Manifests
Allowlists for Outbound Connections
In OBLV Deploy, managing outbound connections for your containers and plugins is crucial for controlling network access and security. You can explicitly define rules for outbound connections in the NitroEnclaveDeployment, ensuring that only approved connections are allowed.
Defining Outbound Connections
The outbound connections schema allows you to specify rules for outbound connections in your containers and plugins. Each outbound connection is represented as an object with the following properties:
| Field | Description | Usage |
|---|---|---|
| type | The kind of outbound connection | One of default, enclave, or proxy |
| fqdn | Fully Qualified Domain Name of the destination of the outbound connection | Example: oblv.com |
| port | Port number for the outbound connection | Integer value specifying the port number |
| proxyUrl | URL of the attestation proxy | Example: https://kms-proxy.oblv.com |
| attestationPort | Port for attestation on the attestation proxy | Integer value specifying the port number |
| proxyAttestationIntervalSeconds | Interval at which the enclave re-attests with the proxy | Default is 15; can be configured to any value from 15 to 300 |
| configMap | Reference to a ConfigMap containing the configuration file of the peer enclave | The name of the ConfigMap as a string |
Usage
Within the specification of your user plugin or a privileged plugin, include the outboundConnections attribute and specify the outbound connection rules. You can define multiple outbound connections by adding objects to the array.
Example
```yaml
userPlugins:
  - name: fastapi
    image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
    ports:
      - containerPort: 8001
        hostPort: 4455
    command:
      - "python"
      - "/app/uvicorn_runner.py"
    outboundConnections:
      - type: default
        fqdn: "oblv.com"
        port: 443
      - type: proxy
        fqdn: "kms.us-west-2.amazonaws.com"
        port: 443
        proxyUrl: "https://kms-proxy.oblv.com"
        attestationPort: 12200
      - type: enclave
        fqdn: spark-worker.default.svc.cluster.local
        port: 7076
        configMap: "spark-worker-oblv-cli-config"
```
In this example:
- The first outbound connection specifies the FQDN oblv.com. This is a normal TCP outbound.
- The second outbound connection connects to kms.us-west-2.amazonaws.com using an attestation proxy running at https://kms-proxy.oblv.com. This outbound is of type proxy.
- The third outbound connection is to another enclave within the same Kubernetes cluster.
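As an added example (not part of OBLV Deploy or of this page), a small Python lint that checks outboundConnections entries against the rules in the table above before a manifest is applied. It assumes, from the example rather than from any explicit statement on the page, that a proxy entry requires proxyUrl and attestationPort and that an enclave entry requires configMap.

```python
from urllib.parse import urlparse
# Added example, not OBLV Deploy's own code: a pre-deploy lint for the
# outboundConnections entries in the table above. Assumption (implied by the
# page's example, not stated): proxy needs proxyUrl+attestationPort, enclave needs configMap.
VALID_TYPES = {"default", "enclave", "proxy"}
REQUIRED_BY_TYPE = {"default": set(), "proxy": {"proxyUrl", "attestationPort"},
                    "enclave": {"configMap"}}
def is_port(value):
    # bool subclasses int, so a YAML `port: true` must be rejected explicitly
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535

def validate_outbound(conn):
    """Return the list of problems in one outboundConnections entry ([] if clean)."""
    errors = []
    ctype = conn.get("type")
    if ctype not in VALID_TYPES:
        return [f"type must be one of {sorted(VALID_TYPES)}, got {ctype!r}"]
    if not isinstance(conn.get("fqdn"), str) or not conn["fqdn"]:
        errors.append("fqdn is required and must be a non-empty string")
    if not is_port(conn.get("port")):
        errors.append(f"port must be an integer in 1..65535, got {conn.get('port')!r}")
    for field in sorted(REQUIRED_BY_TYPE[ctype] - set(conn)):
        errors.append(f"type {ctype} requires {field}")
    if ctype == "proxy":
        url = urlparse(str(conn.get("proxyUrl", "")))
        if "proxyUrl" in conn and not (url.scheme and url.netloc):
            errors.append("proxyUrl must be an absolute URL with scheme and host")
        if "attestationPort" in conn and not is_port(conn["attestationPort"]):
            errors.append("attestationPort must be an integer in 1..65535")
        # The page's default re-attestation interval is 15 s; allowed range is 15..300.
        interval = conn.get("proxyAttestationIntervalSeconds", 15)
        if not (isinstance(interval, int) and 15 <= interval <= 300):
            errors.append(f"proxyAttestationIntervalSeconds must be 15..300, got {interval!r}")
    return errors

def validate_all(connections):
    """Map entry index -> problems, for every entry that has any (empty dict = clean)."""
    return {i: errs for i, c in enumerate(connections) if (errs := validate_outbound(c))}

# Constructed sample: the page's three fastapi entries (clean) plus a fourth, deliberately
# broken proxy entry (missing attestationPort, interval below the 15-second minimum).
SAMPLE = [
    {"type": "default", "fqdn": "oblv.com", "port": 443},
    {"type": "proxy", "fqdn": "kms.us-west-2.amazonaws.com", "port": 443,
     "proxyUrl": "https://kms-proxy.oblv.com", "attestationPort": 12200},
    {"type": "enclave", "fqdn": "spark-worker.default.svc.cluster.local",
     "port": 7076, "configMap": "spark-worker-oblv-cli-config"},
    {"type": "proxy", "fqdn": "kms.us-west-2.amazonaws.com", "port": 443,
     "proxyUrl": "https://kms-proxy.oblv.com", "proxyAttestationIntervalSeconds": 5},
]
```

Running validate_all(SAMPLE) flags only the fourth entry; to lint a real manifest, load the YAML with a parser and pass each plugin's outboundConnections list.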