NitroEnclaveDeployment (v1alpha1) API Reference
NitroEnclaveDeployment is a Kubernetes CustomResourceDefinition (CRD) that defines a deployment of AWS Nitro Enclaves within an OBLV Deploy cluster. It specifies the desired number of enclave instances (replicas) and their configuration (resources, networking, plugins, etc.), and reports status information such as the number of running enclaves.
NitroEnclaveDeployment v1alpha1 k8s
Field | Description |
---|---|
apiVersion | APIVersion defines the versioned schema of this object. Servers should convert recognized schemas to the latest internal value and may reject unrecognized values. More info |
kind | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info |
metadata | Standard object metadata. More info |
spec | Specification of the desired behavior of the NitroEnclaveDeployment. |
status | Most recently observed status of the NitroEnclaveDeployment. |
NitroEnclaveDeploymentSpec v1alpha1 k8s
Field | Description |
---|---|
replicas | Required. The number of enclave pod replicas to run. |
serviceName | The name of the headless Service governing the pods of the underlying StatefulSet. |
podLabels | Key-value pairs to label each enclave pod (applied to pod metadata). |
ingress | Configuration for network ingress to the enclaves. If not specified, ingress is disabled by default. |
enclaveCpuCount | Required. The number of vCPUs to allocate to each enclave. Must be at least 1. |
hugepages-1Gi | The amount of 1 GiB hugepages to allocate to the enclave (e.g., "1Gi"). One of hugepages-1Gi or hugepages-2Mi must be provided. |
hugepages-2Mi | The amount of 2 MiB hugepages to allocate to the enclave (e.g., "512Mi"). One of hugepages-1Gi or hugepages-2Mi must be provided. |
serviceAccount | Service account name to use for the enclave pods (for access to Kubernetes API or other resources). |
caCertDetails | Required. The CA certificate details to use inside the enclave for establishing trust. |
userPlugins | Required. A list of user-provided plugin containers to run inside each enclave. Must include at least one plugin. |
plugins | Configuration for the privileged built-in plugins (Auth, Logging, Telemetry). |
NitroEnclaveDeploymentStatus v1alpha1 k8s
Field | Description |
---|---|
deploymentName | The name of the underlying Kubernetes StatefulSet that is running the enclave pods. |
status | Overall status of the NitroEnclaveDeployment (e.g., "Scheduled", "Error"). |
replicas | The number of enclave pod replicas currently running. |
selector | The label selector used to identify the enclave pods. |
readyReplicas | The number of enclave pod replicas that are in Ready state. |
availableReplicas | The number of enclave pod replicas considered available. |
readyReplicasRatio | The ratio of ready replicas to total replicas (e.g., "3/5"). |
Ingress v1alpha1 k8s
The ingress field configures an optional network ingress (AWS Network Load Balancer) for reaching the enclave pods.
Field | Description |
---|---|
enabled | Required. Whether to enable an ingress for this NitroEnclaveDeployment. |
internetFacing | Whether the ingress load balancer should be internet-facing (external) or internal to the VPC. Required if enabled is true. |
dnsHostName | The DNS host name to use for the ingress load balancer. Required if enabled is true. |
ingressTlsCertificate | Name of the Kubernetes Secret containing the TLS certificate to use at the ingress (the certificate must be in PEM format). Required if enabled is true. |
ports | List of port mappings for the ingress. Each mapping defines a load balancer port and target port. At least one port must be specified if ingress is enabled. |
ingressSecurityGroups | (Optional) A list of AWS security group IDs to attach to the ingress load balancer. |
Each entry in ports is a port mapping for the ingress:
- port: Port number on the load balancer (NLB) to expose (1-65535).
- targetPort: Port on the enclave pod to forward traffic to (1-65535).
CaCertDetails v1alpha1 k8s
CaCertDetails provides the configuration for injecting a Certificate Authority (or other certificate material) into the enclave. This is used to establish a trusted certificate inside the enclave for TLS communications.
Field | Description |
---|---|
enclaveCertType | The mode of certificate provisioning for the enclave. Supported values: CA_PROVIDED , ENCLAVE_GENERATED , LEAF_CERT_PROVIDED , ACME . This setting determines how the enclave gets its TLS certificate: for example, CA_PROVIDED means you supply a CA certificate and key, ENCLAVE_GENERATED means the enclave will generate its own certificate, LEAF_CERT_PROVIDED means you supply an existing leaf certificate and key, and ACME means the certificate will be obtained via ACME (Let's Encrypt). Required. |
bucket | The S3 bucket name where certificate material is stored (used for CA_PROVIDED or LEAF_CERT_PROVIDED types). |
caCertS3Key | The S3 object key (path) for the certificate file in the bucket. For CA_PROVIDED, this should be the CA certificate. For LEAF_CERT_PROVIDED, this is the leaf certificate. |
caEncryptedS3Key | The S3 object key for the encrypted private key file corresponding to the certificate. For CA_PROVIDED, this is the CA’s private key (encrypted). For LEAF_CERT_PROVIDED, this is the leaf certificate’s private key (encrypted). |
awsRegion | AWS region where the S3 bucket (and KMS key) reside. |
kmsKeyId | The ID of the AWS KMS key used to encrypt the private key file in S3. |
encryptionAlgorithm | The algorithm used for encrypting the private key (for example, AES-256). |
acmeCertDomainName | The domain name for which to obtain a certificate via ACME (Let's Encrypt). |
acmeContactEmail | The contact email used for ACME registration (Let’s Encrypt account email). |
acmeServerUrl | The URL of the ACME server to use for certificate issuance. |
acmeRootCa | The root CA certificate for the ACME server. This is retrieved from a ConfigMap. |
subjectAltNames | A list of additional Subject Alternative Names (DNS names) to include in the certificate. |
For the acmeRootCa reference:
- configMapKeyRef: Specifies a key from a ConfigMap to retrieve the root CA certificate. Provide the ConfigMap name and the desired key containing the certificate in PEM format.
Note:
- For enclaveCertType = ACME, you must provide acmeCertDomainName, acmeContactEmail, and subjectAltNames.
- For enclaveCertType = CA_PROVIDED or LEAF_CERT_PROVIDED, ensure that you have provided bucket, caCertS3Key, caEncryptedS3Key, awsRegion, and kmsKeyId pointing to the certificate and key stored in S3.
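The spec table above and the caCertDetails rules just listed are cross-field constraints (one of the hugepages fields, ingress fields that become mandatory when enabled, per-enclaveCertType required fields) that only surface as an admission error once the manifest reaches the cluster. The following is an added example, not code from the OBLV Deploy project, that encodes those rules as a pre-apply lint; SAMPLE_SPEC is a constructed manifest whose bucket, key ID, domain and image names are placeholders.

```python
"""Pre-apply checks for a NitroEnclaveDeployment spec.

Added example; not code from the OBLV Deploy project. It encodes the
cross-field rules the reference states for spec, ingress, userPlugins ports
and caCertDetails. SAMPLE_SPEC is constructed; its names are placeholders.
"""

# Fields that must be present for each enclaveCertType (from the reference text).
CERT_FIELDS_BY_TYPE = {
    "ACME": ["acmeCertDomainName", "acmeContactEmail", "subjectAltNames"],
    "CA_PROVIDED": ["bucket", "caCertS3Key", "caEncryptedS3Key", "awsRegion", "kmsKeyId"],
    "LEAF_CERT_PROVIDED": ["bucket", "caCertS3Key", "caEncryptedS3Key", "awsRegion", "kmsKeyId"],
    "ENCLAVE_GENERATED": [],
}


def _missing(obj, fields):
    """Names in `fields` that are absent or empty in `obj` (False counts as present)."""
    return [f for f in fields if f not in obj or obj[f] in (None, "", [])]


def _valid_port(value, low=1, high=65535):
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_spec(spec):
    """Return a list of problems; an empty list means the spec passes these checks."""
    problems = []

    if spec.get("replicas") is None:
        problems.append("spec.replicas is required")
    cpu = spec.get("enclaveCpuCount")
    if not isinstance(cpu, int) or cpu < 1:
        problems.append("spec.enclaveCpuCount must be an integer >= 1")
    if not spec.get("hugepages-1Gi") and not spec.get("hugepages-2Mi"):
        problems.append("one of spec.hugepages-1Gi or spec.hugepages-2Mi must be provided")

    # Ingress is optional; when enabled, several fields become mandatory.
    ingress = spec.get("ingress") or {}
    if ingress.get("enabled"):
        for f in _missing(ingress, ["internetFacing", "dnsHostName", "ingressTlsCertificate", "ports"]):
            problems.append(f"spec.ingress.{f} is required when ingress is enabled")
        for i, mapping in enumerate(ingress.get("ports") or []):
            if not _valid_port(mapping.get("port")) or not _valid_port(mapping.get("targetPort")):
                problems.append(f"spec.ingress.ports[{i}]: port and targetPort must be in 1-65535")

    # At least one user plugin; hostPort is optional but restricted to 1025-65535.
    plugins = spec.get("userPlugins") or []
    if not plugins:
        problems.append("spec.userPlugins must contain at least one plugin")
    for i, plugin in enumerate(plugins):
        for f in _missing(plugin, ["name", "image"]):
            problems.append(f"spec.userPlugins[{i}].{f} is required")
        for j, mapping in enumerate(plugin.get("ports") or []):
            if not _valid_port(mapping.get("containerPort")):
                problems.append(f"spec.userPlugins[{i}].ports[{j}].containerPort must be in 1-65535")
            if "hostPort" in mapping and not _valid_port(mapping["hostPort"], low=1025):
                problems.append(f"spec.userPlugins[{i}].ports[{j}].hostPort must be in 1025-65535")

    # caCertDetails is required, and its required sub-fields depend on enclaveCertType.
    cert = spec.get("caCertDetails")
    if not cert:
        problems.append("spec.caCertDetails is required")
    else:
        cert_type = cert.get("enclaveCertType")
        if cert_type not in CERT_FIELDS_BY_TYPE:
            problems.append(f"spec.caCertDetails.enclaveCertType must be one of {sorted(CERT_FIELDS_BY_TYPE)}")
        else:
            for f in _missing(cert, CERT_FIELDS_BY_TYPE[cert_type]):
                problems.append(f"spec.caCertDetails.{f} is required for enclaveCertType={cert_type}")
    return problems


# Constructed sample manifest; every name below is a placeholder.
SAMPLE_SPEC = {
    "replicas": 2,
    "enclaveCpuCount": 2,
    "hugepages-2Mi": "512Mi",
    "ingress": {
        "enabled": True,
        "internetFacing": False,
        "dnsHostName": "enclave.example.internal",
        "ingressTlsCertificate": "enclave-ingress-tls",
        "ports": [{"port": 443, "targetPort": 8443}],
    },
    "caCertDetails": {
        "enclaveCertType": "CA_PROVIDED",
        "bucket": "example-enclave-certs",
        "caCertS3Key": "ca/ca.pem",
        "caEncryptedS3Key": "ca/ca.key.enc",
        "awsRegion": "us-east-1",
        "kmsKeyId": "PLACEHOLDER-KMS-KEY-ID",
    },
    "userPlugins": [
        {"name": "app", "image": "registry.example/app:1.0",
         "ports": [{"hostPort": 8443, "containerPort": 8443}]},
    ],
}

if __name__ == "__main__":
    for line in validate_spec(SAMPLE_SPEC) or ["spec OK"]:
        print(line)
```

Run it over the spec block of a manifest before `kubectl apply`; each returned string names the offending field path, so the list can be printed directly in a CI job.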
UserPlugin v1alpha1 k8s
The userPlugins field is a list of user-provided plugin container configurations. Each entry defines one container that will run inside the enclave alongside the built-in plugins.
Field | Description |
---|---|
name | Required. Name of the user plugin (unique identifier). |
image | Required. Container image for the user plugin. |
imagePullSecret | Name of a Secret for pulling the image from a private registry (if needed). |
hostNetwork | Whether the plugin's pod should use the host's network namespace. Defaults to false. |
ports | Port mappings for this container (hostPort to containerPort). |
volumes | List of volumes to mount into the container. |
env | List of environment variables to set in the container. |
outboundConnections | List of allowed outbound connections from this container. |
command | Override default container entrypoint with this command (if provided). More info. |
args | Arguments to pass to the container entrypoint/command. More info. |
securityContext | Security settings for the container |
Ports: If ports are specified, each item should include:
- hostPort: Port number on the host to expose (1025-65535). Optional; if not provided, the port will not be accessible from the host network.
- containerPort: Port number inside the container to expose (1-65535). Required for each port mapping.
PrivilegedPlugin v1alpha1 k8s
The plugins field configures the privileged plugins that run alongside user plugins within the enclave. Three plugins are available:
- auth: Authentication and authorization service.
- logging: Log streaming service (for enclave logs).
- telemetry: Telemetry and metrics collection service.
Each plugin is configured individually; the structure for each plugin is similar to a user plugin, with some differences as noted below.
Field | Description |
---|---|
auth | Configuration of the auth plugin. |
logging | Configuration of the logging plugin. |
telemetry | Configuration of the telemetry plugin. |
AuthPlugin v1alpha1 k8s
The auth plugin provides authentication and authorization within the enclave.
Field | Description |
---|---|
name | Required. Name of the auth plugin container. |
image | Required. Container image for the auth plugin. |
imagePullSecret | Secret name for pulling the auth plugin image, if required. |
ports | Port mappings for the auth plugin container (hostPort to containerPort). |
volumes | List of volumes to mount into the auth container. |
env | List of environment variables to set in the auth container. |
outboundConnections | List of allowed outbound connections from the auth container. |
command | Command to override the container's entrypoint for the auth plugin (if needed). More info. |
args | Arguments for the auth plugin command. More info. |
securityContext | Security settings for the auth container |
resources | Resource limits for the auth plugin container |
Ports: Same structure as described above for userPlugins.
LoggingPlugin v1alpha1 k8s
The logging plugin forwards enclave logs.
Field | Description |
---|---|
name | Required. Name of the logging plugin container. |
image | Required. Container image for the logging plugin. |
imagePullSecret | Secret name for pulling the logging plugin image, if required. |
volumes | List of volumes to mount into the logging container. |
env | List of environment variables to set in the logging container. |
outboundConnections | List of allowed outbound connections from the logging container. |
command | Command to override the container's entrypoint for the logging plugin. More info. |
args | Arguments for the logging plugin command. More info. |
securityContext | Security settings for the logging container |
TelemetryPlugin v1alpha1 k8s
The telemetry plugin collects metrics and telemetry data.
Field | Description |
---|---|
name | Required. Name of the telemetry plugin container. |
image | Required. Container image for the telemetry plugin. |
imagePullSecret | Secret name for pulling the telemetry plugin image, if required. |
ports | Port mappings for the telemetry plugin container (hostPort to containerPort). |
volumes | List of volumes to mount into the telemetry container. |
env | List of environment variables to set in the telemetry container. |
outboundConnections | List of allowed outbound connections from the telemetry container. |
command | Command to override the container's entrypoint for the telemetry plugin. |
args | Arguments for the telemetry plugin command. |
securityContext | Security settings for the telemetry container |
Ports: Same structure as described above for userPlugins.
Volume v1alpha1 k8s
A Volume describes a volume that can be mounted into a container. It may reference a host path or a ConfigMap.
Field | Description |
---|---|
name | Required. Name of the volume (must be unique within the container). |
containerPath | Required. Path inside the container where the volume will be mounted. |
readOnly | Required. Whether the volume mount is read-only (true or false ). |
source | Required. The source of the volume content. Exactly one of the following must be specified: a host path on the node, or a ConfigMap reference. |
The source field is an object that must include either:
- hostPath: Path on the host filesystem to mount into the enclave (e.g., /mnt/data).
- configMap: Reference to a ConfigMap to mount. The ConfigMap reference has:
  - name: Name of the ConfigMap.
  - items: A list of key/path pairs specifying which entries in the ConfigMap to project into the volume. Each item has a key (the ConfigMap key) and path (the file path under the mount where that value will be written).
Note: You must specify either hostPath or configMap in a Volume's source, but not both.
EnvVar v1alpha1 k8s
An EnvVar represents an environment variable to set in a container.
Field | Description |
---|---|
name | Required. Name of the environment variable. |
value | The literal value of the environment variable. Mutually exclusive with valueFrom . |
valueFrom | Source for the environment variable's value. Mutually exclusive with value . |
If valueFrom is used, it should reference exactly one of:
- configMapKeyRef: Selects a key from a ConfigMap. Provide the ConfigMap name and the desired key. Optionally, set optional: true to ignore this env var if the ConfigMap or key is missing.
- secretKeyRef: Selects a key from a Secret. Provide the Secret name and key. Optionally, set optional: true to ignore this env var if the Secret or key is missing.
- fieldRef: Selects a field of the pod (such as metadata.name or status.podIP). Provide the fieldPath to specify which field to use.
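The Volume and EnvVar sections both carry "exactly one of" rules, and EnvVar adds the optional: true behaviour, under which a missing ConfigMap, Secret or key drops the variable instead of failing the container. The following added example, not code from the OBLV Deploy project, checks a Volume source and resolves a list of EnvVar entries under those rules; the ConfigMap, Secret and pod-field data it uses are constructed stand-ins for what the cluster would supply.

```python
"""Volume source and EnvVar resolution rules from the reference.

Added example; not code from the OBLV Deploy project. validate_volume enforces
"exactly one of hostPath or configMap"; resolve_env applies the EnvVar rules
(value xor valueFrom, exactly one valueFrom source, optional: true skips a
missing ConfigMap/Secret or key). CONFIGMAPS, SECRETS and POD_FIELDS are
constructed stand-ins for cluster state.
"""


class EnvResolutionError(ValueError):
    """Raised when an EnvVar entry violates the rules or points at missing data."""


def validate_volume(volume):
    """Return a list of problems for one Volume entry (empty list = OK)."""
    problems = [f"{f} is required" for f in ("name", "containerPath", "readOnly", "source")
                if f not in volume]
    source = volume.get("source") or {}
    present = [k for k in ("hostPath", "configMap") if k in source]
    if len(present) != 1:
        problems.append("source must contain exactly one of hostPath or configMap")
    if "configMap" in source:
        ref = source["configMap"]
        if "name" not in ref:
            problems.append("source.configMap.name is required")
        for i, item in enumerate(ref.get("items") or []):
            if "key" not in item or "path" not in item:
                problems.append(f"source.configMap.items[{i}] needs both key and path")
    return problems


def resolve_env(env_vars, configmaps, secrets, pod_fields):
    """Resolve a list of EnvVar entries to {name: value}, honouring `optional`."""
    resolved = {}
    for ev in env_vars:
        name = ev["name"]
        if ("value" in ev) == ("valueFrom" in ev):
            raise EnvResolutionError(f"{name}: exactly one of value or valueFrom must be set")
        if "value" in ev:
            resolved[name] = ev["value"]
            continue
        value_from = ev["valueFrom"]
        kinds = [k for k in ("configMapKeyRef", "secretKeyRef", "fieldRef") if k in value_from]
        if len(kinds) != 1:
            raise EnvResolutionError(f"{name}: valueFrom must reference exactly one source")
        kind, ref = kinds[0], value_from[kinds[0]]
        if kind == "fieldRef":
            path = ref.get("fieldPath")
            if path not in pod_fields:
                raise EnvResolutionError(f"{name}: unknown fieldPath {path!r}")
            resolved[name] = pod_fields[path]
            continue
        store = configmaps if kind == "configMapKeyRef" else secrets
        entries = store.get(ref["name"])
        if entries is not None and ref["key"] in entries:
            resolved[name] = entries[ref["key"]]
        elif ref.get("optional"):
            continue  # optional: true -> silently skip the missing object or key
        else:
            raise EnvResolutionError(f"{name}: {kind} {ref['name']}/{ref['key']} not found")
    return resolved


# Constructed cluster state for the example (not real names or values).
CONFIGMAPS = {"app-config": {"LOG_LEVEL": "info"}}
SECRETS = {"app-secrets": {"API_TOKEN": "constructed-token"}}
POD_FIELDS = {"metadata.name": "enclave-0", "status.podIP": "10.0.0.12"}

SAMPLE_ENV = [
    {"name": "MODE", "value": "enclave"},
    {"name": "LOG_LEVEL", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "LOG_LEVEL"}}},
    {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "API_TOKEN"}}},
    {"name": "POD_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
    # Missing ConfigMap, but optional: true, so it is dropped rather than failing.
    {"name": "FEATURE_FLAG", "valueFrom": {"configMapKeyRef": {"name": "missing-cm", "key": "X", "optional": True}}},
]

SAMPLE_VOLUME = {
    "name": "app-config",
    "containerPath": "/etc/app",
    "readOnly": True,
    "source": {"configMap": {"name": "app-config", "items": [{"key": "LOG_LEVEL", "path": "log_level"}]}},
}

if __name__ == "__main__":
    print(validate_volume(SAMPLE_VOLUME) or "volume OK")
    print(resolve_env(SAMPLE_ENV, CONFIGMAPS, SECRETS, POD_FIELDS))
```

The resolver fails closed: a non-optional reference to a missing Secret raises rather than yielding an empty string, which is the same outcome a reader should expect from the enclave container not starting.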
OutboundConnection v1alpha1 k8s
OutboundConnection defines an allowed outgoing network connection from an enclave container.
Field | Description |
---|---|
type | The type of outbound connection. One of "default" , "enclave" , or "proxy" . Defaults to "default" . |
fqdn | Fully Qualified Domain Name of the destination host. Required. |
port | Destination port number (1-65535). Required. |
proxyUrl | URL of the attestation proxy (for proxy type connections). Required if type = "proxy" . |
attestationPort | Port on the proxy to use for attestation (for proxy type). Required if type = "proxy" . |
attestationIntervalSeconds | Interval (in seconds) for periodic attestation. Must be between 60 and 3600. Default is 300. For enclave and proxy types, this defines how frequently attestation is performed. |
configMap | Name of a ConfigMap containing configuration for peer enclave connections (used only for enclave type). Required if type = "enclave" . |
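Because outboundConnections is an allowlist, the set of (fqdn, port, type) triples it produces is what a reviewer compares against a container's expected dependencies. The following added example, not code from the OBLV Deploy project, applies the defaults and type-dependent requirements from the table above and then summarizes the resulting egress allowlist; the hostnames and proxy URL are constructed.

```python
"""Normalize and check OutboundConnection entries.

Added example; not code from the OBLV Deploy project. Rules applied, from the
reference table: type defaults to "default"; fqdn and port are required;
"proxy" needs proxyUrl and attestationPort; "enclave" needs configMap;
attestationIntervalSeconds must be 60-3600 and defaults to 300 for the two
attested types. SAMPLE_OUTBOUND uses constructed hostnames.
"""

VALID_TYPES = ("default", "enclave", "proxy")
REQUIRED_BY_TYPE = {
    "default": (),
    "enclave": ("configMap",),
    "proxy": ("proxyUrl", "attestationPort"),
}


def normalize_outbound(conn):
    """Return a copy of one OutboundConnection with defaults applied; raise ValueError if invalid."""
    out = dict(conn)
    out.setdefault("type", "default")
    if out["type"] not in VALID_TYPES:
        raise ValueError(f"type must be one of {VALID_TYPES}, got {out['type']!r}")
    if not out.get("fqdn"):
        raise ValueError("fqdn is required")
    port = out.get("port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise ValueError(f"port must be an integer in 1-65535, got {port!r}")
    for field in REQUIRED_BY_TYPE[out["type"]]:
        if not out.get(field):
            raise ValueError(f"{field} is required when type={out['type']!r}")
    # Periodic attestation only applies to enclave and proxy connections.
    if out["type"] != "default":
        out.setdefault("attestationIntervalSeconds", 300)
    interval = out.get("attestationIntervalSeconds")
    if interval is not None and not (isinstance(interval, int) and 60 <= interval <= 3600):
        raise ValueError(f"attestationIntervalSeconds must be 60-3600, got {interval!r}")
    return out


def normalize_outbound_connections(conns):
    """Normalize every entry of a container's outboundConnections list."""
    return [normalize_outbound(c) for c in conns]


def egress_allowlist(conns):
    """Sorted (fqdn, port, type) triples: every destination the container may reach."""
    return sorted({(c["fqdn"], c["port"], c["type"]) for c in normalize_outbound_connections(conns)})


# Constructed example list; hostnames and the proxy URL are placeholders.
SAMPLE_OUTBOUND = [
    {"fqdn": "api.example.internal", "port": 443},
    {"type": "enclave", "fqdn": "peer-enclave.example.internal", "port": 8443,
     "configMap": "peer-enclave-conn"},
    {"type": "proxy", "fqdn": "data.example.internal", "port": 443,
     "proxyUrl": "https://attest-proxy.example.internal", "attestationPort": 9443,
     "attestationIntervalSeconds": 600},
]

if __name__ == "__main__":
    for entry in egress_allowlist(SAMPLE_OUTBOUND):
        print(entry)
```

Anything a plugin needs to reach that is not in the printed list is, by construction, a destination the enclave will not be permitted to contact, so the summary doubles as a review checklist for each container's dependencies.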
SecurityContext v1alpha1 k8s
SecurityContext sets security options for a container (either a user plugin or a built-in plugin). These fields correspond to Kubernetes container securityContext settings.
Field | Description |
---|---|
allowPrivilegeEscalation | Allow processes in the container to gain privileges via setuid/setgid binaries. Defaults to true if not set. |
capabilities | Linux capabilities to add or drop from the container. This is an object with two optional lists: add and drop , each listing capability names. |
privileged | Run the container in privileged mode (with full host privileges). |
readOnlyRootFilesystem | Mount the container's root filesystem as read-only. |
runAsUser | The Unix user ID to run the container process as. |
runAsGroup | The Unix group ID to run the container process as. |
runAsNonRoot | Require that the container runs as a non-root user. If true, the container will not start if run as UID 0 (root). |
seLinuxOptions | SELinux label to apply to the container, given as an object with fields user , role , type , and level . |
seccompProfile | Seccomp filtering profile for the container, provided as an object with fields: |