--- title: Confidential Containers pattern date: 2024-10-03 tier: sandbox summary: This pattern helps you get started with deploying confidential containers in OpenShift Container Platform. rh_products: - Red Hat OpenShift Container Platform - Red Hat Advanced Cluster Management - Red Hat OpenShift Sandbox Containers industries: - General aliases: /coco-pattern/ pattern_logo: coco-logo.png links: github: https://github.com/validatedpatterns/coco-pattern install: coco-pattern-getting-started bugs: https://github.com/validatedpatterns/coco-pattern/issues feedback: https://docs.google.com/forms/d/e/1FAIpQLScI76b6tD1WyPu2-d_9CCVDr3Fu5jYERthqLKJDUGwqBg7Vcg/viewform --- :toc: :imagesdir: /images :_content-type: ASSEMBLY include::modules/comm-attributes.adoc[] = About the Confidential Containers pattern Confidential computing is a technology for securing data in use. It uses a https://en.wikipedia.org/wiki/Trusted_execution_environment[Trusted Execution Environment] provided within the hardware of the processor to prevent access from others who have access to the system. https://confidentialcontainers.org/[Confidential containers] is a project to standardize the consumption of confidential computing by making the security boundary for confidential computing to be a Kubernetes pod. https://katacontainers.io/[Kata containers] is used to establish the boundary via a shim VM. A core goal of confidential computing is to use this technology to isolate the workload from both Kubernetes and hypervisor administrators. image::coco-pattern/isolation.png[Schematic describing the isolation of confidential contains from the hosting system] This pattern uses https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7/html/user_guide/deploying-on-azure#deploying-cc_azure-cc[Red Hat OpenShift sandbox containers] to deploy and configure confidential containers on Microsoft Azure. It deploys three copies of 'Hello OpenShift' to demonstrate some of the security boundaries that enforced with confidential containers. == Requirements - An an azure account with the link:./coco-pattern-azure-requirements/[required access rights] - An OpenShift cluster, within the Azure environment updated beyond 4.16.10 == Security considerations **This pattern is a demonstration only and contains configuration that is not best practice** - The default configuration deploys everything in a single cluster for testing purposes. The https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html[RATS] architecture mandates that the Key Broker Service (e.g. https://github.com/confidential-containers/trustee[Trustee]) is in a trusted security zone. - The https://github.com/confidential-containers/trustee/tree/main/attestation-service[Attestation Service] has wide open security policies. == Future work * Deploying the environment the 'Trusted' environment including the KBS on a separate cluster to the secured workloads * Deploying to alternative environments supporting confidential computing including bare metal x86 clusters; IBM Cloud; IBM Z * Finishing the sample AI application == Architecture Confidential Containers typically has two environments. A trusted zone, and an untrusted zone. In these zones, Trustee, and the sandbox container operator are deployed, respectively. ** For demonstration purposes the pattern currently is converged on one cluster** image::coco-pattern/overview-schematic.png[Schematic describing the high level architecture of confidential containers] == References - https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7/html/user_guide/about-osc#about-confidential-containers_about-osc[OpenShift sandboxed containers documentation] - https://www.redhat.com/en/blog/exploring-openshift-confidential-containers-solution[OpenShift confidential containers solution blog]