SconeApps: nginx
Deploy a secure nginx to your Kubernetes cluster.
Prerequisites
- A Kubernetes cluster;
Install the chart
Add the repo
If you haven't yet, please add the SconeApps repo to Helm.
Create a SCONE CAS policy for nginx
The default policy name for this chart is nginx_policy/nginx and the default SCONE CAS address is 5-0-0.scone-cas.cf. You can override these defaults by setting the parameters scone.attestation.cas and scone.attestation.NGINXConfigID (see Parameters).
See secure document management for details about how to create a policy that defines TLS certificates for nginx.
Install the chart
To deploy nginx SCONE with the default parameters to your Kubernetes cluster:

```sh
helm install my-nginx sconeapps/nginx
```
Have a look at the Parameters section for a complete list of parameters this chart supports.
SGX device
By default, this Helm chart uses the SCONE SGX Plugin. Hence, it sets the following resource limit on the nginx container:

```yaml
resources:
  limits:
    sgx.k8s.io/sgx: 1
```
Alternatively, set useSGXDevPlugin to azure (e.g., --set useSGXDevPlugin=azure) to support Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter sgxEpcMem (SGX EPC memory in MiB) becomes required too (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).
In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

```yaml
extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx
extraVolumeMounts:
  - name: dev-isgx
    mountPath: /dev/isgx
```

Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set securityContext:

```yaml
securityContext:
  privileged: true
```
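The three SGX access modes above differ in what they grant the container, and the Azure mode has a required companion parameter that Helm itself will not check. The following shell helper is an added example, not part of the SconeApps chart: it prints the values.yaml fragment for one mode, refuses to emit an Azure fragment without a numeric sgxEpcMem, and for the direct-device mode emits the privileged securityContext together with a null override that removes the chart's default sgx.k8s.io/sgx limit (Helm drops a default key whose override is null). The key names are the chart's own; the assumption that the Azure mode needs no resources limit of its own, and the mode names scone/azure/device, are this example's.

```sh
#!/bin/sh
# Added example (not from the SconeApps chart): emit a values.yaml fragment for one of
# the three SGX access modes. Keys (useSGXDevPlugin, sgxEpcMem, extraVolumes,
# extraVolumeMounts, securityContext, resources) are the chart's own parameters.
set -eu

# usage: sgx_values MODE [EPC_MIB]
#   scone  - default SCONE SGX plugin (sets the sgx.k8s.io/sgx limit)
#   azure  - Azure SGX device plugin; EPC_MIB (sgxEpcMem) is required
#   device - no plugin: mount /dev/isgx directly, which needs privileged mode
sgx_values() {
  mode="$1"; epc="${2:-}"
  case "$mode" in
    scone)
      cat <<'EOF'
useSGXDevPlugin: scone
resources:
  limits:
    sgx.k8s.io/sgx: 1
EOF
      ;;
    azure)
      # Azure needs the EPC size; refuse to emit a fragment that Helm would accept
      # but the device plugin would reject. Accept only a whole number of MiB.
      case "$epc" in
        ''|*[!0-9]*)
          echo "azure mode requires sgxEpcMem as a whole number of MiB" >&2
          return 1 ;;
      esac
      cat <<EOF
useSGXDevPlugin: azure
sgxEpcMem: ${epc}
EOF
      ;;
    device)
      # No plugin: the null override removes the chart's default SGX limit when
      # Helm merges values. privileged: true exposes ALL host devices to the
      # container, so keep this mode as a last resort and audit who can deploy it.
      cat <<'EOF'
resources:
  limits:
    sgx.k8s.io/sgx: null
extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx
extraVolumeMounts:
  - name: dev-isgx
    mountPath: /dev/isgx
securityContext:
  privileged: true
EOF
      ;;
    *)
      echo "unknown mode '${mode}' (expected scone, azure or device)" >&2
      return 1 ;;
  esac
}

# Usage: write the fragment and pass it to the chart with -f, e.g.
#   sgx_values azure 16 > sgx-values.yaml
#   helm install my-nginx -f sgx-values.yaml sconeapps/nginx
```

Generating the fragment from a function rather than hand-editing values.yaml keeps the "azure requires sgxEpcMem" rule and the privileged-mode consequence in one reviewable place.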
Testing your chart
This chart includes tests to make sure your nginx is working as expected. The current version does not yet have a corresponding policy, and thus scone.attestation is currently not enabled.
To run the tests, simply run:

```sh
helm test my-nginx
```
Helm will print the result of the tests:

```
NAME: my-nginx
LAST DEPLOYED: Wed Dec 16 11:15:47 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: my-nginx-nginx-scone-test-connection
Last Started: Wed Dec 16 11:16:24 2020
Last Completed: Wed Dec 16 11:16:29 2020
Phase: Succeeded
```
If the tests are successful, Helm will delete the deployed test resources automatically.
Accessing your nginx
This chart supports two service types for nginx: ClusterIP and NodePort.
ClusterIP
If service.type is set to "ClusterIP", a headless service will be created for nginx, which means that each nginx instance can only be accessed from within the cluster, through its internal DNS name (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78).
You can access the pod as follows. Get the application URL by running these commands:

```sh
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=nginx-scone,app.kubernetes.io/instance=chart-1608114800" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace default port-forward $POD_NAME 8080:80
```

You can then manually check that nginx is working with:

```sh
curl -o /dev/null -s -w "%{http_code}" 127.0.0.1:8080
```

It should return 200.
NodePort
You can also set service.type to NodePort, and the nginx instance will be exposed to the outside through the same port on every worker node. By default, the port is randomly assigned by Kubernetes. You can define a custom port by setting service.nodePort, but keep in mind that this port must be available (service creation will fail otherwise).
You can then access nginx as follows. Get the application URL by running these commands:

```sh
export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-nginx-nginx-scone)
export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
```

You can then manually check that nginx is working with:

```sh
curl -o /dev/null -s -w "%{http_code}" http://$NODE_IP:$NODE_PORT
```

It should return 200.

Internal DNS entries (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78) will still be created, so you can use them when contacting nginx from inside the cluster.
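Both access recipes above end with a single curl that is expected to print 200, but when the port-forward (or the NodePort service) has just been created the first probe can race it and print 000. The script below is an added example, not part of the SconeApps chart: it wraps the ClusterIP recipe into a check that selects the pod by the chart's labels, starts the port-forward in the background, polls until the status is 200 or a timeout expires, and always tears the port-forward down. The release name my-nginx, namespace default, local port 8080 and the RUN_CHECK guard are this example's assumptions; the label selector is the one used in the README's own commands.

```sh
#!/bin/sh
# Added example (not from the SconeApps chart): verify a deployed nginx release over a
# port-forward, tolerating the start-up window of the forward and of the pod itself.
set -eu

NAMESPACE="${NAMESPACE:-default}"   # assumed namespace
RELEASE="${RELEASE:-my-nginx}"      # assumed Helm release name
LOCAL_PORT="${LOCAL_PORT:-8080}"    # assumed local port for the forward

# status_ok EXPECTED ACTUAL: 0 when the HTTP status code matches, 1 otherwise.
# Kept as its own function so the decision is testable without a cluster.
status_ok() {
  [ "$2" = "$1" ]
}

# wait_for_status EXPECTED TIMEOUT_SECONDS PROBE: run PROBE (a command printing an
# HTTP status code) once per second until it matches EXPECTED or time runs out.
wait_for_status() {
  expected="$1"; timeout="$2"; probe="$3"
  elapsed=0; code=""
  while [ "$elapsed" -lt "$timeout" ]; do
    code=$($probe 2>/dev/null || true)
    if status_ok "$expected" "$code"; then
      echo "got HTTP $code after ${elapsed}s"
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  echo "timed out after ${timeout}s (last status: '${code:-none}')" >&2
  return 1
}

# Real probe: the README's curl, printing only the status code.
probe_local() {
  curl -o /dev/null -s -w '%{http_code}' "http://127.0.0.1:${LOCAL_PORT}"
}

# check_release: find the pod by the chart's labels, forward a local port to it,
# wait for a 200, and stop the forward whatever the outcome.
check_release() {
  pod=$(kubectl get pods --namespace "$NAMESPACE" \
        -l "app.kubernetes.io/name=nginx-scone,app.kubernetes.io/instance=${RELEASE}" \
        -o jsonpath='{.items[0].metadata.name}')
  [ -n "$pod" ] || { echo "no pod found for release ${RELEASE}" >&2; return 1; }
  kubectl --namespace "$NAMESPACE" port-forward "$pod" "${LOCAL_PORT}:80" >/dev/null 2>&1 &
  pf_pid=$!
  trap 'kill "$pf_pid" 2>/dev/null' EXIT
  wait_for_status 200 30 probe_local
}

# Only talk to the cluster when explicitly asked: RUN_CHECK=1 ./check-nginx.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_release
fi
```

Because the probe is passed in as a command, the same polling logic can be pointed at the NodePort URL by swapping probe_local for a function that curls http://$NODE_IP:$NODE_PORT, and it can be exercised in CI with a stub that returns a fixed code.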
Parameters
A complete list of parameters this chart supports.
| Parameter | Description | Default |
|---|---|---|
| replicaCount | How many nginx instances to deploy | 1 |
| image.repository | nginx SCONE repository | registry.scontain.com:5050/sconecuratedimages/apps |
| image.pullPolicy | nginx SCONE pull policy | Always |
| image.tag | nginx SCONE tag | nginx-1.14.2-alpine-scone5 |
| imagePullSecrets.name | nginx SCONE pull secrets | [{"name": "sconeapps"}] |
| scone.attestation.enabled | Enable SCONE remote attestation | false |
| scone.attestation.lasUseHostIP | Use node host IP as LAS address | true |
| scone.attestation.las | LAS address, to be exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address. Note that this value is ignored if lasUseHostIP is set to true. | nil |
| scone.attestation.cas | CAS address, to be exported as SCONE_CAS_ADDR | 5-0-0.scone-cas.cf |
| scone.attestation.NGINXConfigID | nginx SCONE session, to be exported as SCONE_CONFIG_ID | nginx_policy/nginx |
| scone.attestation.env | SCONE environment variables to be exported into the container | SCONE_HEAP=2G,SCONE_FORK=1,SCONE_MODE=hw |
| useSGXDevPlugin | Use SGX Device Plugin to access SGX resources | "scone" |
| sgxEpcMem | Required by the Azure SGX Device Plugin. Protected EPC memory in MiB | nil |
| volume.enabled | Enable a volume in the pod to load custom nginx configuration | false |
| volume.name | Name of the nginx config volume | nginx-config |
| volume.volumeMounts.mountPath | The path within the nginx container where the config is to be mounted | /etc/nginx |
| volume.hostPath.path | The path within the host to the nginx config | /data/nginx |
| volume.hostPath.type | The type of the object accessed by the hostPath | Directory |
| serviceAccount.create | Create a serviceAccount to be used by the application | false |
| serviceAccount.annotations | Set annotations for the service account | {} |
| serviceAccount.name | Set a name for the service account | "" |
| podAnnotations | Define annotations for the pod | nil |
| podSecurityContext | Configure a security context for the pod | nil |
| securityContext | Configure a security context for the nginx container | {} |
| service.type | nginx SCONE service type. Use ClusterIP for a headless service. Use NodePort to have it exposed to the outside of the cluster. | ClusterIP |
| service.port | nginx SCONE server port | 80 |
| service.nodePort | Set a custom port to be used as NodePort. It must be available on all nodes | nil |
| ingress.enabled | Enable ingress controller resource | false |
| ingress.annotations | Ingress annotations | {} |
| ingress.hosts.host | Default host for the ingress resource | chart-example.local |
| ingress.hosts.tls | Enable TLS configuration for the hostname defined in the ingress.hosts.host parameter | [] |
| resources | CPU/Memory resource requests/limits for the nginx container | {} |
| autoscaling.enabled | Enable autoscaling for the nginx deployment | false |
| autoscaling.minReplicas | Minimum number of replicas to scale back to | 1 |
| autoscaling.maxReplicas | Maximum number of replicas to scale out to | 100 |
| autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage | 80 |
| nodeSelector | Node labels for pod assignment (this value is evaluated as a template) | {} |
| tolerations | List of node taints to tolerate (this value is evaluated as a template) | [] |
| affinity | Map of node/pod affinities (this value is evaluated as a template) | {} |
Set Parameters
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

```sh
helm install my-nginx-release --set scone.attestation.NGINXConfigID=my_name_space/nginx_policy,scone.attestation.cas=cas.example.com sconeapps/nginx
```

The above command sets the policy to my_name_space/nginx_policy and uses the CAS cas.example.com.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```sh
helm install my-nginx-release -f values.yaml sconeapps/nginx
```
One can use the default values.yaml
in the SconeApps repo