Confidential Containers brings TEE support to Kubernetes • The Register

Red Hat supports a Cloud Native Computing Foundation (CNCF) project that aims to improve the security of containers in Kubernetes clusters by running them in hardware-backed enclaves.

According to a company blog post, Red Hat is investing in Confidential Containers, a relatively new project by the CNCF-backed Confidential Computing Consortium.

Confidential Containers, or “CoCo” for short (which should irritate any fan of the old TRS-80 Color Computer), has just released its first version, version 0.1.0. The very low version number is meant to be a warning: this is new technology and definitely not ready for prime time. Accordingly, its documentation is not very extensive.

The idea is to run containers in a Trusted Execution Environment (TEE), a facility that most processor architectures have offered for a number of years – The Reg wrote about OpenTEE in 2015, for example, although we’ve also covered ways researchers have found to get around them.

The tricky part is that the whole goal of running in a TEE is to restrict communication between the TEE and the host machine, and you can’t easily do that with your usual container: containers are just normal processes running directly on the host kernel, as our Brief History of Virtualization explained, before Docker was even a twinkle in dotCloud’s eye.

In contrast, running an encrypted virtual machine is relatively easy these days, with hardware support from several companies including AMD’s SEV as used in Google Cloud, Intel’s comparable SGX, and the newer TDX.

To deploy workloads that run in TEEs but are managed by Kubernetes, the CoCo project uses a different technology – Kata Containers – which emerged from the merger of Intel Clear Containers and Hyper runV and is supported by the OpenStack Foundation.

According to the CoCo documentation overview, the tool initially supports five different TEE technologies: the AMD and Intel ones mentioned above, as well as two different IBM technologies, Protected Execution Facility (PEF) for POWER servers and Secure Execution for z/Architecture mainframes.

If the initiative proves successful, additional architectures may be supported over time – Arm has TrustZone, for example, and RISC-V has its own equivalent.

If, like this vulture, you come from the frighteningly old-fashioned world of on-prem computing, encrypting your own virtual machines might sound a bit odd at first, but it makes sense when you’re running those VMs on someone else’s hardware somewhere out there on the internet.

Hardware support for this has been around for a while, but the implementation is still non-trivial. So if, over time, this can be reduced to a checkbox in a K8s configuration page or a line of YAML, it will be welcomed by many. Which, in turn, will of course be welcomed by silicon manufacturers, because even very lightweight VMs still consume more resources than containers. ®

Rick Schindler
