aws-nitro-enclaves-k8s-ds.yaml (70 lines of code) (raw):
apiVersion: v1
kind: Namespace
metadata:
name: nitro-enclaves
labels:
name: nitro-enclaves
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: aws-nitro-enclaves-k8s-daemonset
namespace: kube-system
labels:
name: aws-nitro-enclaves-k8s-dp
role: agent
spec:
selector:
matchLabels:
name: aws-nitro-enclaves-k8s-dp
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
name: aws-nitro-enclaves-k8s-dp
annotations:
node.kubernetes.io/bootstrap-checkpoint: "true"
spec:
nodeSelector:
aws-nitro-enclaves-k8s-dp: enabled
priorityClassName: "system-node-critical"
hostname: aws-nitro-enclaves-k8s-dp
containers:
- name: aws-nitro-enclaves-k8s-dp
env:
# max 4 devices supported
- name: MAX_ENCLAVES_PER_NODE
value: "4"
# advertises CPUs dedicated for enclave use (offline cpus) as 'aws.ec2.nitro/nitro_enclaves_cpus'
- name: ENCLAVE_CPU_ADVERTISEMENT
value: "false"
image: public.ecr.aws/aws-nitro-enclaves/aws-nitro-enclaves-k8s-device-plugin:v0.3
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
limits:
cpu: 100m
memory: 15Mi
requests:
cpu: 10m
memory: 15Mi
volumeMounts:
- name: device-plugin
mountPath: /var/lib/kubelet/device-plugins
- name: dev-dir
mountPath: /dev
- name: sys-dir
mountPath: /sys
volumes:
- name: device-plugin
hostPath:
path: /var/lib/kubelet/device-plugins
- name: dev-dir
hostPath:
path: /dev
- name: sys-dir
hostPath:
path: /sys
terminationGracePeriodSeconds: 30