Contact Sales

Running Redis in an Anjuna Enclave Using Azure Kubernetes Services

Anjuna Enterprise Enclaves for Azure confidential computing


Anjuna Enterprise Enclaves makes it quick and simple to protect cloud data and IP with Microsoft’s Azure confidential computing. 

Azure confidential computing leverages Intel® Software Guard Extensions (SGX)-enabled CPUs to establish secure enclaves that protect the confidentiality and integrity of data and applications while being processed in the public cloud. Within seconds, Anjuna Enterprise Enclaves can automatically establish a secure enclave that isolates and encrypts all application resources in runtime, at rest, and on the network. 

The result is the strongest full stack protection available. Anjuna’s “lift and shift” approach eliminates the need to work with ever-changing applications and software development kits (SDKs). And no changes to applications, recompilation, or operations are required.

azure-logo

Introduction

This document walks you through the process of deploying a Redis server in a secure Anjuna enclave using Microsoft’s Azure Kubernetes Services.

Before We Get Started

In order to run Anjuna’s secure runtime, you first need to set up Azure Kubernetes Services with support for Confidential Computing. To set up a cluster with the necessary support, follow the instructions in Microsoft’s guide to setting up confidential computing nodes.

When you reach the section titled "Adding confidential computing node to existing AKS cluster," return to this document to continue.

1. Register an Access Token


In order for your Kubernetes cluster to pull Anjuna Docker images, you’ll need an access token for Anjuna’s Azure Container Registry. You can get your token by contacting Anjuna at by submitting this form:

2. Set Up the Azure Command-line Interface

The command-line interface to Azure is called az. You can find Microsoft’s instructions for installing az at the Azure documentation site. Follow the instructions there to set it up before continuing with the next step.

3. Securely Store Your Token

To store your access token as a Kubernetes secret, execute the following command in the shell:

kubectl create secret docker-registry anjuna-acr-secret \
--docker-server anjunaaks.azurecr.io \
--docker-username [username provided by Anjuna] \
--docker-password [password provided by Anjuna]

If you’d prefer to pull the docker image to your local machine, you must first authenticate your terminal session to Anjuna’s Azure Container Repository. Use the following shell command to do that:

docker login \
--username [username provided by Anjuna] \
--password [password provided by Anjuna] \
anjunaaks.azurecr.io

4. Deploy Redis Running in the Anjuna Runtime Container

Now that you’ve deployed a Kubernetes cluster and configured an access token, you can deploy Anjuna applications to the cluster. Create a file named "anjuna-redis.yaml" and populate it with the following text:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: anjuna-redis
spec:
  selector:
    matchLabels:
      app: anjuna-redis
  replicas: 1
  template:
    metadata:
      labels:
        app: anjuna-redis
    spec:
      containers:
      - name: anjuna-redis
        image: anjunaaks.azurecr.io/redis:dcap
        ports:
        - containerPort: 6379
          name: redis
        resources:
          limits:
            kubernetes.azure.com/sgx_epc_mem_in_MiB: 40
      imagePullSecrets:
      - name: anjuna-acr-secret
---
apiVersion: v1
kind: Service
metadata:
  name: anjuna-redis
spec:
  ports:
  - port: 6379
  selector:
    app: anjuna-redis

Now use kubectl to deploy the Redis container to your cluster:

$ kubectl apply -f anjuna-redis.yaml

After a few seconds, kubectl displays the following messages to let you know the deployment has succeeded:

deployment.apps/anjuna-redis created
service/anjuna-redis created

5. Check the Deployment’s Status

Now you can use kubectl to check the containers logs. You should see something similar to this:

$ kubectl logs -l app=anjuna-redis --tail=50
[    1] Anjuna Runtime version heads/master-0-g51583366, Copyright (C) Anjuna Security, Inc. All rights reserved.
[    1] Enclave initialized:
[    1]     Enclave base address:           0x0000000800000000
[    1]     Enclave size:                   1GB
[    1]     Maximum number of threads:      20
[    1]     Enclave attributes:             0x0000000000000004
[    1]     Enclave SSA frame size:         1
[    1]     Enclave MRSIGNER:               32982de78e16455960c4b3df570b9c59b41caf89bc7e9ae092fb5c8585b4730b
[    1]     Enclave MRENCLAVE:              a9817bdbcd2aa53290f2925bfd16743fa1b0f4be3614df7319f66a021a7ac8ef
1:C 17 Sep 2020 19:03:12.723 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 17 Sep 2020 19:03:12.723 # Redis version=6.0.8, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 17 Sep 2020 19:03:12.723 # Configuration loaded
1:M 17 Sep 2020 19:03:12.723 * Running mode=standalone, port=6379.
1:M 17 Sep 2020 19:03:12.723 # Server initialized
1:M 17 Sep 2020 19:03:12.723 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create
latency and memory usage issues with Redis. To fix this issue run the command 'echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be
restarted after THP is disabled (set to 'madvise' or 'never').
1:M 17 Sep 2020 19:03:12.815 * Ready to accept connections
 

Some of the details may differ from the example here.

6. Start a Redis Client Job

Next, let’s create a client process to store and fetch data in the new Redis instance. Notice that we deployed Redis with kind: Deployment. A Deployment is a service that is meant to run continuously.

Our client will instead be a simple batch program that just sets a key in Redis and then gets it, and it’s done. The kind: for a process like that, which runs once to completion, is Job.

Put this configuration text into a file named redis-client.yaml:

apiVersion: batch/v1
kind: Job
metadata:
  name: redis-client
  labels:
    app: redis-client
spec:
  template:
    metadata:
      labels:
        app: redis-client
    spec:
      containers:
      - name: redis-client
        image: redis
        command: ["/bin/bash"]
        args: ["-c", "redis-cli -h anjuna-redis set test_key FinestHomegrownSecrets && redis-cli -h anjuna-redis get test_key"]
      restartPolicy: Never
  backoffLimit: 0

Notice that this Job is configured to run without the Anjuna runtime. In other words, the container is not configured to require the Anjuna runtime or SGX support. The client process will therefore run in an unprotected container, but it will communicate with a container protected by the Anjuna runtime.

Start the client using the following command:

$ kubectl apply -f redis-client.yaml

7. Review the Client's Logs

As before, you can display the job’s logs using kubectl:

$ kubectl logs -l app=redis-client
OK
FinestHomegrownSecrets

The client has successfully stored the text "FinestHomegrownSecrets" in the Redis instance, then fetched it out again!

8. Clean Up Resources

After your client job is finished, you should tear down the cluster and release its resources. You can find instructions on how to do that in Microsoft’s guide to setting up confidential computing nodes, in the section titled "Clean up resources".

Getting Support

If you have any questions, contact our team for support. 

 

join the Anjuna community slack

See the power of protection for yourself.

Contact us to get started on an Azure confidential computing project.