Skip to content

SconeApps: nginx

Deploy a secure nginx to your Kubernetes cluster.

Prerequisites

Upload a policy into CAS for nginx

In order to deploy your confidential nginx, you can use the upload_policy command to help you to upload the nginx scone template which configures TLS and a liveness probe for nginx. You can edit the template to accommodate your confidential workloads.

The upload_policy command will generate a chart values file (nginx_chart_values.yml) that you can use to deploy your confidential workload with help of HELM.

Create an alias for the upload_policy container.

alias scone="docker run -it --rm \
    -v \"$HOME/.docker/config.json:/root/.docker/config.json\" \
    -v \"\$PWD:/root\" \
    -v \"\$PWD:/values\" \
    registry.scontain.com/sconecuratedimages/experimental:upload-policy "

upload_policy comes with the templates for sconeapps preloaded. Assuming that you've created the alias above, use the following command to use the default policy for nginx.

scone upload_policy templates/nginx

If everything went well, upload_policy created the nginx_chart_values.yml file in your current directory.

In case you want to not use the default policy maintained by Scontain, you can upload a custom policy. See scone upload_policy --help for more information. It will always generate the chart values with the CAS address (SCONE_CAS_ADDR var) and SCONE_CONFIG_ID for remote attestation pointing to the policies created.

Install the chart

Add the repo

If you haven't yet, please add SconeApps repo to Helm.

To deploy nginx SCONE with the default parameters to your Kubernetes cluster:

helm install my-nginx sconeapps/nginx

If you want to use a custom parameters defined by the upload_policy command:

helm install my-nginx sconeapps/nginx -f nginx_chart_values.yml

Have a look at the Parameters section for a complete list of parameters this chart supports.

SGX device

By default, this helm chart uses the SCONE SGX Plugin. Hence, it sets the resource limits of CAS as follows:

resources:
  limits:
    sgx.intel.com/enclave: 1

Alternatively, set useSGXDevPlugin to azure (e.g., --useSGXDevPlugin=azure) to support Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter sgxEpcMem (SGX EPC memory in MiB) becomes required too (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx

extraVolumeMounts:
  - name: dev-isgx
    path: /dev/isgx

Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set securityContext:

securityContext:
  privileged: true

Testing your chart

To run the tests, simply run:

helm test my-nginx

Helm will print the result of the tests:

NAME: my-nginx
LAST DEPLOYED: Wed Dec 16 11:15:47 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE:     my-nginx-nginx-scone-test-connection
Last Started:   Wed Dec 16 11:16:24 2020
Last Completed: Wed Dec 16 11:16:29 2020
Phase:          Succeeded

If the tests are successful, Helm will delete the deployed tests resources automatically.

Accessing your nginx

This chart supports two service types for nginx: ClusterIP and NodePort.

ClusterIP

If service.type is set to "ClusterIP", a headless service will be created for nginx, which means that each nginx instance can only be accessed from within the cluster, through its internal DNS name (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78).

You can access the pod as follows:

Get the application URL by running these commands:

export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=nginx-scone" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080/live to use your application"
kubectl --namespace default port-forward $POD_NAME 8080:443

You can then manually check that the nginx is working by:

curl -o /dev/null -k -s -w "%{http_code}" https://127.0.0.1:8080/live

It should then return 200

NodePort

You can also set service.type to NodePort, and the nginx instance will be exposed to the outside through the same port in every worker node. By default, the port is randomly assigned by Kubernetes. You can define a custom port by setting service.nodePort, but keep in mind that this port must be available (service creation will fail otherwise).

You can then access the nginx as follows:

Get the application URL by running these commands:

export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-nginx-nginx-scone)
export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT/live

You can then manually check that the nginx is working by:

curl -o /dev/null -k -s -w "%{http_code}" https://$NODE_IP:$NODE_PORT/live
It should then return 200

Internal DNS entries (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78) will still be created, so you can use them when contacting nginx from inside the cluster.

Parameters

A complete list of parameters this chart supports.

Parameter Description Default
replicaCount How many nginx instances to deploy 1
image.repository nginx SCONE repository registry.scontain.com/sconecuratedimages/apps
image.pullPolicy nginx SCONE pull policy Always
image.tag nginx SCONE tag nginx-1.14.2-alpine-scone5
imagePullSecrets.name nginx SCONE pull secrets [{"name": "sconeapps"}]
scone.attestation.enabled Enable SCONE remote attestation true
scone.attestation.lasUseHostIP Use node host IP as LAS address true
scone.attestation.las LAS address, to be exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address. Note that this value is not considered if lasUseHostIP is set to true. nil
scone.attestation.cas CAS address, to be exported as SCONE_CAS_ADDR scone-cas.cf
scone.attestation.nginxConfigID nginx SCONE session. To be exported as SCONE_CONFIG_ID nginx_policy/nginx
scone.attestation.env SCONE environment variables to be exported into the container SCONE_HEAP=2G,SCONE_FORK=1,SCONE_MODE=hw
useSGXDevPlugin Use SGX Device Plugin to access SGX resources. "scone"
sgxEpcMem Required to Azure SGX Device Plugin. Protected EPC memory in MiB nil
volume.enabled Enables a volume in the pod to load custom nginx configuration false
volume.name Name of the nginx config volume nginx-config
volume.volumeMounts.mountPath The path within the nginx container where the config is to be mounted /etc/nginx
volume.hostPath.path The within the host to the nginx config /data/nginx
volume.hostPath.type The type of the object accessed by the hostPath Directory
serviceAccount.create Create a serviceAccount to be used by the application false
serviceAccount.annotations Set annotations for the service account {}
serviceAccount.name Set a name for the service account ""
podAnnotations Define annotations for the pod nil
podSecurityContext Configure a security context for the pod nil
securityContext Configure a security context for the pod {}
service.type nginx SCONE service type. Use ClusterIP for a headless service. Use NodePort to have it exposed to the outside of the cluster. ClusterIP
service.port nginx SCONE server port 443
service.nodePort Set a custom port to be used as NodePort. It must be available on all nodes nil
ingress.enabled Enable ingress controller resource false
ingress.annotations Ingress annotations {}
ingress.hosts.host Default host for the ingress resource chart-example.local
ingress.hosts.tls Enable TLS configuration for the hostname defined at ingress.hosts.host parameter []
resources CPU/Memory resource requests/limits for node. {}
autoscaling.enabled Enable autoscaling for nginx deployment false
autoscaling.minReplicas Minimum number of replicas to scale back 1
autoscaling.maxReplicas Maximum number of replicas to scale out 100
autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage 80
nodeSelector Node labels for pod assignment (this value is evaluated as a template) {}
tolerations List of node taints to tolerate (this value is evaluated as a template) []
affinity Map of node/pod affinities (The value is evaluated as a template) {}

Set Parameters

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-nginx-release --set scone.attestation.NGINXConfigID=my_name_space/nginx_policy,scone.attestation.cas=cas.example.com sconeapps/nginx

The above command sets the policy to my_name_space/memcached_policy and using the CAS cas.example.com.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-nginx-release -f values.yaml sconeapps/nginx

One can use the default values.yaml in the SconeApps repo