
Red Hat announced that it will support the Cloud Native Computing Foundation’s (CNCF) new Confidential Containers (CoCo) project. The technology should improve the security of containers in Kubernetes clusters.

The CoCo project aims to strengthen the security of containers in Kubernetes clusters. The technology helps deploy Kubernetes containers in so-called ‘hardware-enforced’ enclaves. Enclaves prevent hosts from accessing the information contained in containers.

The project revolves around deploying containers in so-called Trusted Execution Environments (TEE). Most processor architectures already offer a technology of this kind. To run containers in a TEE, communications between the TEE and the host machine must be restricted. This cannot be done with current containers, which are essentially processes running directly on the host kernel.

Kata Containers

To solve this problem, developers closely examined VMs. Running encrypted VMs is fairly accessible these days due to support for AMD’s SEV and SEV-ES, as well as Intel’s SGX and TDX.

The CoCo project uses a different technology for running Kubernetes container workloads: Kata Containers. The OpenStack-supported technology is based on an amalgamation of Intel ClearContainers and Hyper runV.

Support for five TEE technologies

Ultimately, the CoCo project supports five different TEE technologies: the AMD and Intel tools mentioned above, and two IBM technologies dubbed Protected Execution Facility (PEF) and Secure Execution for Linux (SE).

If these TEE technologies prove successful, support for Arm (TrustZone) and RISC-V may eventually be added. Currently, configuring the technology can be limited to the equivalent of checking a box in the Kubernetes configuration: a single line of YAML.

Red Hat’s vision

Red Hat has not yet announced what its support will entail. According to the hybrid cloud vendor, the company strives to be one of the first to provide the tooling that customers require to adhere to technical regulatory changes. Confidential Computing is a high priority in this regard. Red Hat sees the field as a game-changer.

According to the vendor, Confidential Container technology helps companies lay the foundation for Confidential Computing. The long-term integration of Confidential Containers into Red Hat OpenShift is a priority.

Meanwhile, the first version of CoCo (v0.1.0) is available. As the version number indicates, the technology is very new and not yet suitable for immediate deployments.