SconeApps: nginx
Deploy a secure nginx to your Kubernetes cluster.
Prerequisites
- A Kubernetes cluster;
- SconeApps setup
Upload a policy into CAS for nginx
In order to deploy your confidential nginx, you can use the upload_policy command to help you to upload the nginx scone template which configures TLS and a liveness probe for nginx. You can edit the template to accommodate your confidential workloads.
The upload_policy command will generate a chart values file (nginx_chart_values.yml) that you can use to deploy your confidential workload with help of HELM.
Create an alias for the upload_policy container.
alias scone="docker run -it --rm \
-v \"$HOME/.docker/config.json:/root/.docker/config.json\" \
-v \"\$PWD:/root\" \
-v \"\$PWD:/values\" \
registry.scontain.com:5050/sconecuratedimages/experimental:upload-policy "
upload_policy comes with the templates for sconeapps preloaded. Assuming that you've created the alias above, use the following command to use the default policy for nginx.
scone upload_policy templates/nginx
If everything went well, upload_policy created the nginx_chart_values.yml file in your current directory.
In case you want to not use the default policy maintained by Scontain, you can upload a custom policy. See scone upload_policy --help for more information. It will always generate the chart values with the CAS address (SCONE_CAS_ADDR var) and SCONE_CONFIG_ID for remote attestation pointing to the policies created.
Install the chart
Add the repo
If you haven't yet, please add SconeApps repo to Helm.
To deploy nginx SCONE with the default parameters to your Kubernetes cluster:
helm install my-nginx sconeapps/nginx
If you want to use a custom parameters defined by the upload_policy command:
helm install my-nginx sconeapps/nginx -f nginx_chart_values.yml
Have a look at the Parameters section for a complete list of parameters this chart supports.
SGX device
By default, this helm chart uses the SCONE SGX Plugin. Hence, it sets the resource limits of CAS as follows:
resources:
limits:
sgx.intel.com/enclave: 1
Alternatively, set useSGXDevPlugin to azure (e.g., --useSGXDevPlugin=azure) to support Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter sgxEpcMem (SGX EPC memory in MiB) becomes required too (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).
In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:
extraVolumes:
- name: dev-isgx
hostPath:
path: /dev/isgx
extraVolumeMounts:
- name: dev-isgx
path: /dev/isgx
Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set securityContext:
securityContext:
privileged: true
Testing your chart
To run the tests, simply run:
helm test my-nginx
Helm will print the result of the tests:
NAME: my-nginx
LAST DEPLOYED: Wed Dec 16 11:15:47 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: my-nginx-nginx-scone-test-connection
Last Started: Wed Dec 16 11:16:24 2020
Last Completed: Wed Dec 16 11:16:29 2020
Phase: Succeeded
If the tests are successful, Helm will delete the deployed tests resources automatically.
Accessing your nginx
This chart supports two service types for nginx: ClusterIP and NodePort.
ClusterIP
If service.type is set to "ClusterIP", a headless service will be created for nginx, which means that each nginx instance can only be accessed from within the cluster, through its internal DNS name (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78).
You can access the pod as follows:
Get the application URL by running these commands:
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=nginx-scone" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080/live to use your application"
kubectl --namespace default port-forward $POD_NAME 8080:443
You can then manually check that the nginx is working by:
curl -o /dev/null -k -s -w "%{http_code}" https://127.0.0.1:8080/live
It should then return 200
NodePort
You can also set service.type to NodePort, and the nginx instance will be exposed to the outside through the same port in every worker node. By default, the port is randomly assigned by Kubernetes. You can define a custom port by setting service.nodePort, but keep in mind that this port must be available (service creation will fail otherwise).
You can then access the nginx as follows:
Get the application URL by running these commands:
export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-nginx-nginx-scone)
export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT/live
You can then manually check that the nginx is working by:
curl -o /dev/null -k -s -w "%{http_code}" https://$NODE_IP:$NODE_PORT/live
200
Internal DNS entries (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78) will still be created, so you can use them when contacting nginx from inside the cluster.
Parameters
A complete list of parameters this chart supports.
| Parameter | Description | Default |
|---|---|---|
replicaCount |
How many nginx instances to deploy | 1 |
image.repository |
nginx SCONE repository | registry.scontain.com:5050/sconecuratedimages/apps |
image.pullPolicy |
nginx SCONE pull policy | Always |
image.tag |
nginx SCONE tag | nginx-1.14.2-alpine-scone5 |
imagePullSecrets.name |
nginx SCONE pull secrets | [{"name": "sconeapps"}] |
scone.attestation.enabled |
Enable SCONE remote attestation | true |
scone.attestation.lasUseHostIP |
Use node host IP as LAS address | true |
scone.attestation.las |
LAS address, to be exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address. Note that this value is not considered if lasUseHostIP is set to true. |
nil |
scone.attestation.cas |
CAS address, to be exported as SCONE_CAS_ADDR |
scone-cas.cf |
scone.attestation.nginxConfigID |
nginx SCONE session. To be exported as SCONE_CONFIG_ID |
nginx_policy/nginx |
scone.attestation.env |
SCONE environment variables to be exported into the container | SCONE_HEAP=2G,SCONE_FORK=1,SCONE_MODE=hw |
useSGXDevPlugin |
Use SGX Device Plugin to access SGX resources. | "scone" |
sgxEpcMem |
Required to Azure SGX Device Plugin. Protected EPC memory in MiB | nil |
volume.enabled |
Enables a volume in the pod to load custom nginx configuration | false |
volume.name |
Name of the nginx config volume | nginx-config |
volume.volumeMounts.mountPath |
The path within the nginx container where the config is to be mounted | /etc/nginx |
volume.hostPath.path |
The within the host to the nginx config | /data/nginx |
volume.hostPath.type |
The type of the object accessed by the hostPath | Directory |
serviceAccount.create |
Create a serviceAccount to be used by the application | false |
serviceAccount.annotations |
Set annotations for the service account | {} |
serviceAccount.name |
Set a name for the service account | "" |
podAnnotations |
Define annotations for the pod | nil |
podSecurityContext |
Configure a security context for the pod | nil |
securityContext |
Configure a security context for the pod | {} |
service.type |
nginx SCONE service type. Use ClusterIP for a headless service. Use NodePort to have it exposed to the outside of the cluster. | ClusterIP |
service.port |
nginx SCONE server port | 443 |
service.nodePort |
Set a custom port to be used as NodePort. It must be available on all nodes | nil |
ingress.enabled |
Enable ingress controller resource | false |
ingress.annotations |
Ingress annotations | {} |
ingress.hosts.host |
Default host for the ingress resource | chart-example.local |
ingress.hosts.tls |
Enable TLS configuration for the hostname defined at ingress.hosts.host parameter |
[] |
resources |
CPU/Memory resource requests/limits for node. | {} |
autoscaling.enabled |
Enable autoscaling for nginx deployment | false |
autoscaling.minReplicas |
Minimum number of replicas to scale back | 1 |
autoscaling.maxReplicas |
Maximum number of replicas to scale out | 100 |
autoscaling.targetCPUUtilizationPercentage |
Target CPU utilization percentage | 80 |
nodeSelector |
Node labels for pod assignment (this value is evaluated as a template) | {} |
tolerations |
List of node taints to tolerate (this value is evaluated as a template) | [] |
affinity |
Map of node/pod affinities (The value is evaluated as a template) | {} |
Set Parameters
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
helm install my-nginx-release --set scone.attestation.NGINXConfigID=my_name_space/nginx_policy,scone.attestation.cas=cas.example.com sconeapps/nginx
The above command sets the policy to my_name_space/memcached_policy and using the CAS cas.example.com.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
helm install my-nginx-release -f values.yaml sconeapps/nginx
One can use the default values.yaml in the SconeApps repo