Anjuna Kubernetes Toolset for AMD SEV

Each version of the Anjuna Seaglass software is supported for one year after release.

Version 2.0. Release Date - February 19th, 2025

Access the installer here.

What’s new?

The 2.0 release of the Anjuna Kubernetes Toolset includes several major improvements, as well as some breaking changes.

  • Support for OpenShift on Google Cloud is now generally available.

  • This version includes the first preview for supporting Init and Sidecar containers with the Anjuna Kubernetes Toolset for AKS in Azure and OpenShift on Google Cloud. If you would like to test this new functionality, please contact support@anjuna.io.

    • The new format of the Confidential Pod configuration file supports and enforces additional specifications for containers in the same Confidential Pod. This is a breaking change, as described in the next item.

  • Breaking change: the format of the Confidential Pod configuration has changed. See Configuration Reference for more details.

    • Specifying the URI of the container to be used in the Confidential Pod has moved from the CLI parameters into the Confidential Pod configuration file.

    • The Confidential Pod configuration is now a mandatory parameter for the Anjuna K8s CLI: anjuna-k8s-cli build <cloud> --cpod-config <filepath>.

  • Breaking change: renamed various labels and annotations for consistency. You will need to update any uses of the old labels to use the new names.

    • The following table maps the changes.

      | Old label name | New label name |
      |---|---|
      | io.anjuna/run-confidential: yes | anjuna.io/run-confidential: yes |
      | io.anjuna.sev.image: <image> | cvm.anjuna.io/image: <image> |
      | io.anjuna.sev.machine_type: <machine_type> | cvm.anjuna.io/machine_type: <machine_type> |
      | io.anjuna.sev/vm | cvm.anjuna.io/sev |

  • Updated the names of some Anjuna Kubernetes Toolset Pods for consistency: anjuna-operator-install-daemon, anjuna-extended-resources-updater, and anjuna-webhook-controller-manager.

  • Confidential VMs launched by the Anjuna Kubernetes Toolset now have a new naming convention to prevent conflicts. See Identifying the CVM associated with a Pod for more information.
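
The renames in the version 2.0 table above can be checked and applied mechanically. The following Python script is an added example, not Anjuna code: it reports every old name still present in a manifest and rewrites it to the new name, using only the four mappings from that table. The sample manifest, its values, and where each key sits in it are constructed assumptions.

```python
import re

# Old -> new names, copied from the version 2.0 rename table on this page.
RENAMES = {
    "io.anjuna/run-confidential": "anjuna.io/run-confidential",
    "io.anjuna.sev.image": "cvm.anjuna.io/image",
    "io.anjuna.sev.machine_type": "cvm.anjuna.io/machine_type",
    "io.anjuna.sev/vm": "cvm.anjuna.io/sev",
}

# Match an old name only as a whole key: no name characters directly before or after it.
_OLD = re.compile(
    r"(?<![\w./-])(" + "|".join(re.escape(k) for k in RENAMES) + r")(?![\w./-])"
)

def find_old_names(text):
    """Return (line_number, old_name, new_name) for every old name still present."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _OLD.finditer(line):
            hits.append((number, match.group(1), RENAMES[match.group(1)]))
    return hits

def migrate(text):
    """Rewrite old names to new ones; values and all other text are left untouched."""
    return _OLD.sub(lambda m: RENAMES[m.group(1)], text)

# Constructed sample: key placement (label, annotation, limit) and values are assumptions.
SAMPLE = """\
metadata:
  name: nginx
  labels:
    io.anjuna/run-confidential: "yes"
  annotations:
    io.anjuna.sev.image: registry.example/nginx-cpod:1
    io.anjuna.sev.machine_type: example-size
spec:
  containers:
    - name: nginx
      resources:
        limits:
          io.anjuna.sev/vm: "1"
"""

if __name__ == "__main__":
    for number, old, new in find_old_names(SAMPLE):
        print(f"line {number}: {old} -> {new}")
    print(migrate(SAMPLE))
```

Running `find_old_names` over rendered manifests in CI and failing on a non-empty result catches names that were missed during the upgrade.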

Version 1.7. Release Date - December 23rd, 2024

Access the installer here.

What’s new?

  • The Anjuna Webhook now uses the label io.anjuna/run-confidential: "yes" to determine which Pods should be launched as Anjuna Confidential Pods. Previously, it used runtimeClassName: anjuna-remote.

    • As part of this change, the Anjuna Webhook now only intercepts Pods with the io.anjuna/run-confidential label. Previously, all Pods were intercepted.

  • The Anjuna Kubernetes Toolset for Microsoft Azure now automatically determines the best VM size based on Pod resource requests.

  • Some CLI commands will now print more logging information when they fail, to assist debugging.

  • This release contains continued improvements to the beta version for supporting OpenShift on Google Cloud.

Relevant bug fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10959 | Medium | Fixed a bug where Confidential VM instance deletions could time out, leading to errors like context deadline exceeded in the Node and Pod event logs. |

Relevant security fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-11156 | Medium | Fixed several potential vulnerabilities by upgrading dependencies, addressing CVE-2023-44487 and CVE-2024-45337. There was no known way to exploit these vulnerabilities in the Anjuna Runtime. |

Version 1.6. Release Date - November 20th, 2024

Access the installer here.

What’s new?

  • Renamed some resources to help users identify components and improved the packaging of the binaries.

  • Various Anjuna Kubernetes Toolset components now print the version of the Anjuna software to their logs.

  • This release contains continued improvements to the beta version for supporting OpenShift on Google Cloud.

Relevant security fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-11031 | Medium | Fixed several potential vulnerabilities by upgrading dependencies, addressing CVE-2023-44487, CVE-2024-21626, and CVE-2024-45310. There was no known way to exploit these vulnerabilities in the Anjuna Runtime. |

Version 1.5. Release Date - September 30th, 2024

Access the installer here.

What’s new?

  • This release contains improvements to the beta version for supporting OpenShift on Google Cloud.

Relevant bug fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10928 | High | In the sample Terraform scripts, the azurerm Terraform provider was upgraded to version v3.90. Older versions rely on now-deprecated APIs, notably Microsoft.TimeSeriesInsights, which would lead to errors when trying to perform resource provider registration. |
| ANJ-10913 | Medium | Fixed a bug where Kubernetes Toolset Pods could be evicted. The priorityClass of the Anjuna Kubernetes Toolset Pods has been increased to avoid eviction unless strictly necessary. |

Version 1.4. Release Date - September 4th, 2024

Access the installer here.

What’s new?

  • Improved the Anjuna Kubernetes Toolset to ensure versions match between enclave images and the anjuna-k8s-cli.

  • Added support to anjuna-k8s-cli for the disk create flags changed in SEV Runtime v1.12.

  • When the Anjuna Kubernetes Toolset creates a new Confidential VM, the name of the VM now includes the namespace of the Pod. The new format is podvm-<namespace>-<podname>.

  • The logs for the Cloud API Adaptor now include a prefix with the Pod’s namespace and name, like [pod=default/nginx-<hash>].

  • AKS with Kubernetes v1.30 was tested and is approved to be used with the Anjuna Kubernetes Toolset.

  • AKS with Kubernetes version 1.26 is no longer supported due to the Azure end of support.

  • This release contains a beta version for supporting OpenShift on Google Cloud.

Relevant bug fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10748 | Medium | Fixed a build issue that caused the anjuna-k8s-toolset Docker images to have a created timestamp in the year 1980. The timestamp is now correct. |

Version 1.3. Release Date - August 7th, 2024

Access the installer here.

What’s new?

  • This release contains an alpha version of OpenShift support. There are no changes to the existing functionality for Azure Kubernetes Service (AKS).

Version 1.2. Release Date - July 3rd, 2024

Access the installer here.

What’s new?

  • To support future cloud service providers (CSPs), anjuna-k8s-cli now requires explicitly passing the CSP as part of the command, e.g., anjuna-k8s-cli build azure…. This is a breaking change, and commands will fail if the CSP is not provided.

  • AKS with Kubernetes v1.29 was tested and is approved to be used with the Anjuna Kubernetes Toolset.

  • AKS with Kubernetes version 1.25 is no longer supported due to the Azure end of support.

Relevant security fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10397 | Medium | Upgraded several dependencies to prevent potential denial-of-service (DoS) vulnerabilities. |

Version 1.1. Release Date - April 5th, 2024

Access the installer here.

What’s new?

  • Reduced the trusted computing base (TCB) of the Anjuna Kubernetes Enclave Services. The overall size decreased from 301 MB to 110 MB, which also results in smaller Anjuna Confidential Pod images.

Relevant bug fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10221 | Medium | Fixed a bug that caused enclave services to log Anjuna Toolset Version: unknown. Now, the correct version will be displayed. |
| ANJ-10315 | Medium | Fixed a bug that could cause VM instance deletion to fail under certain conditions with Error deleting an instance : VM name not found. |

Relevant security fixes

| Bug number | Severity | Description |
|---|---|---|
| ANJ-10333 | High | Updated a dependency to address the "Leaky Vessels" CVE-2024-21626 vulnerability. There was no known way to exploit this vulnerability in the Anjuna Runtime. |
| ANJ-10163 | Medium | Fixed four potential DoS vulnerabilities by upgrading dependencies. |

Version 1.0. Release Date - January 22nd, 2024

Access the installer here.

What’s new?

In the first generally available release of the Anjuna Kubernetes Toolset for AMD SEV, you can deploy a container as an Anjuna Confidential Pod on Azure Kubernetes Service (AKS). The Anjuna Confidential Pod provides the same hardware-grade security and attestation capabilities as the Anjuna Confidential Container, while seamlessly integrating into the Kubernetes network and other standard Kubernetes features.