SGX EPC Limit Plugin

This chart deploys the sgx-epc Node Resource Interface (NRI) plugin. This plugin can be used to set limits on the encrypted page cache usage of containers, using annotations and a not-yet-merged pull request to the cgroup v2 misc controller.

Prerequisites

  • Kubernetes 1.24+

  • Helm 3.0.0+

  • Container runtime:

    • containerd:

      • At least containerd 1.7.0 release version to use the NRI feature.

      • Enable the NRI feature by following these detailed instructions. You can optionally enable NRI in containerd through the Helm chart during chart installation by setting the nri.runtime.patchConfig parameter. For instance,

        helm install my-sgx-epc nri-plugins/nri-sgx-epc --set nri.runtime.patchConfig=true --namespace kube-system
        

        Enabling nri.runtime.patchConfig creates an init container that turns on the NRI feature in containerd; the plugin installation proceeds only after that.

    • CRI-O:

      • At least v1.26.0 release version to use the NRI feature.

      • Enable the NRI feature by following these detailed instructions. You can optionally enable NRI in CRI-O through the Helm chart during chart installation by setting the nri.runtime.patchConfig parameter. For instance,

        helm install my-sgx-epc nri-plugins/nri-sgx-epc --namespace kube-system --set nri.runtime.patchConfig=true
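
A preflight check for the container runtime prerequisites above, as an added example that is not part of the chart or the nri-plugins project: it reads each node's runtime version in the form Kubernetes reports it and flags nodes below containerd 1.7.0 or CRI-O v1.26.0. The function names and the sample node list are constructed for illustration.

```shell
# Minimum runtime releases with NRI support, from the prerequisites above.
MIN_CONTAINERD=1.7.0
MIN_CRIO=1.26.0

# version_ge A B: succeed when major.minor.patch of A is >= that of B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
    }'
}

# nri_runtime_ok URI (e.g. containerd://1.7.2): 0 ok, 1 too old, 2 unknown runtime.
nri_runtime_ok() {
    name=${1%%://*}; ver=${1#*://}
    case $name in
        containerd) min=$MIN_CONTAINERD ;;
        cri-o)      min=$MIN_CRIO ;;
        *)          return 2 ;;
    esac
    # A pre-release of the minimum version is not the release itself.
    case $ver in
        "$min"-rc*|"$min"-beta*|"$min"-alpha*) return 1 ;;
    esac
    version_ge "$ver" "$min"
}

# check_nodes: read "NODE URI" lines on stdin; non-zero if any node fails.
check_nodes() {
    bad=0
    while read -r node uri; do
        [ -n "$node" ] || continue
        if nri_runtime_ok "$uri"; then echo "ok    $node $uri"
        else echo "FAIL  $node $uri"; bad=1; fi
    done
    return $bad
}

# Constructed sample; on a cluster, feed check_nodes from:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'
SAMPLE_NODES='worker-1 containerd://1.7.2
worker-2 containerd://1.6.21
worker-3 cri-o://1.26.4
worker-4 cri-o://1.25.3
worker-5 containerd://1.7.0-rc.1'
printf '%s\n' "$SAMPLE_NODES" | check_nodes || echo "upgrade FAIL nodes first"
```

Run it before installing with nri.runtime.patchConfig=true, since the init container patches the runtime configuration on every node the chart is scheduled to.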
        

Installing the Chart

Path to the chart: nri-sgx-epc.

helm repo add nri-plugins https://containers.github.io/nri-plugins
helm install my-sgx-epc nri-plugins/nri-sgx-epc --namespace kube-system

The command above deploys the sgx-epc NRI plugin on the Kubernetes cluster within the kube-system namespace with the default configuration. To customize the available parameters, described under Configuration options below, you have two options: use the --set flag, or create a custom values.yaml file and provide it using the -f flag. For example:

# Install the sgx-epc plugin with custom values provided using the --set option
helm install my-sgx-epc nri-plugins/nri-sgx-epc --namespace kube-system --set nri.runtime.patchConfig=true
# Install the sgx-epc plugin with custom values specified in a custom values.yaml file
cat <<EOF > myPath/values.yaml
nri:
  runtime:
    patchConfig: true
  plugin:
    index: 10

tolerations:
- key: "node-role.kubernetes.io/control-plane"
  operator: "Exists"
  effect: "NoSchedule"
EOF

helm install my-sgx-epc nri-plugins/nri-sgx-epc --namespace kube-system -f myPath/values.yaml

Uninstalling the Chart

To uninstall the sgx-epc plugin, run the following command:

helm delete my-sgx-epc --namespace kube-system

Configuration options

The table below presents an overview of the parameters available for users to customize with their own values, along with the default values.

| Name                                         | Default                                       | Description                                                              |
| -------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------------ |
| image.name                                   | ghcr.io/containers/nri-plugins/nri-sgx-epc    | container image name                                                     |
| image.tag                                    | unstable                                      | container image tag                                                      |
| image.pullPolicy                             | Always                                        | image pull policy                                                        |
| resources.cpu                                | 25m                                           | cpu resources for the Pod                                                |
| resources.memory                             | 100Mi                                         | memory quota for the Pod                                                 |
| nri.runtime.config.pluginRegistrationTimeout | ""                                            | set NRI plugin registration timeout in NRI config of containerd or CRI-O |
| nri.runtime.config.pluginRequestTimeout      | ""                                            | set NRI plugin request timeout in NRI config of containerd or CRI-O      |
| nri.runtime.patchConfig                      | false                                         | patch NRI configuration in containerd or CRI-O                           |
| nri.plugin.index                             | 90                                            | NRI plugin index to register with                                        |
| initImage.name                               | ghcr.io/containers/nri-plugins/config-manager | init container image name                                                |
| initImage.tag                                | unstable                                      | init container image tag                                                 |
| initImage.pullPolicy                         | Always                                        | init container image pull policy                                         |
| tolerations                                  | []                                            | specify taint toleration key, operator and effect                        |
| affinity                                     | []                                            | specify node affinity                                                    |
| nodeSelector                                 | []                                            | specify node selector labels                                             |
| podPriorityClassNodeCritical                 | true                                          | enable marking Pod as node critical                                      |