
SconeApps: memcached

Deploys a confidential memcached to your Kubernetes cluster.

Prerequisites

  • A Kubernetes cluster with access to SGX machines

Install the chart

Add the repo

If you haven't yet, please add the SconeApps repo to Helm.

Create a SCONE CAS policy for memcached

The default policy name for the memcached chart is memcached_policy/memcached, and the default SCONE CAS address is 5-0-0.scone-cas.cf. You can override these defaults by setting the parameters scone.attestation.cas and scone.attestation.MEMCACHEDConfigID (see Parameters).

See secure document management for details about how to create a policy that defines TLS certificates for memcached.

Install the chart

To deploy SCONE memcached with the default parameters to your Kubernetes cluster:

helm install my-memcached sconeapps/memcached

Have a look at the Parameters section for a complete list of parameters this chart supports.

SGX device

By default, this Helm chart uses the SCONE SGX Plugin and therefore sets the following resource limit on the memcached container:

resources:
  limits:
    sgx.k8s.io/sgx: 1

Alternatively, set useSGXDevPlugin to azure (e.g., --set useSGXDevPlugin=azure) to use Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter sgxEpcMem (SGX EPC memory in MiB) becomes required as well (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).

In case you do not want to use an SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx

extraVolumeMounts:
  - name: dev-isgx
    mountPath: /dev/isgx

Note that the container-side field of a Kubernetes volume mount is mountPath; the hostPath volume uses path.

Please note that mounting the local SGX device into your container requires privileged mode. A privileged container gets access to ALL host devices and runs with every Linux capability, so the kernel no longer isolates it from the node; use this only where neither SGX plugin is an option. To enable privileged mode, set securityContext:

securityContext:
  privileged: true
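To make the SGX access mode an explicit, reviewable choice rather than a handful of --set flags, here is an added example (not part of the SconeApps chart) that emits chart values for the three variants described above: the SCONE plugin, the Azure plugin with its mandatory EPC size, and the privileged /dev/isgx mount. The keys are the chart parameters named above plus the standard Kubernetes hostPath and volumeMount fields; the script name sgx-values.sh is an assumption. The text above says to remove the sgx.k8s.io/sgx limit in the device variant but does not name the parameter that does so, so the script leaves that to the chart's values.yaml for your version.

```sh
#!/bin/sh
# Added example, not part of the SconeApps chart: print chart values for one
# of the three ways the memcached pod can reach SGX, so the choice is explicit
# and reviewable before "helm install -f".
# Usage: sh sgx-values.sh scone|azure|device [EPC_MiB] > values-sgx.yaml
#        helm install my-memcached sconeapps/memcached -f values-sgx.yaml
set -eu

sgx_values() (
  mode=$1
  epc=${2:-}
  case "$mode" in
    scone)  # SCONE SGX device plugin (chart default). The chart itself adds
            # the sgx.k8s.io/sgx resource limit for this mode.
      printf 'useSGXDevPlugin: scone\n'
      ;;
    azure)  # Azure SGX device plugin. The EPC size is mandatory, so reject
            # anything that is not a positive integer here, not at scheduling time.
      case "$epc" in
        ''|*[!0-9]*|0) echo "azure mode needs the EPC size in MiB" >&2; exit 1 ;;
      esac
      printf 'useSGXDevPlugin: azure\nsgxEpcMem: %s\n' "$epc"
      ;;
    device) # No plugin: bind-mount the host's SGX device. The container-side
            # field is mountPath. hostPath type CharDevice makes kubelet verify
            # that a character device exists at that path before mounting, so the
            # pod fails on a node without the SGX driver instead of starting with
            # nothing behind /dev/isgx. privileged: true is what makes the mount
            # usable, and it also grants every capability and every host device,
            # so prefer a device plugin wherever one is available.
            # How to drop the sgx.k8s.io/sgx limit is chart-version specific and
            # is not generated here; see the chart's values.yaml.
      cat <<'EOF'
extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx
      type: CharDevice
extraVolumeMounts:
  - name: dev-isgx
    mountPath: /dev/isgx
securityContext:
  privileged: true
EOF
      ;;
    *)
      echo "unknown mode '$mode' (use scone, azure or device)" >&2
      exit 1
      ;;
  esac
)

# Emit values when run as a script; defining the function alone does nothing.
if [ "$#" -ge 1 ]; then
  sgx_values "$@"
fi
```

Running it with no argument defines the function only, so it can be sourced from a larger deployment script; the azure arm fails before anything reaches the cluster if the EPC size is missing, which is the failure the text above warns about.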

Testing your chart

To test that the memcached is working as expected, simply run:

kubectl --namespace default port-forward svc/my-memcached 11211:11211 &
echo stats | nc 127.0.0.1 11211

You should see something like:

STAT pid 1
STAT uptime 28
STAT time 1608215390
STAT version 1.6.7
...
END

Accessing your memcached

This chart supports two service types for memcached: ClusterIP and NodePort.

ClusterIP

If service.type is set to "ClusterIP" (the default), the service is only reachable from within the cluster, through its internal DNS name (<service>.<namespace>.svc.<clusterDomain>, e.g., my-memcached.default.svc.cluster.local for the release my-memcached in the default namespace). Set service.clusterIP to None if you want a headless service instead, whose DNS name resolves to the individual pod IPs (pods are named like RELEASE-memcached-scone-7dbb5d97c7-ktt78).

From outside the cluster, e.g. for testing, you can reach the service through a port-forward:

kubectl --namespace default port-forward svc/my-memcached 11211:11211 &

NodePort

You can also set service.type to NodePort, and the memcached instance will be exposed on the same port on every worker node. By default, Kubernetes assigns the port from its NodePort range (30000-32767 unless the cluster is configured otherwise). You can define a custom port by setting service.nodePort, but keep in mind that this port must be available (service creation will fail otherwise). A NodePort is reachable by anyone who can reach a node's IP, and the memcached text protocol has no authentication of its own, so restrict who can connect (NetworkPolicy, node firewall rules) and rely on the TLS certificates defined in your CAS policy for the connection itself.

You can then access memcached as follows. Get the node address and port by running these commands:

export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-memcached-memcached-scone)
export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
echo $NODE_IP:$NODE_PORT

The first address listed for a node is usually its InternalIP; when connecting from outside the cluster network, use the node's ExternalIP or public address instead. You can then manually check that memcached is working by:

echo stats | nc $NODE_IP $NODE_PORT

It should return the same STAT ... END listing as above. memcached speaks its own text protocol rather than HTTP, so an HTTP status check with curl is not a meaningful test.

The service's cluster-internal DNS name will still be created, so you can use it when contacting memcached from inside the cluster.
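The `echo stats | nc` check used above, both through the port-forward and against a NodePort, can hang with netcat builds that wait for the server to close the connection (memcached keeps it open), and it gives no pass/fail result. The following script is an added example, not part of the SconeApps chart: it sends memcached text-protocol commands with an idle timeout, validates the stats reply, and performs a set/get round trip through the same endpoint. Host and port are arguments, the key name probe is an arbitrary choice, and the sample replies used to exercise the parsers are constructed.

```sh
#!/bin/sh
# Added example, not part of the SconeApps chart: probe a memcached endpoint
# (the port-forward on 127.0.0.1:11211 or a NodePort) over the memcached text
# protocol and fail loudly if it does not answer correctly.
# Usage: sh probe-memcached.sh 127.0.0.1 11211
set -eu

# Send memcached text-protocol commands over one TCP connection and print the
# reply. memcached keeps the connection open after answering, so a plain
# "echo stats | nc" can hang; -w 2 makes OpenBSD/GNU netcat give up after two
# seconds of inactivity (with nmap's ncat use -i 2 instead). A connection
# failure shows up as an empty reply, which the parsers below reject.
memcached_send() {
  printf '%b' "$3" | nc -w 2 "$1" "$2" || true
}

# Validate a "stats" reply (STAT lines closed by END) and print the server
# version. Returns 1 for an ERROR reply, a truncated reply or no reply.
parse_stats_version() (
  reply=$(printf '%s' "$1" | tr -d '\r')
  printf '%s\n' "$reply" | grep -q '^END$' || exit 1
  printf '%s\n' "$reply" | awk '
    $1 == "STAT" && $2 == "version" { print $3; found = 1 }
    END { exit !found }'
)

# Extract the data from a "get" reply of the form
#   [STORED]  VALUE <key> <flags> <bytes>  <data>  END
# and check that the data line has the announced length. Returns 1 on a cache
# miss (bare END), a length mismatch, an unexpected line or a truncated reply.
parse_get_value() (
  reply=$(printf '%s' "$1" | tr -d '\r')
  printf '%s\n' "$reply" | awk '
    NF == 0        { next }
    $1 == "STORED" { next }
    $1 == "VALUE"  { if ((getline data) <= 0 || length(data) != $4 + 0) exit
                     val = data; found = 1; next }
    $1 == "END"    { ok = found; exit }
                   { exit }
    END            { if (ok) { print val; exit 0 }
                     exit 1 }'
)

# Run the probe when host and port are given; with no arguments only the
# functions are defined.
if [ "$#" -eq 2 ]; then
  host=$1
  port=$2
  stats=$(memcached_send "$host" "$port" 'stats\r\n')
  version=$(parse_stats_version "$stats") ||
    { echo "no valid stats reply from $host:$port" >&2; exit 1; }
  echo "memcached $version answered stats on $host:$port"
  # Round trip: store a 5-byte value under key "probe" with a 60 s TTL, read it back.
  reply=$(memcached_send "$host" "$port" 'set probe 0 60 5\r\nhello\r\nget probe\r\n')
  [ "$(parse_get_value "$reply")" = "hello" ] ||
    { echo "set/get round trip failed on $host:$port" >&2; exit 1; }
  echo "set/get round trip OK"
fi
```

A non-zero exit from the script means either that nothing answered on the port, that memcached answered with ERROR, or that data written could not be read back, which makes it usable as a post-install check in a pipeline rather than something to eyeball.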

Parameters

The following table lists the configurable parameters of the memcached chart and their default values.

Parameter | Description | Default
global.imageRegistry | Global Docker image registry | nil
global.imagePullSecrets | Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods)
image.registry | Memcached image registry | registry.scontain.com:5050
image.repository | Memcached image name | sconecuratedimages/apps
image.tag | Memcached image tag | memcached-1.6.7-alpine-scone5
image.pullPolicy | Memcached image pull policy | Always
image.pullSecrets | Docker registry secret names as an array | [sconeapps]
scone.attestation.enabled | Enable SCONE remote attestation | true
scone.attestation.lasUseHostIP | Use the node's host IP as the LAS address | true
scone.attestation.las | LAS address, exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address. Ignored if lasUseHostIP is true. | nil
scone.attestation.cas | CAS address, exported as SCONE_CAS_ADDR | 5-0-0.scone-cas.cf
scone.attestation.MEMCACHEDConfigID | memcached SCONE session (policy) name, exported as SCONE_CONFIG_ID | memcached_policy/memcached
scone.attestation.env | SCONE environment variables to be exported into the container | SCONE_HEAP=2G,SCONE_MODE=hw
useSGXDevPlugin | SGX device plugin used to access SGX resources (scone or azure) | "scone"
sgxEpcMem | Required by the Azure SGX device plugin: protected EPC memory in MiB | nil
extraEnv | Additional environment variables to pass | {}
replicaCount | Number of memcached replicas | 1
clusterDomain | Kubernetes cluster domain | cluster.local
nameOverride | String to partially override the memcached.fullname template | nil
fullnameOverride | String to fully override the memcached.fullname template | nil
arguments | Arguments to pass to the container | ["/run.sh"]
service.type | Kubernetes service type for memcached | ClusterIP
service.port | Memcached service port | 11211
service.clusterIP | Specific cluster IP when the service type is ClusterIP. Use None for a headless service | nil
service.nodePort | Kubernetes service nodePort | nil
service.loadBalancerIP | loadBalancerIP if the service type is LoadBalancer | nil
service.annotations | Additional annotations for the memcached service | {}
resources.requests | CPU/memory resource requests | {memory: "256Mi", cpu: "250m"}
resources.limits | CPU/memory resource limits | {}
persistence.enabled | Enable persistence using a PVC (requires architecture: "high-availability") | true
persistence.storageClass | PVC storage class for the memcached volume | nil (uses alpha storage class annotation)
persistence.accessMode | PVC access mode for the memcached volume | ReadWriteOnce
persistence.size | PVC storage request for the memcached volume | 8Gi
podAnnotations | Pod annotations | {}
podAffinityPreset | Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard | ""
podAntiAffinityPreset | Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard | soft
nodeAffinityPreset.type | Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard | ""
nodeAffinityPreset.key | Node label key to match. Ignored if affinity is set. | ""
nodeAffinityPreset.values | Node label values to match. Ignored if affinity is set. | []
affinity | Affinity for pod assignment | {} (evaluated as a template)
nodeSelector | Node labels for pod assignment | {} (evaluated as a template)
tolerations | Tolerations for pod assignment | [] (evaluated as a template)
priorityClassName | Controller priorityClassName | nil

Set Parameters

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release --set scone.attestation.MEMCACHEDConfigID=my_name_space/memcached_policy,scone.attestation.cas=cas.example.com sconeapps/memcached

The above command sets the policy to my_name_space/memcached_policy and the CAS address to cas.example.com.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml sconeapps/memcached

You can use the default values.yaml in the SconeApps repo as a starting point.