Getting Started
Prerequisites
Before the Kube OBLV Stack chart can be installed, two of the controllers it depends on need AWS IAM permissions, and the enclave pod itself needs permission to read its image from S3. Each step below creates an IAM policy and a Kubernetes service account bound to that policy. Once these are in place, you can proceed with the installation.
This page is for administrators who want to deploy an application with OBLV Deploy. If you are a user who wants to connect to an already deployed application, refer to the Making an Attested Connection guide.
The kube-oblv-stack is a Helm chart for deploying OBLV Deploy on Kubernetes. It bundles the OBLV Deploy Helm chart, which installs OBLV Deploy, together with the controllers it depends on. Each dependency below needs its own IAM configuration: a Kubernetes service account with an IAM policy attached to it (IAM Roles for Service Accounts, which is what eksctl create iamserviceaccount sets up):
- AWS Load Balancer Controller: manages Elastic Load Balancers (ELBs) for the cluster. It is designed for Amazon EKS (Elastic Kubernetes Service) and exposes the applications running inside the enclaves to users through AWS load balancers.
- Bitnami External DNS chart: External DNS is a Kubernetes add-on that automatically manages DNS records for services in the cluster. It creates DNS records pointing at the load balancers so that users can reach the applications by DNS name.
The Kube OBLV Stack chart can be installed with all of its bundled dependencies, or with only the ones that are not already present in the cluster.
When installing the oblv-deploy-stack umbrella chart, set the enabled value to true for each controller or subchart you want it to install. For example, if the AWS Load Balancer Controller is not already installed, set enabled=true for it:
--set aws-load-balancer-controller.enabled=true
Prerequisites to pull the Enclave Image File
The enclave pod boots the enclave services from an Enclave Image File (EIF) that it pulls from Amazon S3, so it needs IAM permission to read that object. This section creates an IAM policy granting S3 read access, then a Kubernetes service account with the policy attached, so that the enclave pod runs with those permissions. Note that the policy below uses "Resource": "*", which grants read access to every bucket in the account; for a production cluster, narrow the Resource to the bucket (and prefix) that holds the EIF.
- Create the required IAM policy document aws_s3_access.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Describe*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    }
  ]
}
- Using the created policy document, create an IAM policy for the enclave pod:
aws iam create-policy \
  --policy-name "EnclavePodS3AccessPolicy" \
  --policy-document file://aws_s3_access.json
Copy the Amazon Resource Name (ARN) of the IAM policy returned by this command; it is needed in the next step. (Adding --query Policy.Arn --output text to the command prints only the ARN, which is convenient for scripting.)
- Create a service account for the enclave pod and attach the IAM policy to it:
eksctl create iamserviceaccount \
  --name enclave-pod \
  --namespace default \
  --cluster ${CLUSTER_NAME} \
  --attach-policy-arn={ARN of the created IAM Policy from the previous step} \
  --approve \
  --override-existing-serviceaccounts \
  --region ${CLUSTER_REGION}
Prerequisites for the Load Balancer Controller
The AWS Load Balancer Controller provisions load balancers that expose the applications running inside the enclaves to users. The IAM policy document it requires is published by the upstream project and can be downloaded directly.
- Download the policy document. The version tag in the URL (v2.5.4 here) should match the controller version you install, since newer releases can require additional permissions:
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
- Using the downloaded policy document, create the IAM policy for the Load Balancer Controller:
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam_policy.json
Copy the Amazon Resource Name (ARN) of the IAM policy returned by this command; it is needed in the next step.
- Create a service account for the AWS Load Balancer Controller and attach the policy to it:
eksctl create iamserviceaccount \
  --cluster=${CLUSTER_NAME} \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --role-name AmazonEKSLoadBalancerControllerRole \
  --attach-policy-arn={ARN of the created IAM Policy from the previous step} \
  --region ${CLUSTER_REGION} \
  --approve
You can find more information about these commands in the Load Balancer Controller reference page.
Prerequisites for the External DNS Addon
The External DNS controller creates DNS records that point at the load balancers, so users can connect to the applications hosted inside the enclaves by hostname.
To keep those records in sync, it needs permission to list Route 53 hosted zones and record sets, and to change record sets in the zone it manages.
- Create a policy document named external_dns_iam_policy.json. Replace ${HOSTED_ZONE_ID} with the ID of the Route 53 hosted zone that External DNS will manage before saving the file: the AWS CLI passes a file:// document to IAM verbatim, so shell variables in it are not expanded. ChangeResourceRecordSets is limited to that one zone, while the List actions must stay on "*":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
- Using the created policy document, create an IAM policy for the External DNS controller:
aws iam create-policy \
  --policy-name "ExternalDNSUpdatesPolicy" \
  --policy-document file://external_dns_iam_policy.json
Copy the Amazon Resource Name (ARN) of the IAM policy returned by this command; it is needed in the next step.
- Create a service account for the External DNS controller and attach the IAM policy to it:
eksctl create iamserviceaccount \
  --name external-dns \
  --namespace kube-system \
  --cluster ${CLUSTER_NAME} \
  --attach-policy-arn={ARN of the created IAM Policy from the previous step} \
  --approve \
  --override-existing-serviceaccounts \
  --region ${CLUSTER_REGION}
You can find more information about these commands in the External DNS Addon reference page.
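The three procedures above (the S3 policy for the enclave pod, the Load Balancer Controller policy, and the External DNS policy) follow one pattern: write a policy document, create the IAM policy, capture its ARN, and bind it to a Kubernetes service account with eksctl. The script below is an added example written for this page; it is not code from the OBLV Deploy project or the kube-oblv-stack chart. It captures each ARN from the AWS CLI instead of copying it by hand, substitutes the hosted zone ID into the Route 53 document before the file is written, narrows the enclave pod's S3 policy from "Resource": "*" to a single bucket (keeping the page's s3:Get* and s3:List* actions but dropping the Describe and object-lambda actions, on the assumption that the EIF is read straight from an S3 bucket; fall back to the page's broader policy if the pull fails), and verifies that each service account carries the eks.amazonaws.com/role-arn annotation that IRSA depends on. CLUSTER_NAME, CLUSTER_REGION, EIF_BUCKET and HOSTED_ZONE_ID are assumed environment variables. Run it with the argument apply to make changes; without it, it only defines the functions.

```shell
#!/bin/sh
# Added example for this page; not code from the OBLV Deploy project.
# Assumed inputs (hypothetical): CLUSTER_NAME, CLUSTER_REGION,
# EIF_BUCKET (S3 bucket holding the Enclave Image File) and
# HOSTED_ZONE_ID (Route 53 zone External DNS is allowed to edit).
set -eu

# S3 read policy for the enclave pod, scoped to one bucket instead of "*".
# Bucket-level actions (List*) need the bucket ARN; object-level actions
# (Get*) need the "bucket/*" ARN, so both resources are listed.
render_s3_policy() {  # $1 = bucket name
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": [
        "arn:aws:s3:::$1",
        "arn:aws:s3:::$1/*"
      ]
    }
  ]
}
EOF
}

# The page's External DNS policy with the hosted zone ID filled in. IAM
# receives a file:// document verbatim, so the substitution happens here.
render_route53_policy() {  # $1 = Route 53 hosted zone ID
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/$1"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Deterministic ARN of a customer-managed policy in the given account.
policy_arn() {  # $1 = account ID, $2 = policy name
    printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"
}

# Print the policy's ARN, creating the policy unless a previous run already did.
create_policy() {  # $1 = policy name, $2 = policy document file
    existing=$(policy_arn "$(aws sts get-caller-identity --query Account --output text)" "$1")
    if aws iam get-policy --policy-arn "$existing" >/dev/null 2>&1; then
        echo "$existing"
    else
        aws iam create-policy --policy-name "$1" --policy-document "file://$2" \
            --query Policy.Arn --output text
    fi
}

# Bind the policy to a Kubernetes service account through IRSA
# (eksctl generates the role name; add --role-name to pin it).
create_irsa() {  # $1 = service account, $2 = namespace, $3 = policy ARN
    eksctl create iamserviceaccount \
        --cluster "$CLUSTER_NAME" --region "$CLUSTER_REGION" \
        --name "$1" --namespace "$2" --attach-policy-arn "$3" \
        --override-existing-serviceaccounts --approve
}

# Pods only receive the role if the service account carries this annotation;
# a missing annotation means the pod will fall back to the node's credentials.
verify_irsa() {  # $1 = service account, $2 = namespace
    role=$(kubectl -n "$2" get serviceaccount "$1" \
        -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
    [ -n "$role" ] || { echo "no IRSA role on $2/$1" >&2; return 1; }
    echo "$2/$1 -> $role"
}

if [ "${1:-}" = "apply" ]; then
    : "${CLUSTER_NAME:?}" "${CLUSTER_REGION:?}" "${EIF_BUCKET:?}" "${HOSTED_ZONE_ID:?}"
    render_s3_policy "$EIF_BUCKET" > aws_s3_access.json
    render_route53_policy "$HOSTED_ZONE_ID" > external_dns_iam_policy.json
    curl -fsSLO https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
    create_irsa enclave-pod default \
        "$(create_policy EnclavePodS3AccessPolicy aws_s3_access.json)"
    create_irsa aws-load-balancer-controller kube-system \
        "$(create_policy AWSLoadBalancerControllerIAMPolicy iam_policy.json)"
    create_irsa external-dns kube-system \
        "$(create_policy ExternalDNSUpdatesPolicy external_dns_iam_policy.json)"
    verify_irsa enclave-pod default
    verify_irsa aws-load-balancer-controller kube-system
    verify_irsa external-dns kube-system
fi
```

The rendering functions are pure, so you can review the generated documents (for example, `render_s3_policy my-eif-bucket`) before anything touches the account; the apply branch then exercises the same commands the page lists, with the ARN handed straight from aws iam create-policy to eksctl.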
What's Next?
Once these prerequisites are in place, continue to the Installation and Setup page of the Getting Started guide.