Preparing EKS Nodes

In this section you will configure your K8s Nodes and install AWS Nitro dependencies.

Add a label to each of your AWS Nitro-based Nodes so that the Anjuna Device Manager can access the Node's Nitro devices and map them to the Pods scheduled on that Node:

$ kubectl label nodes [AWS Nitro-based Node name] \
      "anjuna-nitro-device-manager=enabled"

Configure each AWS Nitro-based K8s Node and install the AWS Nitro dependencies by executing the following Bash script on the Node, as a regular user with sudo access (the script adds that user to the required groups).
By default the script reserves two vCPUs and 4GB of RAM for AWS Nitro Enclaves.

To change these settings (for example, to reserve eight vCPUs for your AWS Nitro Enclaves), change the NITRO_RESERVED_CPU and NITRO_RESERVED_MEM_MB values on lines 3 and 4 of the script:

#!/bin/bash

export NITRO_RESERVED_CPU=2
export NITRO_RESERVED_MEM_MB=4096   # 4GB; an odd value is rounded up to whole 2MB hugepages below

# To build EIFs on-the-fly on EKS v1.24 and later, you must ensure that the
# Docker service is installed and running:
INSTALL_DOCKER=true

# Create a group for accessing the AWS Nitro Enclaves hardware and set a static GID to it
sudo groupadd --gid 75 --system ne

# Install dependencies
sudo amazon-linux-extras install -y aws-nitro-enclaves-cli
sudo yum install -y aws-nitro-enclaves-cli-devel jq openssl11-libs

# Add the current user to the Nitro Enclaves group, and to the Docker group if Docker is
# already installed (the docker group only exists once the docker package is present)
sudo usermod -aG ne "${USER}"
if getent group docker >/dev/null; then
    sudo usermod -aG docker "${USER}"
fi

# Automatically load the device drivers needed for communicating with the AWS Nitro Enclaves hardware
echo 'KERNEL=="vsock", MODE="660", GROUP="ne"' | sudo tee /usr/lib/udev/rules.d/99-vsock.rules
echo 'KERNEL=="nitro_enclaves", MODE="660", GROUP="ne"' | sudo tee /usr/lib/udev/rules.d/99-nitro_enclaves.rules
sudo udevadm control --reload-rules
sudo udevadm trigger

# Configure the Nitro Allocator Service
cat <<EOF | sudo install -D --mode 0644 /dev/stdin /etc/nitro_enclaves/allocator.yaml
---
cpu_count: ${NITRO_RESERVED_CPU}
# keep memory_mib under 1GB to force usage of 2MB hugepage
memory_mib: 512
EOF

# Start the Nitro Allocator Service
sudo systemctl daemon-reload
sudo systemctl enable nitro-enclaves-allocator.service
sudo systemctl start nitro-enclaves-allocator.service

# Number of 2MB hugepages needed for the reserved memory; an odd number of MB is rounded up
RES_PAGES=$(( (NITRO_RESERVED_MEM_MB + 1) / 2 ))

# Set the number of hugepages to reflect the reserved memory for AWS Nitro Enclaves
sudo sysctl -w vm.nr_hugepages=${RES_PAGES}
# Automatically set the number of hugepages
echo vm.nr_hugepages = ${RES_PAGES} | sudo tee /etc/sysctl.d/99-anjuna.conf

if [[ "$INSTALL_DOCKER" == "true" ]]; then
    sudo amazon-linux-extras install -y docker
    sudo systemctl daemon-reload
    sudo systemctl enable docker.service
    sudo systemctl start docker.service
    # The docker group is created by the package, so the user can only be added to it now
    sudo usermod -aG docker "${USER}"
fi

After executing the script above, reboot your K8s Nodes for the settings (group membership, device permissions and the hugepage reservation) to take effect.
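A Node that silently came back from the reboot in the wrong state (udev rules not applied, hugepage count reset, allocator service disabled) is the usual reason enclave Pods later fail to start, so it is worth checking the result before moving on. The script below is an added example, not part of Anjuna's documentation or tooling: it re-derives the expected values from the same NITRO_RESERVED_CPU and NITRO_RESERVED_MEM_MB settings (defaulting to the preparation script's 2 vCPUs and 4096 MB) and compares them against the device nodes, the ne group, vm.nr_hugepages, the allocator configuration and service, Docker, and the Node label. The file and device paths are the ones the preparation script writes; the script name and its "verify" argument are assumptions of this example.

```shell
#!/bin/bash
# Added example (not Anjuna's own tooling): verify a Node prepared with the script above.
# Run on the Node after the reboot, as the user that ran the preparation script:
#   NITRO_RESERVED_CPU=2 NITRO_RESERVED_MEM_MB=4096 ./verify-nitro-node.sh verify
set -u

NITRO_RESERVED_CPU="${NITRO_RESERVED_CPU:-2}"
NITRO_RESERVED_MEM_MB="${NITRO_RESERVED_MEM_MB:-4096}"
ALLOCATOR_YAML="${ALLOCATOR_YAML:-/etc/nitro_enclaves/allocator.yaml}"

# Number of 2MB hugepages a reservation of N MB needs; an odd N rounds up, which is the
# same result the preparation script reaches.
hugepages_for_mb() {
    echo $(( ($1 + 1) / 2 ))
}

# GID of a group as the system sees it (empty if the group does not exist).
group_gid() {
    getent group "$1" | cut -d: -f3
}

# cpu_count from an allocator.yaml; takes the path so any copy can be inspected.
allocator_cpu_count() {
    sed -n 's/^cpu_count:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Owning group and permission bits of a device node (or any file). Prints ok/FAIL and
# returns non-zero on mismatch or if the node is missing, so callers can count failures.
check_device() {
    local dev="$1" want_group="$2" want_mode="$3" got
    got=$(stat -c '%G %a' "$dev" 2>/dev/null) || { echo "FAIL $dev does not exist"; return 1; }
    if [ "$got" = "$want_group $want_mode" ]; then
        echo "ok   $dev ($got)"
    else
        echo "FAIL $dev is '$got', want '$want_group $want_mode'"
        return 1
    fi
}

verify_node() {
    local failures=0 want got

    # Static GID 75 for the ne group, as created by groupadd in the preparation script.
    got=$(group_gid ne)
    if [ "$got" = "75" ]; then echo "ok   group ne has gid 75"
    else echo "FAIL group ne gid is '$got', want 75"; failures=$((failures + 1)); fi

    # Both udev rules must have applied: mode 660, group ne.
    check_device /dev/nitro_enclaves ne 660 || failures=$((failures + 1))
    check_device /dev/vsock ne 660 || failures=$((failures + 1))

    # The sysctl.d entry must have survived the reboot with the count the reservation needs.
    want=$(hugepages_for_mb "$NITRO_RESERVED_MEM_MB")
    got=$(sysctl -n vm.nr_hugepages)
    if [ "$got" = "$want" ]; then echo "ok   vm.nr_hugepages=$got"
    else echo "FAIL vm.nr_hugepages=$got, want $want"; failures=$((failures + 1)); fi

    # Allocator configuration and service state.
    got=$(allocator_cpu_count "$ALLOCATOR_YAML")
    if [ "$got" = "$NITRO_RESERVED_CPU" ]; then echo "ok   allocator cpu_count=$got"
    else echo "FAIL allocator cpu_count is '$got', want $NITRO_RESERVED_CPU"; failures=$((failures + 1)); fi
    if systemctl is-enabled --quiet nitro-enclaves-allocator.service \
       && systemctl is-active --quiet nitro-enclaves-allocator.service; then
        echo "ok   nitro-enclaves-allocator.service enabled and active"
    else
        echo "FAIL nitro-enclaves-allocator.service not enabled/active"; failures=$((failures + 1))
    fi

    # Docker is only needed for building EIFs on the Node, so its absence is a warning.
    if systemctl is-active --quiet docker.service; then echo "ok   docker.service active"
    else echo "warn docker.service not active (needed only to build EIFs on this Node)"; fi

    # The Node label, when kubectl is available here: the Node should be listed.
    if command -v kubectl >/dev/null; then
        kubectl get nodes -l anjuna-nitro-device-manager=enabled -o name
    fi

    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

if [ "${1:-}" = "verify" ]; then
    verify_node
fi
```

The script exits non-zero when any check fails, so it can be used as a readiness gate in the automation that rolls new Nodes into the cluster. Group membership of the user who ran the preparation script is deliberately not checked here because usermod -aG only takes effect for new logins; after the reboot, `id -nG` on that user should list ne (and docker, if installed).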