Anjuna Nitro Kubernetes toolset overview

AWS EKS has no built-in support for running Pods inside AWS Nitro Enclaves. Without additional tooling, EKS customers who want to protect sensitive applications and data with Nitro Enclaves must rewrite their applications and rebuild their Docker images for the enclave.

With the Anjuna Nitro K8s Toolset, AWS EKS customers can seamlessly deploy their existing applications, unchanged, inside AWS Nitro Enclaves using AWS EKS.

Anjuna Nitro K8s Toolset

The Anjuna Nitro K8s Toolset runs K8s Pods inside AWS Nitro Enclaves on AWS EKS clusters. It consists of the three components described below.

Do not delete any of the Anjuna Nitro Toolset Pods

Anjuna Nitro Webhook

The Anjuna Nitro Webhook is an admission webhook registered through a MutatingWebhookConfiguration. It intercepts Pod creation requests and, when the Pod spec carries the required annotation, rewrites the Pod so that it is deployed inside an AWS Nitro Enclave; Pods without the annotation are left unchanged.

Anjuna Nitro Launcher

The Anjuna Nitro Launcher runs the workload inside an AWS Nitro Enclave, either from a pre-built Enclave Image File (EIF) or from an EIF it builds on the fly from the Pod's Docker image.

Anjuna recommends pre-building EIFs, for two reasons: security (your signing key never leaves your trusted environment) and speed (no EIF has to be built when Pods are deployed). A pre-built EIF also has a fixed measurement, so the value an attestation policy must expect is known before the Pod is deployed rather than depending on a build that happens on the Node.

Anjuna Device Manager

Interacting with AWS Nitro Enclaves requires access to Linux device nodes (/dev/vsock and /dev/nitro_enclaves) that EKS Pods do not see by default.

Reaching those devices from an EKS Pod normally requires the Pod to run as privileged.

The Anjuna Launcher Pods need those devices to interact with AWS Nitro Enclaves, but running every Launcher Pod as privileged would give each workload's Pod far more than device access. Anjuna instead follows the common practice of deploying a single privileged device-manager Pod per Node.
The Anjuna Device Manager is a DaemonSet that runs one Anjuna Device Manager Pod on each EKS Node. It gives the Anjuna Launcher Pods on that Node access to the AWS Nitro Enclave devices and removes the requirement for the Launcher Pods themselves to be privileged.
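The webhook and device-manager mechanics described in the two sections above, as an added example that is not Anjuna's code: a minimal mutating admission handler that rewrites annotated Pods to run under a launcher container, requests enclave device access through a device-plugin resource instead of privileged mode, and the MutatingWebhookConfiguration that registers it. The annotation name, launcher image, device resource name, environment variable and sample request are assumptions for illustration, not Anjuna's identifiers.

```python
# Added example, not Anjuna's code: the admission-webhook and device-access
# mechanics described above, with hypothetical names throughout.
import base64
import copy
import json

# Assumptions for illustration; these are not Anjuna's identifiers.
ENCLAVE_ANNOTATION = "example.com/run-in-nitro-enclave"
LAUNCHER_IMAGE = "example.com/enclave-launcher:1.0"
DEVICE_RESOURCE = "example.com/nitro-enclave"  # advertised by a device-plugin DaemonSet


def mutate_container(container: dict) -> dict:
    """Hand the original image to a launcher container that runs it in an enclave;
    device access comes from the device-plugin resource, never from privileged mode."""
    c = copy.deepcopy(container)
    c.setdefault("env", []).append({"name": "APP_IMAGE", "value": c["image"]})
    c["image"] = LAUNCHER_IMAGE
    sc = c.setdefault("securityContext", {})
    sc["privileged"] = False
    sc["allowPrivilegeEscalation"] = False
    res = c.setdefault("resources", {})
    res.setdefault("limits", {})[DEVICE_RESOURCE] = "1"
    res.setdefault("requests", {})[DEVICE_RESOURCE] = "1"
    return c


def build_patch(pod: dict) -> list:
    """RFC 6902 JSON Patch replacing every container with its enclave form."""
    return [
        {"op": "replace", "path": f"/spec/containers/{i}", "value": mutate_container(c)}
        for i, c in enumerate(pod["spec"]["containers"])
    ]


def handle_admission_review(review: dict) -> dict:
    """Answer an AdmissionReview: patch annotated Pods, pass everything else through."""
    req = review["request"]
    resp = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": True}}
    pod = req.get("object") or {}
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if req.get("kind", {}).get("kind") != "Pod" or \
            annotations.get(ENCLAVE_ANNOTATION) != "true":
        return resp  # not an annotated Pod: admit unchanged
    patch = json.dumps(build_patch(pod)).encode()
    resp["response"]["patchType"] = "JSONPatch"
    resp["response"]["patch"] = base64.b64encode(patch).decode()
    return resp


def webhook_config(namespace: str, service: str, ca_bundle_b64: str) -> dict:
    """Register the handler for Pod CREATE requests. failurePolicy is Fail on purpose:
    with Ignore, an annotated Pod would be admitted outside the enclave whenever the
    webhook is unreachable."""
    return {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "MutatingWebhookConfiguration",
        "metadata": {"name": "enclave-webhook"},
        "webhooks": [{
            "name": "enclave.example.com",
            "admissionReviewVersions": ["v1"],
            "sideEffects": "None",
            "failurePolicy": "Fail",
            "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                       "operations": ["CREATE"], "resources": ["pods"]}],
            "clientConfig": {
                "service": {"namespace": namespace, "name": service, "path": "/mutate"},
                "caBundle": ca_bundle_b64,
            },
        }],
    }


def decoded_patch(resp: dict) -> list:
    """Decode the base64 JSON Patch from a webhook response (empty list if none)."""
    patch = resp["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


# Constructed sample request: a Pod that asks for an enclave and, wrongly, also
# asks to be privileged. The patch keeps the enclave and drops the privilege.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "0f1e2d3c", "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {
            "metadata": {"name": "app", "annotations": {ENCLAVE_ANNOTATION: "true"}},
            "spec": {"containers": [{
                "name": "app", "image": "registry.example.com/app:2.3",
                "env": [{"name": "MODE", "value": "prod"}],
                "securityContext": {"privileged": True},
            }]},
        },
    },
}
```

Two points worth checking in any deployment of this pattern: the `failurePolicy` of the registration must be `Fail`, otherwise an outage of the webhook lets annotated Pods through without the rewrite; and the mutated container must come out non-privileged, with device access granted only through the device-plugin resource, which is exactly what the device-manager DaemonSet exists to make possible.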