CAS Backup Controller
Quick Start Guide
This is an end-to-end example of leveraging the CAS Backup Controller to run on a Kubernetes cluster. Although this guide assumes a Kubernetes cluster running on Azure Kubernetes Service, it should be reproducible on any cluster.
- Deploy LAS to the target Kubernetes cluster.
helm install las sconeapps/las \
--set image="registry.scontain.com/sconecuratedimages/kubernetes:las.microsoft-azure-scone5" \
--set useSGXDevPlugin="azure"
- Deploy CAS to the target Kubernetes cluster. Make sure to enable CAS database persistence (
--set persistence.enabled=true).
helm install cas sconeapps/cas \
--set image="registry.scontain.com/sconecuratedimages/services:cas-scone5" \
--set persistence.enabled="true" \
--set persistence.storageClass="managed" \
--set service.type="LoadBalancer" \
--set useSGXDevPlugin="azure"
- Retrieve the CAS key hash and provisioning token from the CAS pod logs.
export CAS_KEY_HASH=$(kubectl logs cas-0 | grep "CAS key hash" | awk ' { print $7 } ')
export CAS_PROVISIONING_TOKEN=$(kubectl logs cas-0 | grep "CAS provisioning token" | awk ' { print $7 } ')
export SCONE_CAS_ADDR=$(kubectl get svc --namespace default cas --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
export MY_POLICY_NAME="my-cas-backup-controller-$RANDOM"
mkdir -p owner-config
cat > owner-config/config.toml <<EOF
[api_identity]
common_name = "mycas"
alt_names = ["mycas", "cas", "cas.default", "localhost", "$SCONE_CAS_ADDR"]
[dcap]
subscription_key = "00000000000000000000000000000000"
EOF
- The CAS owner is identified by a PKCS#8 private key. This identity gives the owner power to upgrade and perform backups. The key must be protected and can be generated as follows:
mkdir -p identity
openssl genrsa -out identity/keypair.pem 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in identity/keypair.pem -out identity/pkcs8.key
- Start a SCONE CLI container locally to provision CAS and create policies.
docker run -it --rm \
--network=host \
-v $PWD/identity:/identity \
-v $PWD/owner-config:/owner-config \
-e SCONE_CLI_CONFIG="/identity/config.json" \
-e CAS_KEY_HASH="$CAS_KEY_HASH" \
-e CAS_PROVISIONING_TOKEN="$CAS_PROVISIONING_TOKEN" \
-e SCONE_CAS_ADDR="$SCONE_CAS_ADDR" \
-e MY_POLICY_NAME="$MY_POLICY_NAME" \
registry.scontain.com/sconecuratedimages/sconecli:alpine3.10-scone5
- Inside of the SCONE CLI container, provision CAS. The owner identity and CLI configuration will be persisted to your local machine (at
./identity/config.json).
$ scone cas provision $SCONE_CAS_ADDR \
-c $CAS_KEY_HASH \
--token $CAS_PROVISIONING_TOKEN \
--config-file /owner-config/config.toml \
with-attestation -GCS --only_for_testing-debug --only_for_testing-ignore-signer --only_for_testing-trust-any
This command will provision and claim ownership of a CAS.
The ownership will be bound to the cryptographic identity used during this provisioning.
Holding the owner's identity is necessary to change CAS settings, register backups, and upgrade to new CAS versions.
Please be sure to store the owner's identity securely.
Note: If no identity is specified on the command line, the identity stored in the CLI configuration file is used.
This tool seems to run inside of a container.
Please be extra careful that the owner's identity is not lost when the container is removed!
CAS owner configuration contains IAS API credentials. Going to attempt to attest CAS using the EPID quote.
CAS owner configuration includes DCAP API credentials. Going to try to attest and verify CAS using the DCAP quote.
CAS localhost at https://localhost:8081/ is trustworthy
Done, CAS configuration was successfully provisioned. You are now the owner of the CAS.
Do not exit the CLI container just yet.
- The CAS Backup Controller runs the SCONE CLI on your behalf to register backups. To do this securely, we must create a policy that contains the CLI configuration and owner identity. For development this might look like this:
export CLI_OWNER_CONFIG="$(sed 's/^/ /' /identity/config.json)"
export SCONE_CLI_MRENCLAVE="$(SCONE_HASH=1 scone cas)"
cat > /identity/session.yaml <<EOF
name: $MY_POLICY_NAME
version: "0.3"
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, software-hardening-needed]
ignore_advisories: "*"
services:
- name: register
image_name: cli
mrenclaves: [$SCONE_CLI_MRENCLAVE]
command: "scone cas register-backup @@3"
environment:
SCONE_MODE: hw
SCONE_LOG: error
SCONE_CLI_CONFIG: /etc/owner-identity.json
\@\@SCONE_LAS_ADDR: ""
pwd: /
images:
- name: cli
injection_files:
- path: /etc/owner-identity.json
content: |
$CLI_OWNER_CONFIG
EOF
scone session create /identity/session.yaml
exit
- Deploy CAS Backup Controller with the appropriate policy name.
helm install cbc sconeappsee/cas-backup-controller \
--set cas="$SCONE_CAS_ADDR" \
--set session="$MY_POLICY_NAME/register" \
--set useSGXDevPlugin="azure"
- Check the logs of the CAS Backup Controller pod for successful and failed registrations.
$ kubectl logs -l app.kubernetes.io/name=cas-backup-controller --tail -1
2022-07-21 22:42:16,254 INFO: Using session cas-backup-controller-e2e/register
2022-07-21 22:42:16,256 INFO: Starting controller...
2022-07-21 22:42:16,305 INFO: Backup CAS resources will be named 'cas-backup'-<node_name>
2022-07-21 22:42:16,305 INFO: Selecting LAS pods that match selector app.kubernetes.io/name=las on namespace kube-system
2022-07-21 22:42:16,350 INFO: Provisioning backup CAS on node aks-confcompool2-21345908-vmss000000: cas-backup-aks-confcompool2-21345908-vmss000000
Backup CAS registered
2022-07-21 22:42:29,437 INFO: Successfully registered backup on node aks-confcompool2-21345908-vmss000000
2022-07-21 22:42:29,504 INFO: Provisioning backup CAS on node aks-confcompool2-21345908-vmss000001: cas-backup-aks-confcompool2-21345908-vmss000001
Backup CAS registered
2022-07-21 22:43:02,107 INFO: Successfully registered backup on node aks-confcompool2-21345908-vmss000001
2022-07-21 22:43:44,070 INFO: Nodes with registered CAS backups (check logs for failed registrations):
{
"aks-confcompool2-21345908-vmss000000": true,
"aks-confcompool2-21345908-vmss000001": true
}