Red Hat is excited to announce the release of Red Hat OpenShift sandboxed containers 1.11 and Red Hat build of Trustee 1.0, marking a significant milestone in our confidential computing journey. These releases bring production-grade support for confidential containers in Microsoft Azure Red Hat OpenShift and introduce technology preview support for bare metal environments with Intel TDX and AMD SEV-SNP processors. Organizations can now protect their most sensitive workloads with hardware-based memory encryption and attestation capabilities across cloud and on-premises infrastructure.

OpenShift sandboxed containers 1.11 and Red Hat build of Trustee 1.0 highlights

OpenShift sandboxed containers 1.11: A focus on security and enterprise readiness

Across both cloud and bare metal, OpenShift sandboxed containers 1.11 introduces features that harden your security posture and improve usability.

  • Secure by default: We are implementing a new restrictive agent policy by default. This policy blocks host-level commands like oc exec for confidential containers, providing true isolation from the administrator. A debug mode can be enabled via a pod annotation for development.
  • Trusted supply chain: We've enhanced support for signed container images, a critical part of a trusted software supply chain.
  • Secure secret release: A key value of attestation is the secure delivery of secrets. Red Hat build of Trustee is used to verify the integrity of a pod before releasing sensitive data, like database credentials or private keys. Such secrets are retrieved from the attestation service.
  • Improved supportability: We have improved our must-gather tooling to automatically collect Trustee logs, making it easier for our support teams to help you troubleshoot attestation workflows.

Red Hat build of Trustee 1.0: Simplifying the configuration and deployment

Red Hat build of Trustee 1.0 delivers enterprise-grade remote attestation capabilities that form the foundation of secure secret management for confidential workloads. This release dramatically simplifies deployment through the new Trustee Config custom resource, reducing configuration complexity from dozens of manual steps to just a few declarative settings while maintaining full enterprise configurability.

  • Enterprise-grade disconnected support provides comprehensive air-gapped capabilities with automated AMD VCEK certificate caching for SEV-SNP environments, enabling full attestation workflows in completely isolated networks. The system supports multiple certificate secrets for different AMD processor generations (Milan, Genoa, Turin), addressing critical requirements for highly regulated industries, government deployments, and organizations with strict network isolation policies.
  • Production enterprise features include native cert-manager integration for automated HTTPS and attestation token certificate management, plus native high availability through Kubernetes-native replica scaling and distributed configuration management via etcd. Production operations are enhanced with native Prometheus metrics integration, providing comprehensive observability, while the new Trustee command-line interface (CLI) enables local development, testing, and advanced deployment patterns.
  • With full support for Red Hat OpenShift and the latest AMD SEV-SNP processor generations, Red Hat build of Trustee 1.0 delivers a zero-trust architecture where secrets are released only to hardware-attested workloads, never exposing plaintext to cluster administrators. This establishes Red Hat build of Trustee as the cornerstone for policy-driven secret management across hybrid and multicloud confidential computing environments.
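The "secure secret release" item above and the zero-trust point in the last bullet describe one flow: a pod presents TEE evidence, an attestation service checks it, and a secret is handed out only if the check passes. The following is an added example, written for this post and not code from Red Hat or the Trustee project: a simplified Python model of that flow with a verifier that checks nonce freshness and a launch measurement against a reference value, issues a signed token, and a secret store that releases a resource only for a valid token whose claims satisfy policy. The reference measurement, the token key, the resource name and the policy are constructed for illustration.

```python
"""Added example (not Red Hat's or Trustee's code): attestation-gated secret release.
All keys, reference values and names below are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed reference value: the launch measurement an approved pod image reports.
REFERENCE_VALUES = {"measurement": hashlib.sha384(b"approved-confidential-pod-image").hexdigest()}
# Constructed key shared by the verifier and the secret store to sign attestation tokens.
TOKEN_KEY = b"example-attestation-token-key"
TOKEN_TTL_SECONDS = 300


class Verifier:
    """Checks TEE evidence against reference values and issues a signed token."""

    def __init__(self):
        self._nonces = set()

    def challenge(self):
        # A fresh nonce per attestation request so captured evidence cannot be replayed.
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def attest(self, evidence):
        # Freshness: the nonce must be one we issued and not already consumed.
        if evidence.get("nonce") not in self._nonces:
            return None
        self._nonces.discard(evidence["nonce"])
        # Integrity: the reported measurement must equal the reference value.
        if not hmac.compare_digest(evidence.get("measurement", ""), REFERENCE_VALUES["measurement"]):
            return None
        claims = {
            "tee": evidence.get("tee"),
            "measurement": evidence["measurement"],
            "exp": time.time() + TOKEN_TTL_SECONDS,
        }
        body = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims, "sig": hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()}


class SecretStore:
    """Releases a resource only to a holder of a valid, unexpired token that passes policy."""

    def __init__(self, resources, policy):
        self._resources = resources
        self._policy = policy

    def get_resource(self, token, name):
        if token is None:
            return None
        body = json.dumps(token["claims"], sort_keys=True).encode()
        expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None  # token was not issued by the verifier
        if token["claims"]["exp"] < time.time():
            return None  # token expired
        if not self._policy(token["claims"]):
            return None  # evidence passed verification but not the release policy
        return self._resources.get(name)


def allow_only_hardware_tee(claims):
    # Constructed policy: only evidence from SEV-SNP or TDX pods may receive secrets.
    return claims.get("tee") in {"snp", "tdx"}


def fetch_db_credentials(measurement, tee="snp"):
    """Runs the whole exchange for one pod; returns the secret or None if refused."""
    verifier = Verifier()
    store = SecretStore({"db/credentials": "example-password"}, allow_only_hardware_tee)
    nonce = verifier.challenge()
    evidence = {"nonce": nonce, "tee": tee, "measurement": measurement}
    token = verifier.attest(evidence)
    return store.get_resource(token, "db/credentials")


if __name__ == "__main__":
    good = REFERENCE_VALUES["measurement"]
    print("approved image:", fetch_db_credentials(good))
    print("tampered image:", fetch_db_credentials(hashlib.sha384(b"tampered-image").hexdigest()))
    print("sample TEE:    ", fetch_db_credentials(good, tee="sample"))
```

The point the model makes is that the plaintext secret exists only inside the store and the attested pod: a pod with a tampered measurement, a replayed nonce, a forged token or a non-hardware TEE type never receives it, and a cluster administrator reading the pod spec sees only the token exchange.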

Production-ready on Azure: Confidential containers GA on Azure Red Hat OpenShift

Azure Red Hat OpenShift is a managed OpenShift service on Azure run jointly by Red Hat and Microsoft. The Azure Red Hat OpenShift confidential containers solution, which includes OpenShift sandboxed containers and Red Hat build of Trustee, allows you to protect sensitive data while it is in use.

By using the hardware-backed trusted execution environments (TEEs) on Azure, you can now isolate your workloads from the host administrator, the cloud provider, and other tenants.

"The general availability of confidential containers on Azure Red Hat OpenShift is a direct answer to our customers' need for security without complexity. This isn't just about a new feature, it's about delivering verifiable, hardware-level protection as a fully managed service. Enterprises can now move their most sensitive applications to the cloud with confidence, knowing the service is jointly backed by Red Hat and Microsoft. It’s the zero-trust promise, simplified and delivered at scale."

— Marcos Entenza Garcia, Product Manager

This general availability release is built on a foundation of stability, performance, and improved cloud integration. Key features include:

  • Faster boot times: Virtual machine (VM) boot times on Azure are now optimized, leading to quick and reliable pod startup.
  • Improved Azure integration: OpenShift sandboxed containers can now leverage pre-created VM images for peer pods, allowing for better resource management and integration with Azure's infrastructure.
  • Proven stability: Every release is rigorously validated on Azure, providing consistent and reliable performance for your production confidential workloads.

For more detailed information around this announcement, please read: Enhance workload security with confidential containers on Azure Red Hat OpenShift.

Explore the interactive demo to see confidential containers on Azure Red Hat OpenShift in action.

Expanding to bare metal: Technology preview for Intel TDX and AMD SEV-SNP

The technical preview solution allows you to deploy confidential containers directly onto OpenShift 4.20+ nodes equipped with TEE-capable hardware, such as AMD SEV-SNP or Intel TDX.

"Our hybrid cloud strategy means meeting customers where they are, and that includes their on-premises data centers. The tech preview for bare metal is a critical step in providing a consistent confidential computing experience everywhere. This unlocks new possibilities for protecting data-intensive workloads like AI and analytics right on their own hardware. We are excited to work with our customers and partners on this preview to shape the future of on-premises secure computing."

— Marcos Entenza Garcia, Product Manager

This technical preview centers on enhanced built-in automation, with the OpenShift sandboxed containers operator now automatically:

  1. Detecting TEE hardware: The operator detects node labels for AMD SNP and Intel TDX.
  2. Creating runtimes: It dynamically creates the kata-cc RuntimeClass.
  3. Configuring the host: It manages the CRI-O configuration via MachineConfigs to use the new runtime class.

This automation simplifies the "Hello TEE" experience, allowing you to boot your first confidential container on bare metal.
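To make the three automation steps concrete, here is an added example written for this post, not the OpenShift sandboxed containers operator's own code: a Python model that detects a TEE type from node labels, emits the kata-cc RuntimeClass, and renders the CRI-O runtime stanza wrapped in a MachineConfig. The label keys, the shim path and the file name under /etc/crio/crio.conf.d are assumptions chosen for illustration; the page does not name the labels or paths the real operator uses.

```python
"""Added example (not the operator's code): the three bare-metal automation steps.
Label keys, shim path and file names are assumptions made for this illustration."""
import base64

# Assumed node labels marking TEE-capable hardware (constructed for this example).
TEE_LABELS = {
    "example.io/amd-sev-snp": "snp",
    "example.io/intel-tdx": "tdx",
}
TEE_READY_LABEL = "example.io/kata-cc-ready"      # assumed label used for scheduling
RUNTIME_CLASS = "kata-cc"
SHIM_PATH = "/usr/bin/containerd-shim-kata-v2"   # assumed path of the Kata shim

# Constructed sample inventory: two TEE nodes and one ordinary worker.
SAMPLE_NODES = {
    "worker-0": {"example.io/amd-sev-snp": "true"},
    "worker-1": {"example.io/intel-tdx": "true"},
    "worker-2": {"kubernetes.io/os": "linux"},
}


def detect_tee(node_labels):
    """Step 1: return 'snp', 'tdx' or None from a node's label map."""
    found = {tee for key, tee in TEE_LABELS.items() if node_labels.get(key) == "true"}
    if len(found) > 1:
        raise ValueError(f"node advertises more than one TEE type: {sorted(found)}")
    return next(iter(found), None)


def runtime_class_manifest():
    """Step 2: a RuntimeClass whose pods are scheduled only onto TEE-ready nodes."""
    return {
        "apiVersion": "node.k8s.io/v1",
        "kind": "RuntimeClass",
        "metadata": {"name": RUNTIME_CLASS},
        "handler": RUNTIME_CLASS,
        "scheduling": {"nodeSelector": {TEE_READY_LABEL: "true"}},
    }


def crio_runtime_config():
    """Step 3a: the CRI-O drop-in that registers the kata-cc runtime handler."""
    return (
        f"[crio.runtime.runtimes.{RUNTIME_CLASS}]\n"
        f'runtime_path = "{SHIM_PATH}"\n'
        'runtime_type = "vm"\n'
        "privileged_without_host_devices = true\n"
    )


def machine_config_manifest(role="worker"):
    """Step 3b: a MachineConfig delivering the CRI-O drop-in to nodes of the role."""
    encoded = base64.b64encode(crio_runtime_config().encode()).decode()
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": f"50-{RUNTIME_CLASS}-crio",
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {"config": {
            "ignition": {"version": "3.2.0"},
            "storage": {"files": [{
                "path": f"/etc/crio/crio.conf.d/50-{RUNTIME_CLASS}.conf",
                "mode": 0o644,
                "overwrite": True,
                "contents": {"source": f"data:text/plain;charset=utf-8;base64,{encoded}"},
            }]},
        }},
    }


def reconcile(nodes):
    """Run the three steps over {node name: labels}; returns nothing to apply
    when no node carries TEE hardware, so non-TEE clusters are left untouched."""
    tee_nodes = {}
    for name, labels in nodes.items():
        tee = detect_tee(labels)
        if tee:
            tee_nodes[name] = tee
    if not tee_nodes:
        return {}
    return {
        "tee_nodes": tee_nodes,
        "runtime_class": runtime_class_manifest(),
        "machine_config": machine_config_manifest(),
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_NODES)
    print("TEE nodes:", result["tee_nodes"])
    print(crio_runtime_config())
```

A pod then opts in with `runtimeClassName: kata-cc`; the RuntimeClass node selector keeps such pods off nodes without TEE hardware, and the MachineConfig is what actually teaches CRI-O about the handler on the hosts.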

For additional information on the confidential containers on bare metal solution, we recommend reading our previous blog: Introducing confidential containers on bare metal.

Real-world use cases and problems solved

The value of confidential containers is already being proven in production environments. DBS Bank, Singapore's largest bank, re-platformed its digital asset custodian operations on OpenShift using confidential containers, in what is recognized as a world-first deployment. This initiative delivered a more scalable, security-focused, and future-ready foundation for their digital asset services while strengthening security, reducing operational risk, and accelerating service delivery. The deployment earned DBS Bank the AI & Emerging Tech category win at the Red Hat APAC Innovation Awards 2025. As Ang Li Khim, Group Head of DBS Bank Institutional Banking Group Technology, noted, "Our collaboration with Red Hat on the production deployment of confidential containers on our digital assets infrastructure has enabled us to innovate at greater speed and scale, providing secure and resilient services to our customers." This real-world implementation demonstrates how confidential containers address critical security and compliance requirements in highly regulated industries where protecting sensitive data and cryptographic assets is paramount.

What's next

Our work on confidential containers is just getting started. With OpenShift sandboxed containers 1.11 now available on Azure and Azure Red Hat OpenShift, we're turning our attention to expanding the reach and capabilities of this technology to meet other enterprise security needs.

Bare metal support is a top priority. Many organizations require the performance and control that comes with running workloads directly on physical infrastructure, and we're committed to bringing confidential containers to bare metal environments. This will give users the flexibility to deploy confidential workloads wherever their infrastructure demands, whether in the cloud or on-premises.

We're also investing heavily in enabling confidential computing for AI workloads. As organizations increasingly rely on sensitive data to train and run AI models, protecting that data throughout the entire lifecycle becomes critical. We're collaborating closely to bring confidential GPU capabilities to OpenShift, so you can run AI and machine learning workloads with the same strong isolation and attestation you expect from non-AI workloads via confidential containers.

Beyond Azure, we're working to extend confidential container support to additional cloud platforms where OpenShift runs. Our goal is to provide a consistent, confidential computing experience regardless of where you choose to deploy, giving you the freedom to select the platform that best fits your needs without compromising on security.

Finally, we remain focused on simplifying the experience of deploying and managing confidential workloads. We'll continue refining our tooling, documentation, and workflows to make it increasingly simple to protect your most sensitive applications with confidential containers.

Try confidential containers on OpenShift today

Your most sensitive workloads deserve hardware-backed protection that keeps data encrypted, protecting it even from infrastructure administrators.

Get started through the Red Hat Hybrid Cloud Console and begin protecting your most sensitive workloads with OpenShift and confidential containers in minutes.


About the authors

Marcos Entenza, a.k.a Mak, works on the core Red Hat OpenShift Container Platform for hybrid and multi-cloud environments to enable customers to run Red Hat OpenShift anywhere. Mak is an experienced Product Manager passionate about building scalable infrastructures and he oversees installation, provider integration, and confidential computing on OpenShift.

Jens Freimann is a Software Engineering Manager at Red Hat with a focus on OpenShift sandboxed containers and Confidential Containers. He has been with Red Hat for more than six years, during which he has made contributions to low-level virtualization features in QEMU, KVM and virtio(-net). Freimann is passionate about Confidential Computing and has a keen interest in helping organizations implement the technology. Freimann has over 15 years of experience in the tech industry and has held various technical roles throughout his career.
