aws-nitro-enclaves-k8s-device-plugin's Introduction

Introduction

The Nitro Enclaves Device Plugin gives your pods and containers the ability to access the Nitro Enclaves device driver. The device plugin works with both Amazon EKS and self-managed Kubernetes nodes.

AWS Nitro Enclaves is an Amazon EC2 capability that enables customers to create isolated compute environments to further protect and securely process highly sensitive data within their EC2 instances.

Prerequisites

To utilize this device plugin, you will need:

  • A configured Kubernetes cluster.
  • At least one enclave-enabled node available in the cluster. An enclave-enabled node is an EC2 instance launched with the EnclaveOptions parameter set to true. For more information on creating an enclave-enabled node, review the using Nitro Enclaves with EKS user guide.

To build the plugin, you will need:

  • Docker

Usage

To deploy the device plugin to your Kubernetes cluster, use the following command:

kubectl apply -f https://raw.githubusercontent.com/aws/aws-nitro-enclaves-k8s-device-plugin/main/aws-nitro-enclaves-k8s-ds.yaml

After deploying the device plugin, label a node to enable the device plugin on it (the DaemonSet's nodeSelector only matches labelled nodes):

kubectl label node <node-name> aws-nitro-enclaves-k8s-dp=enabled

To list the nodes that have the plugin enabled, use the following command:

kubectl get nodes --show-labels | grep aws-nitro-enclaves-k8s-dp=enabled

To disable the plugin on a particular node, use the following command:

kubectl label node <node-name> aws-nitro-enclaves-k8s-dp-
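A preflight check for the labelling step above, added here as an example and not part of the plugin repository: it assumes the node label from this README and the aws.ec2.nitro/nitro_enclaves extended resource that the plugin advertises (the name appears in the capacity question in the issues section). The pod name and image passed to the renderer are placeholders.

```shell
#!/bin/sh
# Added example, not from the plugin repo. Names assumed from this page:
#   node label        aws-nitro-enclaves-k8s-dp=enabled  (DaemonSet nodeSelector)
#   extended resource aws.ec2.nitro/nitro_enclaves       (advertised by the plugin)
NE_LABEL='aws-nitro-enclaves-k8s-dp'
NE_RESOURCE='aws.ec2.nitro/nitro_enclaves'

# Decision logic kept free of kubectl so it can be exercised offline.
# Args: label value, node capacity, node allocatable. Returns 0 when enclave
# pods can be scheduled on the node, 1 otherwise (reason on stderr).
check_enclave_node() {
  label="$1"; capacity="$2"; allocatable="$3"
  if [ "$label" != "enabled" ]; then
    echo "label $NE_LABEL is '${label:-unset}': DaemonSet will not run here" >&2
    return 1
  fi
  # Empty or non-numeric means the plugin never registered the resource.
  case "$capacity" in ''|*[!0-9]*) capacity=0 ;; esac
  case "$allocatable" in ''|*[!0-9]*) allocatable=0 ;; esac
  if [ "$capacity" -lt 1 ]; then
    echo "plugin has not registered $NE_RESOURCE (capacity '${2:-unset}')" >&2
    return 1
  fi
  if [ "$allocatable" -lt 1 ]; then
    echo "capacity $capacity but nothing allocatable yet; kubelet still starting the plugin?" >&2
    return 1
  fi
}

# Live query (needs kubectl). Dots in the resource name are escaped for jsonpath.
node_enclave_status() {
  kubectl get node "$1" -o jsonpath='{.metadata.labels.aws-nitro-enclaves-k8s-dp}{"|"}{.status.capacity.aws\.ec2\.nitro/nitro_enclaves}{"|"}{.status.allocatable.aws\.ec2\.nitro/nitro_enclaves}'
}

# Minimal pod claiming one enclave slot; scheduled only where allocatable >= 1.
render_enclave_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
  - name: app
    image: $2
    resources:
      limits:
        $NE_RESOURCE: "1"
EOF
}
```

Feed the live query into the check with `IFS='|' read -r lbl cap alloc` and then `check_enclave_node "$lbl" "$cap" "$alloc"`; a node that passes will accept the rendered pod, while one with capacity 1 already consumed will leave further enclave pods Pending.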

Building the Device Plugin

To build the device plugin from its sources, use the following command:

./scripts/build.sh

After successfully running the script, the device plugin will be built as a Docker image with the name aws-nitro-enclaves-k8s-device-plugin.

Running Nitro Enclaves in a Kubernetes Cluster

There is a guide available on how to run Nitro Enclaves in EKS clusters. See this link to learn more.

License

This project is licensed under the Apache-2.0 License.

aws-nitro-enclaves-k8s-device-plugin's Issues

k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1: cannot compile Go 1.22 code

  1. I have EKS v1.29 and one worker node with the "Nitro Enclaves" feature. When I run the command ./scripts/build.sh I get an error:

Step 7/10 : RUN CGO_ENABLED=0 go build -a -ldflags='-s -w -extldflags="-static"' . ---> Running in eb24d5a92f02 k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1: cannot compile Go 1.22 code The command '/bin/sh -c CGO_ENABLED=0 go build -a -ldflags='-s -w -extldflags="-static"' .' returned a non-zero code: 1

  2. I changed the Dockerfile to install Go 1.19:

```dockerfile
# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# Build the device plugin from sources

FROM amazonlinux:2 as builder

# Install dependencies
RUN yum install -y wget tar gzip

# Download and install Go 1.19
RUN wget https://go.dev/dl/go1.19.linux-amd64.tar.gz
RUN tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz

# Set Go environment variables
ENV PATH=$PATH:/usr/local/go/bin
ENV GOPATH=/go
ENV PATH=$GOPATH/bin:$PATH

# Absolute path, so the COPY --from below resolves to the same directory
WORKDIR /build_dir
COPY *.go ./
COPY go.sum ./

RUN go mod init k8s-ne-device-plugin && \
    go mod tidy && \
    go mod vendor

RUN CGO_ENABLED=0 go build -a -ldflags='-s -w -extldflags="-static"' .

# Create a bare minimum image that only contains the device plugin binary.

FROM scratch as device_plugin

COPY --from=builder /build_dir/k8s-ne-device-plugin /usr/bin/k8s-ne-device-plugin

CMD ["/usr/bin/k8s-ne-device-plugin","-logtostderr=true","-v=0"]
```

After that, I get the Docker image:

docker images
REPOSITORY                             TAG          IMAGE ID       CREATED          SIZE
aws-nitro-enclaves-k8s-device-plugin   0.1-x86_64   80c0010ef8bf   22 seconds ago   9.66MB
ne-k8s-device-plugin-build             latest       8787e57c058d   24 seconds ago   1.44GB
amazonlinux                            2            e76800ed324e   2 weeks ago      165MB

But this image does not run in EKS:

Back-off restarting failed container aws-nitro-enclaves-k8s-dp in pod aws-nitro-enclaves-k8s-daemonset-8lb8v_kube-system

  3. My k8s manifest file. I changed only the image parameter to point to my ECR:
apiVersion: v1
kind: Namespace
metadata:
  name: nitro-enclaves
  labels:
    name: nitro-enclaves
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: aws-nitro-enclaves-k8s-daemonset
  namespace: kube-system
  labels:
    name: aws-nitro-enclaves-k8s-dp
    role: agent
spec:
  selector:
    matchLabels:
      name: aws-nitro-enclaves-k8s-dp
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: aws-nitro-enclaves-k8s-dp
      annotations:
        node.kubernetes.io/bootstrap-checkpoint: "true"
    spec:
      nodeSelector:
        aws-nitro-enclaves-k8s-dp: enabled
      priorityClassName: "system-node-critical"
      hostname: aws-nitro-enclaves-k8s-dp
      containers:
      - name: aws-nitro-enclaves-k8s-dp
        image: 123456789012.dkr.ecr.us-west-1.amazonaws.com/enclave:1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          limits:
            cpu: 100m
            memory: 15Mi
          requests:
            cpu: 10m
            memory: 15Mi
        volumeMounts:
          - name: device-plugin
            mountPath: /var/lib/kubelet/device-plugins
          - name: dev-dir
            mountPath: /dev
          - name: sys-dir
            mountPath: /sys
      volumes:
        - name: device-plugin
          hostPath:
            path: /var/lib/kubelet/device-plugins
        - name: dev-dir
          hostPath:
            path: /dev
        - name: sys-dir
          hostPath:
            path: /sys
      terminationGracePeriodSeconds: 30

[Question] - Increase the nitro_enclaves capacity

I'm testing EKS with Nitro Enclaves and I'm not making any progress.

When I apply the plugin, it adds the value aws.ec2.nitro/nitro_enclaves: "1" to the node's Capacity.

This way it is possible to run only one pod with a Nitro Enclave on each node.

Is it possible to increase this value? How can I do this?

Helm Chart

While the installation of the device plugin is simple enough, it would be great to have a helm chart installation option. This would help simplify plugin version management and installation when tools like Terraform and Renovate are used.
