Anjuna Runtime for AWS Nitro Enclaves

Improved support for Node autoscaling, by adding a new resource nitro.k8s.anjuna.io/cpu to assist with Kubernetes scheduling.

Improved persistent storage support for block mounts. Block mounts are now simpler to use, as it is no longer required to compile and deploy a kernel module.

The sample Terraform scripts for EKS deployment now accept Node Group minimum and maximum sizes.

AWS EKS with Kubernetes v1.32 was tested and is approved for use with the Anjuna Kubernetes Toolset for AWS EKS and the Anjuna Helm recipe.

The Anjuna Kubernetes Toolset for AWS EKS documentation has been updated to reflect the latest supported versions of Helm, 3.10.x to 3.16.x.

AWS EKS with Kubernetes v1.31 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Added support for the encrypted configuration where a proxy is required for reaching AWS KMS.

anjuna-nitro-encrypt now supports encrypting arbitrary files, using the --binary flag. Previously, anjuna-nitro-encrypt only supported Anjuna enclave configuration YAML files.

Added the anjuna-nitro-decrypt utility, which can be used to decrypt data that was encrypted using anjuna-nitro-encrypt.

Updated the documentation for deploying the Anjuna Kubernetes Toolset to an existing EKS cluster using a new Node Group and Launch Template. The previous version could fail in situations involving autoscaling.

Added the new flag --log-level to anjuna-nitro-netd-parent to control the log verbosity. The new default level is info.

Added a new troubleshooting item that addresses errors like error getting EC2 region while getting encrypted config: context deadline exceeded when using AWS EC2’s Instance Metadata Service Version 2 (IMDSv2).

AWS EKS with Kubernetes v1.30 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Added the environment variable ANJ_ENCLAVE_KMS_DECRYPT_RETRY_TIMEOUT_SECONDS, which allows you to configure the duration of retries for AWS KMS calls used in the encrypted configuration. This environment variable is included in untrustedConfig.envVars by default, meaning it can be inherited from the parent instance or Kubernetes manifest.

Changed the precedence of environment variables provided by untrusted configuration.

The Anjuna Nitro Runtime now supports Amazon Linux 2023 in both EC2 instances and the Anjuna Nitro Kubernetes Toolset.

Added the ability to set UserPublicKey in the Nitro Attestation Endpoint, enabling applications to easily use the KMS integration for Nitro Enclaves. See documentation for instructions.

This release includes a new How-to guides section, which includes instructions on the following tasks:

AWS EKS with Kubernetes v1.29 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

AWS EKS with Kubernetes v1.28 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Added the ability to generate an attestation report at runtime, using the Anjuna attestation endpoint. See Github: anjuna-security/go-nitro-attestation for details.

Added the ability to validate an attestation report using a Go package, which is part of go-nitro-attestation. See Validate an AWS Nitro Attestation Report for usage.

Added a new documentation page for Best Practices on Remote Attestation describing how to use Anjuna’s attestation capabilities, including the (new) attestation endpoint and the (existing) boot-time secrets, to improve your application’s security.

Added the ability to provide encrypted configuration files at enclave start time, using local files. This improves deployment flexibility: you can now run the same application with different sets of secrets, without rebuilding the EIF.

To improve security in situations when an attacker could target the encrypted configuration file, it is now required to specify an encryptedConfig.allowList, which defines which files and environment variables can be injected into the enclave: see docs for details.

For consistency, encrypted configuration files stored in S3 are now configured using encryptedConfig with type: s3 and uri: s3://<path in S3>. This is a breaking change if you were previously using attestedConfURL. The encryptedConfig.allowList is also required now, as mentioned above.

Encrypted configuration files provide secrets to the enclave as environment variables and files; no other configuration options are supported, as non-secret configuration options can be stored in the (unencrypted) enclave configuration file. This is a breaking change if you were previously providing options like entrypoint using the encrypted configuration file.

AWS EKS with Kubernetes v1.27 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Amazon EKS version 1.22 is no longer supported due to the Amazon EKS end of support

The Anjuna Nitro Runtime now supports multiple enclaves per EC2 instance or EKS Node, up to the AWS limit of four.

anjuna-nitro-cli run-enclave and the Anjuna Nitro EKS Toolset will now abort if the EIF is built with a different version of the Anjuna Nitro Runtime, to prevent incompatibilities between versions.

AWS EKS with Kubernetes v1.26 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Added documentation on using the Anjuna Nitro Runtime on Red Hat Enterprise Linux 8.

Updated the Terraform script used to create a new EKS cluster with the Anjuna Nitro Kubernetes Toolset, since AWS S3 ACLs are now disabled by default.

AWS EKS with Kubernetes v1.25 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Amazon EKS version 1.21 is no longer supported due to the Amazon EKS end of support.

Added priorityClassName: "system-node-critical" to guarantee scheduling for the Anjuna Nitro Kubernetes Webhook Deployment. Previously, the Webhook could be evicted when cluster load increased.

Removed the /dev/vsock dependency in anjuna-nitro-netd-parent. As a result, the Anjuna Nitro Kubernetes Toolset will no longer mount /dev/vsock to enclave Pods.

Amazon EKS version 1.20 is no longer supported due to the Amazon EKS end of support.

The Anjuna Nitro EKS Toolset will now automatically detect the anjuna-license Kubernetes secret and use it for new Pods. Users no longer need to manually update their Pod definitions to include the license mount.

AWS EKS with Kubernetes v1.24 was tested and is approved to be used with the Anjuna Nitro EKS Toolset and with the Anjuna Helm recipe.

Updated the Anjuna Kubernetes Toolset to run anjuna-nitro-webhook-app as a Deployment instead of a bare Pod. This ensures that the webhook app will be rescheduled if the Pod or Node fails. Previously this was announced in v1.29 but was not included due to a packaging issue.

Added logging for disk usage at enclave boot time, which improves the debugging experience when an enclave fails to boot due to lack of disk space.

Improved logging performance for production enclaves.

Added a search bar for the documentation site.

The Anjuna Nitro Runtime now requires a license file to build and run enclaves. See Licensing the Anjuna Nitro Runtime for more information.

Updated the Anjuna Kubernetes Toolset to run `anjuna-nitro-webhook-app` as a Deployment instead of a bare Pod. This ensures that the webhook app will be rescheduled if the Pod or Node fails. Due to a packaging issue, this was actually released as part of v1.31.

Added forceMount flag to control whether volume mounts may overwrite existing enclave paths. See Anjuna Nitro Enclave Configuration for details.

Added documentation on system requirements to build an EIF.

Amazon EKS version 1.19 is no longer supported due to the Amazon EKS end of support

Added the ability to provide a non-trusted configuration for an enclave.

Added support for user IDs in the Dockerfile and Nitro Enclave Configuration file. Previously only names were supported.

Added support for group names and group IDs in the Dockerfile and Nitro Enclave Configuration file. Previously the user’s default group was always used.

AWS EKS with Kubernetes v1.23 was tested and is approved to be used with the Anjuna EKS tools and with the Anjuna Helm recipe.

Added new docs for deploying to an existing EKS cluster.

Improved logging for the Anjuna EKS toolset for easier troubleshooting.

Helm v3.9.x was tested and is approved to deploy the Anjuna EKS tools with the Anjuna Helm recipe.

Helm v3.7 and v3.8 were tested and are approved to deploy the Anjuna EKS tools with the Anjuna Helm recipe.

Improved supportability for the Anjuna Nitro tools for EKS.

Reduced the dependencies of the Anjuna Device Manager for EKS, to make its deployment simpler.

Additional abilities for the anjuna-nitro-cli tool

Added the ability to build the x86-64 Docker Images with build-anjuna-docker-images on a platform that is not x86-64.

The Block persistency type value has changed from drbd to block. Existing enclave configuration files should be updated to continue working with the new version.

Added a Helm Chart for easier deployment of the Anjuna components in AWS EKS.

Added support for EKS with K8s version 1.22.

Added the binary for the AWS Nitro Device Plugin for customers who want to build the Device Manager Container on their own.

Added support for applications that access /dev/stdout, /dev/stdin and /dev/stderr when running in the enclave.

Differentiated the logging messages coming from inside the enclave for easier troubleshooting.

Removed unneeded messages that are shown when the enclave is automatically terminated while viewing the enclave output via anjuna-nitro-cli console.

Added an option to automatically terminate the enclave when the Container running within it exits.

Added support for version 18 of the Terraform module for EKS. This enables running Pods in enclaves in unmanaged nodes.

Replaced the base image of the Webhook Container with alpine:latest in order to reduce the container’s size and load time.

Improved usability:

Improvements in handling the configuration files:

The EKS tutorial scripts were improved to ensure that kubectl points to the correct cluster on every run.

Updated the persistent storage infrastructure to improve its stability.

Added the ability to control which ports are exposed from an enclave.

Added support for EKS with K8s versions 1.19 through 1.21; this is in addition to 1.18 that was already supported.

Added a log message where the enclave does not have enough memory configured when using the "mount" option, for better troubleshooting.

Several improvements to the parent-drbd-setup.sh script.

Added the --version flag to the anjuna-nitro-kms-policy command line tool.

Added an option to the networking proxy process to enable it to run as a daemon.

The software version of the Anjuna tools inside the enclave is logged on startup and is available when running the anjuna-nitro-cli console or kubectl logs.

Improvements on the TCP Stack virtualization for better performance and ease of use.

Added the ability to control the grace period time for the enclave termination via the CLI.

The Kubernetes artifacts for AWS Nitro are now packaged in a way that customers can build the tools on their own, based on their organization standards.

Added support for a graceful exit of the enclave before it is terminated.

The parameters for the CLI tool anjuna-nitro-encrypt were updated to align with other Anjuna CLI tools.

The enclave console output is now available in the parent VM or via kubectl logs with production enclaves. Previously, it was only available when running the enclave in debug mode.

Added visibility into startup failures previously only available when running the enclave in debug mode.

Added command line and configuration file references.

Detailed information about how to configure an EC2 instance for running an enclave.

Detailed requirements for adding Nitro capabilities to an existing EKS cluster

Detailed steps for upgrading the Anjuna Kubernetes tools.

Added support for Terraform 0.15.x in the Terraform example scripts.