Subscribe to the feed
Confidential Containers logo and wordmark

What are Confidential Containers?

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks to help better secure user data in use. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to standardize confidential computing at the container level and simplify its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

Confidential Containers are available from OpenShift sandboxed containers release version 1.7.0 as a tech preview on Azure cloud for both Intel TDX and AMD SEV-SNP. The tech preview also includes support for confidential containers on IBM Z and LinuxONE using Secure Execution for Linux (IBM SEL). Future releases will support bare metal deployments and additional public clouds.


LIST OF BLOGS

AI meets security: POC to run workloads in confidential containers using NVIDIA accelerated computing

November 12, 2024 - Ariel Adam, Emanuele Giuseppe Esposito, Pradipta Banerjee, Hema Shankar Bontha

This blog presents a proof-of-concept integrating NVIDIA GPUs with Kubernetes services like Red Hat OpenShift, the stack demonstrating how organizations can transition from traditional to confidential, accelerated workloads..…Read full post

Secure cloud bursting: Leveraging confidential computing for peace of mind

November 7, 2024 - Axel Sass, Ariel Adam, Pei Zhang, Emanuele Giuseppe Esposito, Pradipta Banerjee

For confidential computing, one of the key use cases is secure cloud bursting. The goal in this is to extend the trust organizations have in their on-premise environment to the public cloud while adhering to regulatory requirements..…Read full post

Confidential Containers with IBM Secure Execution for Linux

October 22, 2024 - Nicolas Maeding, Ariel Adam, Pradipta Banerjee

As part of OpenShift sandboxed containers release version 1.7.0 the support for Confidential Containers on IBM Z and LinuxONE using Secure Execution for Linux (SEL) is included. In this article we want to share further details on the solution and considerations in the context of the technology specifics...…Read full post

Deployment considerations for Red Hat OpenShift Confidential Containers solution

September 15, 2024 - David Hadas, Pradipta Banerjee, Jens Freimann, Ariel Adam

In our previous articles, we introduced the Red Hat OpenShift confidential containers (CoCo) solution and relevant use cases. We demonstrated how components of the CoCo solution, spread across trusted and untrusted environments, including confidential virtual machine (CVM), guest components, TEEs, Confidential compute attestation operator, Trustee agents, and more, work together as part of the solution. In this article, we take you a step further to discuss key deployment considerations for the Red Hat OpenShift CoCo solution and its components.…Read full post

Use cases and ecosystem for OpenShift confidential containers

September 8, 2024 - Ariel Adam, Pradipta Banerjee, Jens Freimann, Emanuele Giuseppe Esposito

Red Hat OpenShift sandboxed containers, built on Kata Containers, provide the additional capability to run confidential containers (CoCo). This article continues our previous one, Exploring the OpenShift confidential containers solution and looks at different CoCo use cases and the ecosystem around the confidential compute attestation operator..…Read full post

Exploring the OpenShift confidential containers solution

September 1, 2024 - Ariel Adam, Pradipta Banerjee, Jens Freimann

Red Hat OpenShift sandboxed containers, built on Kata Containers, now provide the additional capability to run confidential containers (CoCo). Confidential Containers are containers deployed within an isolated hardware enclave protecting data and code from privileged users such as cloud or cluster administrators.…Read full post

Introducing Confidential Containers Trustee: Attestation Services Solution Overview and Use Cases

April 4, 2024 - Ariel Adam, Pradipta Banerjee

We begin by introducing the RATS model and its components. After that, we discuss the Trustee project, its various components, and how they relate to the RATS model. Finally, we present a few use cases that demonstrate the usage of the CoCo Trustee and guest-components project....Read full post.

Confidential Containers for Financial Services on Public Cloud

March 8, 2024 - Axel Sass, Malini Bhandaru, Eric Adams, Jens Freimann, Emanuele Giuseppe Esposito, Ariel Adam, Benny Fuhry, Magnus Kulke, Suraj Deshmukh

Public clouds provide geo resilience in addition to being cost-effective when compared to on-premise deployments. Regulated industries such as the Financial Services Industry (FSI) traditionally have been unable to take advantage of public clouds since FSI is highly regulated from a security and resiliency standpoint...Read full post


LIST OF PREVIOUS BLOGS

What is the Confidential Containers project?

October 7, 2022 - Pradipta Banerjee, Christophe de Dinechin, Ariel Adam, Jochen Schroder, Martin Tessun

Understanding the Confidential Containers Attestation Flow

December 2, 2022 - Pradipta Banerjee, Samuel Ortiz

How to use Confidential Containers without confidential hardware

March 6, 2023 - Wainer dos Santos Moschetta, Steve Horsman

Deploying confidential containers on the public cloud

April 14, 2023 - Jens Freimann, Suraj Deshmukh, Amar Gowda, Ariel Adam, Pradipta Banerjee

Confidential Containers on Azure with OpenShift: A technical deep dive

May 22, 2023 - Magnus Kulke, Pradipta Banerjee, Suraj Deshmukh, Jens Freimann

Confidential containers on Azure with OpenShift: setup guide

June 8, 2023 - Pradipta Banerjee, Snir Sheriber, Suraj Deshmukh, Jens Freimann, Magnus Kulke

Confidential containers with AMD SEV

June 19, 2023 - Wainer dos Santos Moschetta, Ryan Savino

Protecting your intellectual property and AI models using Confidential Containers

October 26, 2023 - Ariel Adam, Tanay Baswa, Pradipta Banerjee, Suraj Deshmukh, Jens Freimann, Magnus Kulke, Prashanth Harshangi

Confidential containers for enhancing AI workload security in the public cloud

November 3, 2023 - Ariel Adam, Malini Bhandaru, Pradipta Banerjee, Eric Adams, Fabiano Fidêncio, Suraj Deshmukh, Sean Pryor

 


VIDEOS

Cloud bursting Demo - with TDX

This video is a cloud bursting demo. The pod is scaled to Azure running as Confidential Containers on TDX.

Retrieving secrets from a confidential container with the Trustee operator

This demo shows how a confidential container created with the Openshift Sandboxed Containers Operator can retrieve secrets from the Trustee operator by performing remote attestation.)

Confidential Containers with OpenShift on Azure

This demo shows a spark workload deployed as confidential containers using the OpenShift sandboxed containers peer-pods approach. The confidential containers are using Azure Confidential Virtual Machine (CVM)

Securing AI Models with Intel TDX-based Containers on Red Hat OpenShift for Azure

This video demonstrates decrypting a sample LLM and running the inference using OpenShift AI inside an Intel TDX Trusted Execution Environment with OpenShift confidential containers on Azure

Red Hat OpenShift confidential containers environment on Azure

Overview of components constituting a confidential containers solution on OpenShift

Red Hat OpenShift confidential containers key retrieval demo

Key retrieval by a "hello-world" application deployed as confidential containers on Openshift in Azure

Deploying a confidential container having an encrypted container image

Deploying a confidential container having encrypted container image on Openshift. Shows image decryption key retrieval from the Key Broker Service, after successful verification of the claims sent by the trusted execution environment.

Confidential Containers for financial services on public cloud

Demonstrates usage of Red Hat OpenShift confidential containers with Intel TDX to protect financial services workload in public cloud.


 

Related blog series

A blog series on various forms of attestation for Confidential Computing use cases.

 

A blog series on Confidential Virtual Machines (CVMs) which are a set of hardware and software technologies providing additional measures for the confidentiality of the data processed within the VMs.


About the author

UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech