aws / aws-nitro-enclaves-k8s-device-plugin

Nitro Enclaves Kubernetes Device Plugin
Apache License 2.0

Introduction

The Nitro Enclaves Device Plugin gives your pods and containers the ability to access the Nitro Enclaves device driver. The device plugin works with both Amazon EKS and self-managed Kubernetes nodes.

AWS Nitro Enclaves is an Amazon EC2 capability that enables customers to create isolated compute environments to further protect and securely process highly sensitive data within their EC2 instances.

Prerequisites

To utilize this device plugin, you will need:

To build the plugin, you will need:

Usage

To deploy the device plugin to your Kubernetes cluster, use the following command:

kubectl apply -f https://raw.githubusercontent.com/aws/aws-nitro-enclaves-k8s-device-plugin/main/aws-nitro-enclaves-k8s-ds.yaml

After deploying the device plugin, use labelling to enable the device plugin on a particular node:

kubectl label node <node-name> aws-nitro-enclaves-k8s-dp=enabled

To see the list of nodes that have the plugin enabled, use the following command:

kubectl get nodes --show-labels | grep aws-nitro-enclaves-k8s-dp=enabled

To disable the plugin on a particular node, use the following command:

kubectl label node <node-name> aws-nitro-enclaves-k8s-dp-

Building the Device Plugin

To build the device plugin from its sources, use the following command:

./scripts/build.sh

After successfully running the script, the device plugin will be built as a Docker image with the name aws-nitro-enclaves-k8s-device-plugin.

Running Nitro Enclaves in a Kubernetes Cluster

There is a guide available on how to run Nitro Enclaves in EKS clusters. See this link to learn more.

License

This project is licensed under the Apache-2.0 License.