate that a Pod should run in a Nitro Enclave, set the label nitro.k8s.anjuna.io/managed to "yes" in the Pod specification:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
      labels:
        name: nginx-pod
        nitro.k8s.anjuna.io/managed: "yes"
    <snip>...

Setting this label to "yes" instructs the Anjuna Nitro Webhook to intercept the creation of that Pod and automatically convert it into a Nitro Enclave.
Controlling the resources allocated to the Nitro Enclave
Use the standard Kubernetes Pod specification attributes to control the vCPUs and memory reserved for the enclave:

- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory

Note: spec.containers[].resources.limits.cpu MUST be an integer when used in the context of a Nitro Enclave (a regular Kubernetes Pod supports fractional vCPU values). The number of vCPU cores must be an even number due to hyperthreading.
This is an example Pod configuration that reserves 2GB of memory and 2 vCPUs for a Nitro Enclave (see lines 14-16):

     1  apiVersion: v1
     2  kind: Pod
     3  metadata:
     4    name: nginx-pod
     5    labels:
     6      name: nginx-pod
     7      nitro.k8s.anjuna.io/managed: "yes"
     8  spec:
     9    containers:
    10    - name: nginx-pod
    11      image: nginx:latest
    12      imagePullPolicy: Always
    13      resources:
    14        limits:
    15          memory: "2048Mi"
    16          cpu: "2"
    17      ports:
    18      - containerPort: 80
Passing parameters to the Anjuna Nitro Runtime
When a Pod is launched in a Nitro Enclave, the Anjuna Nitro Runtime is used to build, configure and run the Nitro Enclave.

The following environment variables are used to control how the Anjuna Nitro Runtime behaves:

- ANJ_ENCLAVE_DEBUG_MODE: Set this variable to "yes" to create a debug enclave. If this variable is not defined (or not set to "yes"), the Anjuna Nitro Kubernetes software starts the Nitro Enclave in production mode.
- ANJ_ENCLAVE_STREAM_CONSOLE: Set this variable to "yes" to stream the enclave console output into the Pod logs. This allows the startup of the Nitro Enclave to be monitored through Kubernetes (using the kubectl logs command).
Downloading an EIF instead of building it on the fly
The Anjuna Nitro Kubernetes tools can create the Enclave Image File (EIF) automatically from the Pod specification. However, you also have the option to pre-create an EIF and instruct the Anjuna Nitro Kubernetes software to download the EIF from an S3 bucket by using the nitro.k8s.anjuna.io/imageLocation annotation:

    apiVersion: v1
    kind: Pod
    metadata:
      name: secure-eif-pod
      labels:
        name: secure-eif-pod
        nitro.k8s.anjuna.io/managed: "yes"
      annotations:
        nitro.k8s.anjuna.io/imageLocation: "s3://your-eif-bucket/your-eif-file"
    <snip>...

When using this option, the container image in the Pod specification is ignored, although the Kubernetes Pod specification still requires a value. You can simply leave the container image from the original Pod specification in place.
Controlling the resources assigned to the Nitro Pod
You can control the resources assigned to the Nitro Parent (launcher) Pod by specifying the following annotations:

- nitro.k8s.anjuna.io/launcherCPU: The limit for the number of vCPUs for the Pod.
- nitro.k8s.anjuna.io/launcherMemory: The limit for the amount of memory for the Pod.

The values for these annotations use the same format as the limits properties (memory/cpu) of a Pod specification:

    <snip>
      annotations:
        <snip>...
        nitro.k8s.anjuna.io/launcherMemory: "4Gi"
        nitro.k8s.anjuna.io/launcherCPU: "750m"
    <snip>...
If you don’t specify these annotations, no resource limits are set on the launcher Pod. This is particularly useful when creating Enclave Image Files (EIF) automatically, which is a memory-intensive process. Once the EIF has been created, the resource requirements for the launcher Pod are minimal.
Example
The following Pod specification creates a Nitro Enclave for the Nginx web server.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
      labels:
        name: nginx-pod
        nitro.k8s.anjuna.io/managed: "yes"
    spec:
      containers:
      - name: nginx-pod
        image: nginx:latest
        imagePullPolicy: Always
        env:
        - name: ANJ_ENCLAVE_DEBUG_MODE
          value: "yes"
        - name: ANJ_ENCLAVE_STREAM_CONSOLE
          value: "yes"
        resources:
          limits:
            memory: "2048Mi"
            cpu: "2"
        ports:
        - containerPort: 80
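The rules above (the managed label, an integer and even vCPU limit, a memory quantity, an s3:// image location, and launcher annotations in Kubernetes quantity format) are easy to get wrong in a manifest and are only reported once the webhook rejects or the enclave fails to start. The following pre-admission check is an added example written for this page; it is not part of the Anjuna Nitro Kubernetes software and does not call any Anjuna API. It embeds the example Pod above as a constructed Python dict (a real pipeline would load the manifest with PyYAML's yaml.safe_load) and applies each rule the section states. The warning for ANJ_ENCLAVE_DEBUG_MODE reflects the section's note that an unset variable means production mode; the check names and helper functions are this example's own.

```python
import copy
import re

# Constructed sample: mirrors the page's final nginx example plus the launcher
# annotations from the previous section. Not produced by the Anjuna tooling.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "nginx-pod",
        "labels": {"name": "nginx-pod", "nitro.k8s.anjuna.io/managed": "yes"},
        "annotations": {
            "nitro.k8s.anjuna.io/launcherMemory": "4Gi",
            "nitro.k8s.anjuna.io/launcherCPU": "750m",
        },
    },
    "spec": {
        "containers": [{
            "name": "nginx-pod",
            "image": "nginx:latest",
            "env": [
                {"name": "ANJ_ENCLAVE_DEBUG_MODE", "value": "yes"},
                {"name": "ANJ_ENCLAVE_STREAM_CONSOLE", "value": "yes"},
            ],
            "resources": {"limits": {"memory": "2048Mi", "cpu": "2"}},
        }]
    },
}

MANAGED_LABEL = "nitro.k8s.anjuna.io/managed"
IMAGE_LOCATION = "nitro.k8s.anjuna.io/imageLocation"
LAUNCHER_CPU = "nitro.k8s.anjuna.io/launcherCPU"
LAUNCHER_MEMORY = "nitro.k8s.anjuna.io/launcherMemory"

# Kubernetes quantity suffixes: binary (Ki, Mi, ...), decimal (k, M, ...) and milli (m).
_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"": 1, "k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}
_QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T|m)?$")


def parse_quantity(value):
    """Parse a Kubernetes quantity ("750m", "4Gi", "2") into a float in base units.
    Returns None when the string is not a quantity this checker recognises."""
    match = _QUANTITY_RE.match(str(value).strip())
    if not match:
        return None
    number, suffix = float(match.group(1)), match.group(2) or ""
    if suffix == "m":
        return number / 1000.0
    if suffix in _BINARY:
        return number * _BINARY[suffix]
    return number * _DECIMAL[suffix]


def validate_enclave_pod(pod):
    """Apply this section's enclave rules to a Pod dict; returns (errors, warnings)."""
    errors, warnings = [], []
    meta = pod.get("metadata", {}) or {}
    labels = meta.get("labels", {}) or {}
    annotations = meta.get("annotations", {}) or {}

    # Without the label the webhook never intercepts the Pod: it runs unenclaved.
    if labels.get(MANAGED_LABEL) != "yes":
        errors.append(f'label {MANAGED_LABEL} must be "yes" for the webhook to intercept the Pod')

    containers = (pod.get("spec", {}) or {}).get("containers", []) or []
    if not containers:
        errors.append("spec.containers must contain at least one container")
    for c in containers:
        name = c.get("name", "<unnamed>")
        limits = (c.get("resources", {}) or {}).get("limits", {}) or {}
        cpu = limits.get("cpu")
        if cpu is None:
            errors.append(f"container {name}: resources.limits.cpu is required")
        elif not str(cpu).strip().isdigit():  # rejects "2.5" and "1500m"
            errors.append(f"container {name}: cpu limit {cpu!r} must be a whole number of vCPUs")
        elif int(str(cpu)) < 2 or int(str(cpu)) % 2:
            errors.append(f"container {name}: cpu limit {cpu} must be a positive even number (hyperthreading)")
        memory = limits.get("memory")
        if memory is None or parse_quantity(memory) is None:
            errors.append(f"container {name}: resources.limits.memory missing or not a quantity")
        for env in c.get("env", []) or []:
            if env.get("name") == "ANJ_ENCLAVE_DEBUG_MODE" and env.get("value") == "yes":
                warnings.append(f"container {name}: ANJ_ENCLAVE_DEBUG_MODE=yes creates a debug enclave; unset it for production")

    location = annotations.get(IMAGE_LOCATION)
    if location is not None and not str(location).startswith("s3://"):
        errors.append(f"{IMAGE_LOCATION} must be an s3:// URL, got {location!r}")
    for key in (LAUNCHER_CPU, LAUNCHER_MEMORY):
        if key in annotations and parse_quantity(annotations[key]) is None:
            errors.append(f"{key} value {annotations[key]!r} is not a valid Kubernetes quantity")
    return errors, warnings


def with_cpu_limit(pod, cpu):
    """Return a deep copy of pod with the first container's cpu limit replaced (for experiments)."""
    clone = copy.deepcopy(pod)
    clone["spec"]["containers"][0]["resources"]["limits"]["cpu"] = cpu
    return clone


if __name__ == "__main__":
    for label, pod in (("sample", SAMPLE_POD), ("fractional cpu", with_cpu_limit(SAMPLE_POD, "1500m"))):
        errs, warns = validate_enclave_pod(pod)
        print(f"{label}: errors={errs} warnings={warns}")
```

Run against the sample, the checker reports no errors and one warning (the debug-mode variable); swapping the cpu limit for "1500m" or "3" produces an error, which is exactly what the enclave would reject later. A checker like this fits naturally as a CI step or a validating admission policy in front of the Anjuna webhook, so misconfigured manifests are caught before they reach the cluster.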