Manifests
Overview
The NitroEnclaveDeployment CustomResourceDefinition (CRD) defines how AWS Nitro Enclaves are deployed and managed within a Kubernetes cluster. By declaring a NitroEnclaveDeployment resource, you can:
- Provision Enclaves as Kubernetes Workloads: Enclaves get allocated dedicated CPU and memory on Nitro-enabled nodes, but are still administered through native Kubernetes constructs.
- Customize Container Behavior: The CRD lets you configure the primary application (user plugins) and privileged plugins (e.g. telemetry, logging) that run inside the secure enclave environment.
- Control Networking and Security: Set ingress rules, egress allowlists, and security contexts to strictly govern traffic flow and protect sensitive data.
By defining a NitroEnclaveDeployment manifest, users specify everything from CPU resources and hugepages to container images and environment variables, streamlining how enclave workloads are created, updated, and monitored within Kubernetes.