1 of 10

Confidential Containers v0

2 of 10

Goals

MVP stack for running confidential containers

Based on and compatible with Kata Containers 2

Based on at least one confidential computing implementation (SEV, TDX, SE, etc)

Integration with Kubernetes: kubectl apply -f confidential-pod.yaml

Proof of Concept to be presented as a CNCF sandbox project

3 of 10

Confidential Containers v0

Relying Party

Confidential VM

Key Broker Service (KBS)

+

Attestation

Service

VMM

(Cloud-Hypervisor/QEMU)

CRIO

containerd

kata-shim-v2

kata-agent

Container

Image

(Pod scope)

🔑

Ephemeral Block Device

image mgmt

ocicrypt

keyprovider

Restricted API via vsock

Attestation

Agent

firmware

kubelet

umoci

skopeo

Container

Image

Registry

4 of 10

Milestones

  • September 2021
    • Unencrypted image pulled inside the guest, kept in tmpfs
    • Pod/Container runs from pulled image
    • Agent API is restricted
    • crictl only
  • October 2021
    • Encrypted image pulled inside the guest, kept in tmpfs
    • Image is decrypted with a pre-provisioned key (No attestation)
  • November 2021
    • Image is optionally stored on an encrypted, ephemeral block device
    • Image is decrypted with a key obtained from a key brokering service (KBS)
    • Integration with kubelet

5 of 10

Confidential Containers v0 - September 2021

Confidential VM

VMM

(Cloud-Hypervisor/QEMU)

CRIO

containerd

kata-shim-v2

kata-agent

Container

Image

(Pod scope)

image mgmt

Restricted API via vsock

firmware

crictl

umoci

skopeo

Container

Image

Registry

6 of 10

Confidential Containers v0 - October 2021

Confidential VM

VMM

(Cloud-Hypervisor/QEMU)

CRIO

containerd

kata-shim-v2

kata-agent

Container

Image

(Pod scope)

🔑

image mgmt

ocicrypt

keyprovider

Restricted API via vsock

Attestation

Agent

firmware

crictl

umoci

skopeo

Container

Image

Registry

🔑

7 of 10

Confidential Containers v0 - November 2021

Relying Party

Confidential VM

Key Broker Service (KBS)

+

Attestation

Service

VMM

(Cloud-Hypervisor/QEMU)

CRIO

containerd

kata-shim-v2

kata-agent

Container

Image

(Pod scope)

🔑

Ephemeral Block Device

image mgmt

ocicrypt

keyprovider

Restricted API via vsock

Attestation

Agent

firmware

kubelet

umoci

skopeo

Container

Image

Registry

Optional

8 of 10

High Level Flows - Pod Creation

kata-agent

skopeo

ocicrypt-rs

Attestation Agent

umoci

kata-shim

PullImage

Pull

Decrypt

GetKeys

Keys

Decrypted

Pulled

Pulled

CreateContainer

Unpack

Unpacked

Created

9 of 10

Confidential Containers v1

Build on top on v0

Make it closer to production quality

Improve and Fix

10 of 10

Confidential Containers v1

Switch to image_rs

Getting rid of Skopeo and umoci

Volumes and storage

How do we add data (persistent or not) into a CC pod?

Threat model

SGX integration

Deployment via the operator

CI/CD (With and *without* a TEE)

Container images sharing/storage (Probably v2, depends on benchmark initial results)

Benchmark definitions + initial measurements(?)