# SconeApps: memcached

Deploys a confidential memcached to your Kubernetes cluster.
## Prerequisites

- A Kubernetes cluster with access to SGX machines
## Install the chart

### Add the repo

If you haven't yet, please add the SconeApps repo to Helm.
### Create a SCONE CAS policy for memcached

The default policy name for the memcached chart is set to `memcached_policy/memcached` and the default SCONE CAS is defined to be `5-0-0.scone-cas.cf`. You can overwrite these defaults by setting the parameters `scone.attestation.cas` and `scone.attestation.MEMCACHEDConfigID` (see Parameters).

See secure document management for details about how to create a policy that defines TLS certificates for memcached.
### Install the chart

To deploy memcached SCONE with the default parameters to your Kubernetes cluster:

```bash
helm install my-memcached sconeapps/memcached
```

Have a look at the Parameters section for a complete list of parameters this chart supports.
## SGX device

By default, this helm chart uses the SCONE SGX Plugin. Hence, it sets the resource limits of CAS as follows:

```yaml
resources:
  limits:
    sgx.intel.com/enclave: 1
```

Alternatively, set `useSGXDevPlugin` to `azure` (e.g., `--set useSGXDevPlugin=azure`) to support Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter `sgxEpcMem` (SGX EPC memory in MiB) becomes required too (e.g., `--set useSGXDevPlugin=azure --set sgxEpcMem=16`).

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

```yaml
extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx
extraVolumeMounts:
  - name: dev-isgx
    mountPath: /dev/isgx   # volume mounts take mountPath, not path
```

Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set `securityContext`:

```yaml
securityContext:
  privileged: true
```
## Testing your chart

To test that the memcached is working as expected, simply run:

```bash
kubectl --namespace default port-forward svc/my-memcached 11211:11211 &
echo stats | nc 127.0.0.1 11211
```

You should see something like:

```
STAT pid 1
STAT uptime 28
STAT time 1608215390
STAT version 1.6.7
...
END
```
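The same check, scripted so it can run as a post-deploy smoke test: it sends `stats` over the port-forward above, parses the `STAT ... END` reply, and verifies that the server reports the memcached version encoded in the chart's default image tag. This is an added example, not part of the chart or the SconeApps repo; the host/port defaults assume the port-forward from the previous step, the sample reply is constructed, and the tag format assumed is the one in the Parameters table.

```python
import re
import socket

# Constructed sample (not a real capture) in the shape memcached returns for
# the "stats" command, matching the listing shown above.
SAMPLE_STATS = "STAT pid 1\r\nSTAT uptime 28\r\nSTAT time 1608215390\r\nSTAT version 1.6.7\r\nEND\r\n"
# Default image tag from the Parameters table of this chart.
DEFAULT_IMAGE_TAG = "memcached-1.6.7-alpine-scone5"

def parse_stats(raw: str) -> dict:
    """Parse a memcached 'stats' reply: 'STAT <name> <value>' lines up to 'END'."""
    stats = {}
    for line in raw.splitlines():
        line = line.strip()
        if line == "END":
            return stats
        if not line.startswith("STAT "):
            # "ERROR", "SERVER_ERROR ..." or something other than memcached on the port
            raise ValueError(f"unexpected reply line: {line!r}")
        _, name, value = line.split(" ", 2)
        stats[name] = value
    raise ValueError("reply did not terminate with END")

def version_from_tag(tag: str) -> str:
    """Upstream memcached version encoded in a SconeApps image tag (e.g. 1.6.7)."""
    m = re.match(r"memcached-(\d+\.\d+\.\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised image tag: {tag!r}")
    return m.group(1)

def check_version(stats: dict, image_tag: str = DEFAULT_IMAGE_TAG) -> bool:
    """True when the running server reports the version baked into the image tag."""
    return stats.get("version") == version_from_tag(image_tag)

def fetch_stats(host: str = "127.0.0.1", port: int = 11211, timeout: float = 5.0) -> dict:
    """Send 'stats' to a (port-forwarded) memcached and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats\r\n")
        buf = b""
        while not (buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n")):
            chunk = sock.recv(4096)
            if not chunk:  # server closed the connection early
                break
            buf += chunk
    return parse_stats(buf.decode("ascii", errors="replace"))

if __name__ == "__main__":
    live = fetch_stats()  # assumes the port-forward from the test step is running
    print("version matches image tag:", check_version(live), "| uptime:", live["uptime"])
```

A version mismatch or an `ERROR` reply means the port is not served by the image this chart deploys, which is worth catching before trusting the endpoint.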
## Accessing your memcached

This chart supports two service types for memcached: `ClusterIP` and `NodePort`.

### ClusterIP

If `service.type` is set to `"ClusterIP"`, a headless service will be created for memcached, which means that each memcached instance can only be accessed from within the cluster, through its internal DNS name (e.g., `RELEASE-memcached-scone-7dbb5d97c7-ktt78`).

You can access the pod as follows:

```bash
kubectl --namespace default port-forward svc/my-memcached 11211:11211 &
```

### NodePort

You can also set `service.type` to `NodePort`, and the memcached instance will be exposed to the outside through the same port in every worker node. By default, the port is randomly assigned by Kubernetes. You can define a custom port by setting `service.nodePort`, but keep in mind that this port must be available (service creation will fail otherwise).

You can then access the memcached as follows. Get the node port and a node IP by running these commands:

```bash
export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-memcached-memcached-scone)
export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
echo $NODE_IP:$NODE_PORT
```

You can then manually check that the memcached is working by:

```bash
echo stats | nc $NODE_IP $NODE_PORT
```

It should then return the same `STAT ... END` listing as in the test above (memcached speaks its own text protocol, not HTTP, so an HTTP status check does not apply).

Internal DNS entries (e.g., `RELEASE-memcached-scone-7dbb5d97c7-ktt78`) will still be created, so you can use them when contacting memcached from inside the cluster.
## Parameters

The following table lists the configurable parameters of the memcached chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.registry` | Memcached image registry | `registry.scontain.com` |
| `image.repository` | Memcached image name | `sconecuratedimages/apps` |
| `image.tag` | Memcached image tag | `memcached-1.6.7-alpine-scone5` |
| `image.pullPolicy` | Memcached image pull policy | `Always` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[sconeapps]` (does not add image pull secrets to deployed pods) |
| `scone.attestation.enabled` | Enable SCONE remote attestation | `true` |
| `scone.attestation.lasUseHostIP` | Use node host IP as LAS address | `true` |
| `scone.attestation.las` | LAS address, to be exported as `SCONE_LAS_ADDR`. Defaults to the Docker network interface address. Note that this value is not considered if `lasUseHostIP` is set to `true`. | `nil` |
| `scone.attestation.cas` | CAS address, to be exported as `SCONE_CAS_ADDR` | `5-0-0.scone-cas.cf` |
| `scone.attestation.MEMCACHEDConfigID` | memcached SCONE session, to be exported as `SCONE_CONFIG_ID` | `memcached_policy/memcached` |
| `scone.attestation.env` | SCONE environment variables to be exported into the container | `SCONE_HEAP=2G,SCONE_MODE=hw` |
| `useSGXDevPlugin` | Use SGX Device Plugin to access SGX resources | `"scone"` |
| `sgxEpcMem` | Required for the Azure SGX Device Plugin. Protected EPC memory in MiB | `nil` |
| `extraEnv` | Additional env vars to pass | `{}` |
| `replicaCount` | Number of containers | `1` |
| `clusterDomain` | Kubernetes cluster domain | `cluster.local` |
| `nameOverride` | String to partially override the `memcached.fullname` template | `nil` |
| `fullnameOverride` | String to fully override the `memcached.fullname` template | `nil` |
| `arguments` | Arguments to pass | `["/run.sh"]` |
| `service.type` | Kubernetes service type for Memcached | `ClusterIP` |
| `service.port` | Memcached service port | `11211` |
| `service.clusterIP` | Specific cluster IP when service type is `ClusterIP`. Use `None` for a headless service | `nil` |
| `service.nodePort` | Kubernetes Service nodePort | `nil` |
| `service.loadBalancerIP` | `loadBalancerIP` if service type is `LoadBalancer` | `nil` |
| `service.annotations` | Additional annotations for Memcached service | `{}` |
| `resources.requests` | CPU/Memory resource requests | `{memory: "256Mi", cpu: "250m"}` |
| `resources.limits` | CPU/Memory resource limits | `{}` |
| `persistence.enabled` | Enable persistence using PVC (requires `architecture: "high-availability"`) | `true` |
| `persistence.storageClass` | PVC Storage Class for Memcached volume | `nil` (uses alpha storage class annotation) |
| `persistence.accessMode` | PVC Access Mode for Memcached volume | `ReadWriteOnce` |
| `persistence.size` | PVC Storage Request for Memcached volume | `8Gi` |
| `podAnnotations` | Pod annotations | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` (evaluated as a template) |
| `nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) |
| `tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) |
| `priorityClassName` | Controller priorityClassName | `nil` |
## Set Parameters

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

```bash
helm install my-release --set scone.attestation.MEMCACHEDConfigID=my_name_space/memcached_policy,scone.attestation.cas=cas.example.com sconeapps/memcached
```

The above command sets the policy to `my_name_space/memcached_policy` and uses the CAS `cas.example.com`.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```bash
helm install my-release -f values.yaml sconeapps/memcached
```

One can use the default `values.yaml` in the SconeApps repo