Docker
Enclave provides Docker images for running the agent. Our registry is hosted on AWS ECR Public; the images are listed at https://gallery.ecr.aws/sidechannel/enclave-agent
Running in Docker
Pull the image:

```bash
docker pull public.ecr.aws/sidechannel/enclave-agent:latest
```
To run the agent in Docker, run the following command:

```bash
docker run \
  -d \
  --env AGENT_TOKEN=$AGENT_TOKEN \
  --cap-add=NET_ADMIN \
  --device=/dev/net/tun \
  public.ecr.aws/sidechannel/enclave-agent:latest
```

INFO: Be sure to set the AGENT_TOKEN environment variable before you run the command, e.g. export AGENT_TOKEN=123456789
Some notes on this command:

| Argument | What it does |
|---|---|
| -d | Run the container in detached mode. |
| --env AGENT_TOKEN=$AGENT_TOKEN | Pass the agent token as an environment variable. This is required to authenticate the agent with the Enclave platform. |
| --cap-add=NET_ADMIN | Add the NET_ADMIN capability to the container. This is required to create the tunnel interface. |
| --device=/dev/net/tun | Map the tun device into the container. This is also required to create the tunnel interface. |
| public.ecr.aws/sidechannel/enclave-agent:latest | The Docker image to run. |
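The table above describes the minimum the agent needs (NET_ADMIN plus the tun device); the script below is an added example, not part of the Enclave docs, that audits `docker inspect` output for a running agent container against that shape and flags a container that was started privileged or without the token. The sample record is constructed to match the documented run command.

```python
"""Audit `docker inspect` output for an enclave-agent container.

Usage: docker inspect <container> | python3 audit_agent.py
(runs against the constructed SAMPLE when no JSON is piped in)
"""
import json
import sys

REQUIRED_CAP = "NET_ADMIN"
REQUIRED_DEVICE = "/dev/net/tun"
TOKEN_VAR = "AGENT_TOKEN"


def audit(container: dict) -> list[str]:
    """Return findings for one `docker inspect` record; an empty list means it matches the docs."""
    host = container.get("HostConfig", {})
    findings = []
    caps = set(host.get("CapAdd") or [])
    if REQUIRED_CAP not in caps:
        findings.append(f"missing capability {REQUIRED_CAP}: tunnel interface cannot be created")
    extra = caps - {REQUIRED_CAP}
    if extra:
        findings.append(f"capabilities beyond the documented set: {sorted(extra)}")
    if host.get("Privileged"):
        findings.append("container is privileged; the agent only needs NET_ADMIN plus /dev/net/tun")
    devices = {d.get("PathInContainer") for d in host.get("Devices") or []}
    if REQUIRED_DEVICE not in devices:
        findings.append(f"{REQUIRED_DEVICE} not mapped into the container")
    env = container.get("Config", {}).get("Env") or []
    if any(e.startswith(TOKEN_VAR + "=") for e in env):
        # Expected for the documented command, but worth knowing: Config.Env is
        # readable by anyone who can run `docker inspect` on this host.
        findings.append(f"{TOKEN_VAR} is stored in Config.Env and readable via docker inspect")
    else:
        findings.append(f"{TOKEN_VAR} not set: the agent cannot authenticate")
    return findings


# Constructed sample: the shape `docker inspect` returns for the documented run command
SAMPLE = [{
    "Config": {"Env": ["AGENT_TOKEN=123456789", "PATH=/usr/bin"]},
    "HostConfig": {"CapAdd": ["NET_ADMIN"], "Privileged": False,
                   "Devices": [{"PathOnHost": "/dev/net/tun", "PathInContainer": "/dev/net/tun"}]},
}]

if __name__ == "__main__":
    records = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for rec in records:
        for finding in audit(rec):
            print(finding)
```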
Running in Kubernetes
In Kubernetes, the recommended way to run the agent is as a sidecar container, so that it runs in the same pod as your application. Use the following manifest as a starting point:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-app
      image: my-app:latest
      ports:
        - containerPort: 80
    - name: enclave-agent
      image: public.ecr.aws/sidechannel/enclave-agent:latest
      env:
        - name: AGENT_TOKEN
          # Kubernetes does not expand a shell-style $AGENT_TOKEN in a manifest,
          # so read the token from a Secret (the Secret name below is an
          # assumption; create it before applying this manifest).
          valueFrom:
            secretKeyRef:
              name: enclave-agent-token
              key: AGENT_TOKEN
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
        # privileged grants every capability and all host devices, so the
        # NET_ADMIN entry above is redundant while this is set
        privileged: true
      volumeMounts:
        - name: enclave-tun
          mountPath: /dev/net/tun
  volumes:
    - name: enclave-tun
      hostPath:
        path: /dev/net/tun
```