Skip to content

SconeApps: nginx

Deploy a secure nginx to your Kubernetes cluster.

Prerequisites

  • A Kubernetes cluster;

Install the chart

Add the repo

If you haven't yet, please add the SconeApps repo to Helm.

Create a SCONE CAS policy for nginx

The default policy name for the memcached chart is set to be nginx_policy/nginx and the default SCONE is defined to be 5-0-0.scone-cas.cf. You can overwrite these defaults by setting parameters scone.attestation.cas and scone.attestation.NGINXConfigID (see Parameters).

See secure document management for details about how to create a policy that defines TLS certificates for nginx.

Install the chart

To deploy nginx SCONE with the default parameters to your Kubernetes cluster:

helm install my-nginx sconeapps/nginx

Have a look at the Parameters section for a complete list of parameters this chart supports.

SGX device

By default, this helm chart uses the SCONE SGX Plugin. Hence, it sets the resource limits of CAS as follows:

resources:
  limits:
    sgx.k8s.io/sgx: 1

Alternatively, set useSGXDevPlugin to azure (e.g., --useSGXDevPlugin=azure) to support Azure's SGX Device Plugin. Since Azure requires the amount of EPC memory allocated to your application to be specified, the parameter sgxEpcMem (SGX EPC memory in MiB) becomes required too (e.g., --set useSGXDevPlugin=azure --set sgxEpcMem=16).

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device into your container by setting:

extraVolumes:
  - name: dev-isgx
    hostPath:
      path: /dev/isgx

extraVolumeMounts:
  - name: dev-isgx
    path: /dev/isgx

Please note that mounting the local SGX device into your container requires privileged mode, which will grant your container access to ALL host devices. To enable privileged mode, set securityContext:

securityContext:
  privileged: true

Testing your chart

This chart includes tests to make sure your nginx is working as expected. This current version does not yet possess a corresponding policy, and thus scone.attestation is current not enabled.

To run the tests, simply run:

helm test my-nginx

Helm will print the result of the tests:

NAME: my-nginx
LAST DEPLOYED: Wed Dec 16 11:15:47 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE:     my-nginx-nginx-scone-test-connection
Last Started:   Wed Dec 16 11:16:24 2020
Last Completed: Wed Dec 16 11:16:29 2020
Phase:          Succeeded

If the tests are successful, Helm will delete the deployed tests resources automatically.

Accessing your nginx

This chart supports two service types for nginx: ClusterIP and NodePort.

ClusterIP

If service.type is set to "ClusterIP", a headless service will be created for nginx, which means that each nginx instance can only be accessed from within the cluster, through its internal DNS name (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78).

You can access the pod as follows:

Get the application URL by running these commands: 

export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=nginx-scone,app.kubernetes.io/instance=chart-1608114800" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace default port-forward $POD_NAME 8080:80

You can then manually check that the nginx is working by:

curl -o /dev/null -s -w "%{http_code}" 127.0.0.1:8080

It should then return 200

NodePort

You can also set service.type to NodePort, and the nginx instance will be exposed to the outside through the same port in every worker node. By default, the port is randomly assigned by Kubernetes. You can define a custom port by setting service.nodePort, but keep in mind that this port must be available (service creation will fail otherwise).

You can then access the nginx as follows:

Get the application URL by running these commands:

export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services my-nginx-nginx-scone)
export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT

You can then manually check that the nginx is working by:

curl -o /dev/null -s -w "%{http_code}" http://$NODE_IP:$NODE_PORT

It should then return 200

Internal DNS entries (e.g., RELEASE-nginx-scone-7dbb5d97c7-ktt78) will still be created, so you can use them when contacting nginx from inside the cluster.

Parameters

A complete list of parameters this chart supports.

Parameter Description Default
replicaCount How many nginx instances to deploy 1
image.repository nginx SCONE repository registry.scontain.com:5050/sconecuratedimages/apps
image.pullPolicy nginx SCONE pull policy Always
image.tag nginx SCONE tag nginx-1.14.2-alpine-scone5
imagePullSecrets.name nginx SCONE pull secrets [{"name": "sconeapps"}]
scone.attestation.enabled Enable SCONE remote attestation false
scone.attestation.lasUseHostIP Use node host IP as LAS address true
scone.attestation.las LAS address, to be exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address. Note that this value is not considered if lasUseHostIP is set to true. nil
scone.attestation.cas CAS address, to be exported as SCONE_CAS_ADDR 5-0-0.scone-cas.cf
scone.attestation.NGINXConfigID nginx SCONE session. To be exported as SCONE_CONFIG_ID nginx_policy/nginx
scone.attestation.env SCONE environment variables to be exported into the container SCONE_HEAP=2G,SCONE_FORK=1,SCONE_MODE=hw
useSGXDevPlugin Use SGX Device Plugin to access SGX resources. "scone"
sgxEpcMem Required to Azure SGX Device Plugin. Protected EPC memory in MiB nil
volume.enabled Enables a volume in the pod to load custom nginx configuration false
volume.name Name of the nginx config volume nginx-config
volume.volumeMounts.mountPath The path within the nginx container where the config is to be mounted /etc/nginx
volume.hostPath.path The within the host to the nginx config /data/nginx
volume.hostPath.type The type of the object accessed by the hostPath Directory
serviceAccount.create Create a serviceAccount to be used by the application false
serviceAccount.annotations Set annotations for the service account {}
serviceAccount.name Set a name for the service account ""
podAnnotations Define annotations for the pod nil
podSecurityContext Configure a security context for the pod nil
securityContext Configure a security context for the pod {}
service.type nginx SCONE service type. Use ClusterIP for a headless service. Use NodePort to have it exposed to the outside of the cluster. ClusterIP
service.port nginx SCONE server port 80
service.nodePort Set a custom port to be used as NodePort. It must be available on all nodes nil
ingress.enabled Enable ingress controller resource false
ingress.annotations Ingress annotations {}
ingress.hosts.host Default host for the ingress resource chart-example.local
ingress.hosts.tls Enable TLS configuration for the hostname defined at ingress.hosts.host parameter []
resources CPU/Memory resource requests/limits for node. {}
autoscaling.enabled Enable autoscaling for nginx deployment false
autoscaling.minReplicas Minimum number of replicas to scale back 1
autoscaling.maxReplicas Maximum number of replicas to scale out 100
autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage 80
nodeSelector Node labels for pod assignment (this value is evaluated as a template) {}
tolerations List of node taints to tolerate (this value is evaluated as a template) []
affinity Map of node/pod affinities (The value is evaluated as a template) {}

Set Parameters

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-nginx-release --set scone.attestation.NGINXConfigID=my_name_space/nginx_policy,scone.attestation.cas=cas.example.com sconeapps/nginx

The above command sets the policy to my_name_space/memcached_policy and using the CAS cas.example.com.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-nginx-release -f values.yaml sconeapps/nginx

One can use the default values.yaml in the SconeApps repo