
Allowlists for Outbound Connections

In OBLV Deploy, outbound connections from your containers and plugins are allowlisted: you explicitly define the permitted destinations in the NitroEnclaveDeployment manifest, and only those connections are allowed. Anything not listed is blocked, which is what makes the allowlist a meaningful network-access control for the enclave.

Defining Outbound Connections

The outbound connections schema lets you specify rules for outbound connections from your containers and plugins. Each outbound connection is an object with the following properties; which of them are required depends on the `type`:

| Field | Description | Usage |
|---|---|---|
| `type` | Kind of outbound connection | One of `default`, `enclave`, or `proxy` |
| `fqdn` | Fully Qualified Domain Name of the destination | Example: `oblv.com` |
| `port` | Destination port of the outbound connection | Integer port number |
| `proxyUrl` | URL of the attestation proxy (used with `type: proxy`) | Example: `https://kms-proxy.oblv.com` |
| `attestationPort` | Port on the attestation proxy used for attestation (used with `type: proxy`) | Integer port number |
| `proxyAttestationIntervalSeconds` | Interval at which the enclave re-attests with the proxy (used with `type: proxy`) | Default is 15; any value from 15 to 300 |
| `configMap` | ConfigMap containing the configuration file of the peer enclave (used with `type: enclave`) | The ConfigMap name as a string |

Usage

Within the specification of your user plugin or a privileged plugin, include the outboundConnections attribute and specify the outbound connection rules. You can define multiple outbound connections by adding objects to the array.

Example

```yaml
userPlugins:
  - name: fastapi
    image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
    ports:
      - containerPort: 8001
        hostPort: 4455
    command:
      - "python"
      - "/app/uvicorn_runner.py"
    outboundConnections:
      - type: default
        fqdn: "oblv.com"
        port: 443
      - type: proxy
        fqdn: "kms.us-west-2.amazonaws.com"
        port: 443
        proxyUrl: "https://kms-proxy.oblv.com"
        attestationPort: 12200
      - type: enclave
        fqdn: spark-worker.default.svc.cluster.local
        port: 7076
        configMap: "spark-worker-oblv-cli-config"
```

In this example:

  • The first rule (type default) allows a plain TCP connection to oblv.com on port 443. No attestation is involved.
  • The second rule (type proxy) allows a connection to kms.us-west-2.amazonaws.com on port 443 through the attestation proxy at https://kms-proxy.oblv.com, attesting on port 12200. proxyAttestationIntervalSeconds is omitted, so the enclave re-attests with the proxy at the default interval of 15 seconds.
  • The third rule (type enclave) allows a connection to another enclave in the same Kubernetes cluster, spark-worker.default.svc.cluster.local on port 7076. The ConfigMap spark-worker-oblv-cli-config supplies the peer enclave's configuration file.

Each rule is specific to one FQDN and one port, so a destination that must be reached on several ports needs one entry per port; any destination and port combination not listed is not reachable from the plugin.
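To make the schema rules above concrete, here is an added example (not OBLV Deploy's own code) that validates a list of outboundConnections entries against the table on this page and performs the allowlist lookup a connection would be subject to. The type-specific required fields, the port range, and the 15 to 300 second range for proxyAttestationIntervalSeconds come from the page; the RFC 1123 hostname check, the requirement that proxyUrl use https://, and the function names are assumptions of this example. The manifest rules are expressed as Python dicts so the script runs without a YAML dependency.

```python
"""Validate OBLV Deploy outboundConnections entries and resolve a destination.

Added example, not part of OBLV Deploy. Field rules follow the documentation
table; hostname syntax and the https-only proxyUrl check are assumptions.
"""
import re
from typing import Any, Dict, List, Optional

RuleT = Dict[str, Any]

# Required and optional fields per type (from the documentation table).
REQUIRED_BY_TYPE: Dict[str, set] = {
    "default": {"type", "fqdn", "port"},
    "proxy": {"type", "fqdn", "port", "proxyUrl", "attestationPort"},
    "enclave": {"type", "fqdn", "port", "configMap"},
}
OPTIONAL_BY_TYPE: Dict[str, set] = {
    "default": set(),
    "proxy": {"proxyAttestationIntervalSeconds"},
    "enclave": set(),
}
INTERVAL_MIN, INTERVAL_MAX, INTERVAL_DEFAULT = 15, 300, 15

# RFC 1123 label syntax. Assumption: the page only says "FQDN".
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_fqdn(fqdn: str) -> str:
    """Lower-case and drop a trailing dot so lookups compare the way DNS does."""
    return fqdn.strip().rstrip(".").lower()


def _is_fqdn(value: Any) -> bool:
    if not isinstance(value, str) or not value.strip():
        return False
    name = normalize_fqdn(value)
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def _is_port(value: Any) -> bool:
    # bool is a subclass of int; reject it so `port: true` does not slip through.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate_rule(rule: RuleT, index: int = 0) -> List[str]:
    """Return the problems found in one outboundConnections entry ([] if it is fine)."""
    where = f"outboundConnections[{index}]"
    kind = rule.get("type")
    if kind not in REQUIRED_BY_TYPE:
        return [f"{where}: type must be one of default, enclave, proxy (got {kind!r})"]
    errors: List[str] = []
    required = REQUIRED_BY_TYPE[kind]
    allowed = required | OPTIONAL_BY_TYPE[kind]
    for field in sorted(required - set(rule)):
        errors.append(f"{where}: type {kind} requires '{field}'")
    for field in sorted(set(rule) - allowed):
        errors.append(f"{where}: '{field}' is not valid for type {kind}")
    if "fqdn" in rule and not _is_fqdn(rule["fqdn"]):
        errors.append(f"{where}: fqdn {rule['fqdn']!r} is not a valid hostname")
    for port_field in ("port", "attestationPort"):
        if port_field in rule and not _is_port(rule[port_field]):
            errors.append(f"{where}: {port_field} must be an integer in 1-65535")
    if kind == "proxy":
        url = rule.get("proxyUrl")
        # Assumption: the attestation proxy is always reached over TLS.
        if url is not None and not (isinstance(url, str) and url.startswith("https://")):
            errors.append(f"{where}: proxyUrl must be an https:// URL")
        interval = rule.get("proxyAttestationIntervalSeconds", INTERVAL_DEFAULT)
        if not (isinstance(interval, int) and not isinstance(interval, bool)
                and INTERVAL_MIN <= interval <= INTERVAL_MAX):
            errors.append(f"{where}: proxyAttestationIntervalSeconds must be "
                          f"{INTERVAL_MIN}-{INTERVAL_MAX}")
    return errors


def validate_outbound_connections(rules: List[RuleT]) -> List[str]:
    """Validate every entry; an empty list means the allowlist is well-formed."""
    errors: List[str] = []
    for i, rule in enumerate(rules):
        errors.extend(validate_rule(rule, i))
    return errors


def find_rule(rules: List[RuleT], fqdn: str, port: int) -> Optional[RuleT]:
    """Allowlist lookup: first rule matching fqdn and port, or None (connection denied)."""
    target = normalize_fqdn(fqdn)
    for rule in rules:
        if normalize_fqdn(rule["fqdn"]) == target and rule["port"] == port:
            return rule
    return None


# Constructed sample: the three rules from the manifest above, plus one broken entry
# that is missing proxyUrl and sets the re-attestation interval below the minimum.
PAGE_RULES: List[RuleT] = [
    {"type": "default", "fqdn": "oblv.com", "port": 443},
    {"type": "proxy", "fqdn": "kms.us-west-2.amazonaws.com", "port": 443,
     "proxyUrl": "https://kms-proxy.oblv.com", "attestationPort": 12200},
    {"type": "enclave", "fqdn": "spark-worker.default.svc.cluster.local", "port": 7076,
     "configMap": "spark-worker-oblv-cli-config"},
]
BROKEN_RULE: RuleT = {"type": "proxy", "fqdn": "kms.us-west-2.amazonaws.com", "port": 443,
                      "attestationPort": 12200, "proxyAttestationIntervalSeconds": 5}

if __name__ == "__main__":
    print(validate_outbound_connections(PAGE_RULES))
    print(validate_rule(BROKEN_RULE))
    print(find_rule(PAGE_RULES, "OBLV.COM.", 443))
    print(find_rule(PAGE_RULES, "oblv.com", 80))
```

Running the script prints an empty error list for the three documented rules, two errors for the broken proxy rule, the default rule for oblv.com (matched case-insensitively and with the trailing dot stripped), and None for oblv.com on port 80, which is the denied case: a port not in the allowlist is not reachable even when the host is.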