The Nitro Enclaves Device Plugin gives your pods and containers the ability to access the Nitro Enclaves device driver.
The device plugin works with both Amazon EKS and self-managed Kubernetes nodes.
AWS Nitro Enclaves is an Amazon EC2 capability that enables customers to create isolated compute environments to further protect and securely process highly sensitive data within their EC2 instances.
To utilize this device plugin, you will need:
- A configured Kubernetes cluster.
- At least one enclave-enabled node available in the cluster. An enclave-enabled node is an EC2 instance with the EnclaveOptions parameter set to true.
For more information on creating an enclave-enabled EKS worker node, review the Using Nitro Enclaves with EKS user guide.
To build the plugin, you will need:
- Docker
The device plugin supports the following two configuration options via the device plugin daemon set's environment variables:

MAX_ENCLAVES_PER_NODE: AWS EKS nodes can support up to 4 enclaves per node. The number can be reduced if required; it is evaluated by the Kubernetes scheduler when placing pods.
  - name: MAX_ENCLAVES_PER_NODE
    value: "4"
If deployed, EKS worker nodes advertise the number of available enclave resources in the following way:
  Capacity:
    aws.ec2.nitro/nitro_enclaves: 4

Kubernetes workloads request access to an enclave by adding aws.ec2.nitro/nitro_enclaves to the resources limits and requests sections:
  resources:
    limits:
      aws.ec2.nitro/nitro_enclaves: "1"
    requests:
      aws.ec2.nitro/nitro_enclaves: "1"
ENCLAVE_CPU_ADVERTISEMENT: Advertise the number of offline CPUs on a specific EKS worker node. The number of offline CPUs reflects the number of CPUs allocated by the Nitro allocation service during EKS worker node startup. By advertising the number of available CPUs, workloads can request a specific number of CPUs for their enclaves, and the Kubernetes scheduler can place workloads according to the CPUs available on each EKS worker node. Set to false by default.
  - name: ENCLAVE_CPU_ADVERTISEMENT
    value: "false"
If enabled, EKS worker nodes advertise the allocatable enclave CPUs in the following way:
  Capacity:
    aws.ec2.nitro/nitro_enclaves_cpus: 12
Kubernetes workloads can request CPUs for their enclaves (e.g. 2) by adding aws.ec2.nitro/nitro_enclaves_cpus: "2" to the resources limits and requests sections as shown below:
  resources:
    limits:
      aws.ec2.nitro/nitro_enclaves_cpus: "2"
    requests:
      aws.ec2.nitro/nitro_enclaves_cpus: "2"
The following snippet represents a fully populated resources section for a Kubernetes pod requesting access to a single enclave that requires 2Gi of memory and access to 2 CPUs.
Refer to the official Using Nitro Enclaves with Amazon EKS documentation for more information on the different options in the deployment spec.
  resources:
    limits:
      aws.ec2.nitro/nitro_enclaves: "1"
      aws.ec2.nitro/nitro_enclaves_cpus: "2"
      hugepages-1Gi: 2Gi
      cpu: 250m
    requests:
      aws.ec2.nitro/nitro_enclaves: "1"
      aws.ec2.nitro/nitro_enclaves_cpus: "2"
      hugepages-1Gi: 2Gi
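The resource names above are extended resources: Kubernetes only schedules the pod when limits and requests for them agree and a node advertises enough capacity. The following added example (not part of the device plugin project) checks a pod's resources section against a node's advertised Capacity before it is applied; the sample resources and capacity values are constructed from the snippets in this README, and the hugepages check reflects the hugepages-1Gi entry used above for enclave memory.

```python
# Added example: pre-apply consistency check for Nitro Enclaves pod resources.
ENCLAVES = "aws.ec2.nitro/nitro_enclaves"
ENCLAVE_CPUS = "aws.ec2.nitro/nitro_enclaves_cpus"
HUGEPAGES = "hugepages-1Gi"

# Constructed sample input: the fully populated resources section from this README.
SAMPLE_RESOURCES = {
    "limits": {ENCLAVES: "1", ENCLAVE_CPUS: "2", HUGEPAGES: "2Gi", "cpu": "250m"},
    "requests": {ENCLAVES: "1", ENCLAVE_CPUS: "2", HUGEPAGES: "2Gi"},
}
# Constructed sample node Capacity as advertised by the plugin with
# MAX_ENCLAVES_PER_NODE=4 and ENCLAVE_CPU_ADVERTISEMENT=true.
SAMPLE_NODE_CAPACITY = {ENCLAVES: 4, ENCLAVE_CPUS: 12}


def _count(value):
    """Extended resource quantities are plain integers ("2" -> 2)."""
    return int(str(value))


def check_enclave_resources(resources, node_capacity):
    """Return a list of problems; an empty list means the section is consistent."""
    limits = resources.get("limits", {})
    requests = resources.get("requests", {})
    problems = []
    for key in (ENCLAVES, ENCLAVE_CPUS):
        lim, req = limits.get(key), requests.get(key)
        if lim is None and req is None:
            if key == ENCLAVES:
                problems.append(f"{key} missing: the pod gets no enclave device")
            continue  # enclave CPUs are optional (advertisement may be disabled)
        # Extended resources must be set in both sections with equal values.
        if lim is None or req is None or _count(lim) != _count(req):
            problems.append(f"{key}: limits ({lim}) and requests ({req}) must match")
            continue
        # The scheduler only places the pod on a node advertising enough capacity.
        cap = node_capacity.get(key)
        if cap is None:
            problems.append(f"{key}: node does not advertise this resource")
        elif _count(lim) > _count(cap):
            problems.append(f"{key}: requested {lim} exceeds node capacity {cap}")
    if HUGEPAGES not in limits or HUGEPAGES not in requests:
        problems.append(f"{HUGEPAGES} missing: enclave memory is backed by hugepages")
    return problems


if __name__ == "__main__":
    for problem in check_enclave_resources(SAMPLE_RESOURCES, SAMPLE_NODE_CAPACITY):
        print("problem:", problem)
```

Running the module prints nothing for the README's own snippet; a mismatched or oversized request produces one line per finding.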
To deploy the device plugin to your Kubernetes cluster, use the following command:
kubectl apply -f https://raw.githubusercontent.com/aws/aws-nitro-enclaves-k8s-device-plugin/main/aws-nitro-enclaves-k8s-ds.yaml
After deploying the device plugin, use labelling to enable the device plugin on a particular node:
kubectl label node <node-name> aws-nitro-enclaves-k8s-dp=enabled
To see the list of nodes that have the plugin enabled, use the following command:
kubectl get nodes --show-labels | grep aws-nitro-enclaves-k8s-dp=enabled
To disable the plugin on a particular node, use the following command:
kubectl label node <node-name> aws-nitro-enclaves-k8s-dp-
To deploy the Helm chart for the device plugin to your Kubernetes cluster, refer to the Helm README.
To build the device plugin from its sources, use the following command:
./scripts/build.sh
After successfully running the script, the device plugin will be built as a Docker image with the name aws-nitro-enclaves-k8s-device-plugin.
There is a guide available on how to run Nitro Enclaves in EKS clusters. See this link to learn more.
This project is licensed under the Apache-2.0 License.