Deploy Nitro Enclaves from a Kubernetes pod.
By: Date: 10/02/2023 Categories: AWS,AWScommunity Tags:

Amazon Elastic Kubernetes Service to orchestrate, scale, and deploy Nitro Enclaves from a Kubernetes pod. Kubernetes is an open source platform for container orchestration. The following diagram provides a conceptual overview of how Nitro Enclaves integrates with Amazon EKS.

Image description

All pods and containers in the same Amazon EKS node or Amazon EC2 instance that has the Nitro Enclaves Kubernetes device plugin installed will be able to communicate with the enclave that is attached to that parent Amazon EC2 instance.

How to create an Amazon EKS cluster with a managed node group and one enclave-enabled node. It shows how to install the Nitro Enclaves Kubernetes device plugin, how to prepare the Hello Enclaves sample application for deployment, and how to deploy the prepared Hello Enclaves Docker image to the cluster.

There are two key components to this process:

Launch templates. The process requires a launch template that is properly configured. The launch template must have enclaves enabled and an it must include specific user data that is provided in Step 1: Create a launch template. This launch template will be used to create the enclave-enabled nodes in the cluster.

The Nitro Enclaves Kubernetes device plugin. This device plugin gives your pods and containers the ability to create and terminate enclaves using the Nitro Enclaves Command Line Interface. The device plugin works with both Amazon EKS and self-managed Kubernetes nodes.

The following tools are required to complete this tutorial:

  • bash shell
  • AWS CLI version 2. For more information about installing the AWS CLI, see Getting started with the AWS CLI.
  • eksctl, a simple command line tool for creating and managing Kubernetes clusters on Amazon EKS. For more information, see Installing or updating eksctl.
  • Docker, an open platform used for packaging your enclave applications into images that can be deployed into containers on your worker nodes. For more information, see Get Docker.
  • jq, a command line JSON processor. For more information, see Download jq.
  • kubectl version 1.20 and later versions that include the Docker runtime. kubectl is the Kubernetes command line tool that enables you to deploy applications, inspect and manage cluster resources, and view logs. For more information, see Installing or updating kubectl in the Amazon EKS User Guide.

Step 1: Create a launch template
Create a launch template that will be used to launch the enclave-enabled worker nodes (Amazon EC2 instances) in the cluster. You can create the launch template using either the create-launch-template AWS CLI command or the Amazon EC2 console.

When you create the launch template, you must do the following:
Specify a supported instance type.

  1. Enable Nitro Enclaves.
  2. Specify the following user data, which automates the AWS Nitro Enclaves CLI installation, and preallocates the memory and the vCPUs for enclaves on the instance.
  3. The CPU_COUNT and MEMORY_MIB variables in the user data specify the number of vCPUs and amount of memory (in MiB) respectively. For the purpose of this tutorial, the user data below specifies 2 vCPUs and 768 MiB of memory.

Step 2: Create Kubernetes cluster and node
Create the cluster with node groups and worker nodes. In this tutorial, we use the eksctl command line tool to create an Amazon EKS cluster with one managed node group with one worker node using the launch template created in the previous step.

To create the cluster, node group, and worker node

  1. Create a cluster configuration file named cluster_config.yaml and add the following configuration, which specifies the following:
  • The name of the cluster (metadata:name)
  • The AWS Region in which to create the cluster (region)
  • The name of the node group (managedNodeGroups:name)
  • The ID and version of the launch template to use to create the worker nodes (id and version)
  • The number of nodes in the node group (desiredCapacity)
  • For the purpose of this tutorial, the configuration file creates a cluster named ne-cluster in us-east-1, it creates 1 node in a node group named ne-group using version 1 of launch template lt-01234567890abcdef.
  1. Create the cluster, node group, and worker node using the cluster configuration file. Run the following eksctl command and specify the cluster configuration file created in the previous step. eksctl create cluster -f cluster_config.yaml

Step 3: Install the Nitro Enclaves Kubernetes device plugin
Deploy the Nitro Enclaves Kubernetes device plugin to the cluster and then enable it on each worker node in the cluster using kubectl. The plugin enables the pods on each worker node to access the Nitro Enclaves device driver. The plugin is deployed to the Kubernetes cluster as a daemonset.
To deploy and enable the Nitro Enclaves Kubernetes device plugin

  1. Deploy the Nitro Enclaves Kubernetes device plugin to the cluster using the following command. kubectl apply -f
  2. Get the name of the worker node on which to install the Nitro Enclaves Kubernetes device plugin using the following command. kubectl get nodes
  3. Enable the Nitro Enclaves Kubernetes device plugin on the worker node. Use the following kubectl command and specify the node name from the previous step. kubectl label node node_name aws-nitro-enclaves-k8s-dp=enabled

Step 4: Prepare the image
Nitro Enclaves uses Docker images as a convenient file format for packaging your applications. You must build the Docker image that includes your enclave application and any other commands that are needed to run the application. This Docker image will be deployed to the worker node in the following step.

AWS provides a command line tool, enclavectl that automates the steps that are needed to build an enclave image file and to package your enclave image file into a Docker image. Additionally, the tool includes features that automate Amazon EKS cluster and node group creation, and application deployment. For an end-to-end tutorial on how to use the enclavectl tool to automate cluster creation, application packaging, and application deployment,

To prepare the image

  1. The enclavectl utility can be found in the aws-nitro-enclaves-with-k8s GitHub repo. Clone the GitHub repo and navigate into the directory. git clone [email protected]:aws/aws-nitro-enclaves-with-k8s.git && cd aws-nitro-enclaves-with-k8s
  2. Source the script to add the enclavectl tool to you PATH variable. source
  3. Configure the enclavectl for the tutorial. The settings.json file includes some default parameters that are used only if you create a cluster using enclavectl. Since the cluster was created manually in the previous steps, the parameters in the settings.json are not used; but you must run this command to configure the tool before using it. enclavectl configure --file settings.json
  4. Build the Hello Enclaves enclave image file and package it into a Docker image. The required files are located in the /container/hello directory. Use the enclavectl build command and specify the name of the directory. enclavectl build --image hello
  5. The Docker image is created with a name in the following format: hello-unique_uuid. To view the full name of the image, run the following command. docker image ls | grep hello

Step 5: Deploy the application to the cluster
Finally, you need to deploy the application to your cluster.

To deploy the application to the cluster

  1. Create a deployment specification. Create a new file named deployment_spec.yaml and add the following content.

For more details- Enclaves with Amazon EKS