Understanding Confidential Containers - Workshop on ARO

Red Hat Openshift sandboxed containers provides the capability to run Confidential Containers (CoCo). Confidential Containers are containers deployed within an isolated hardware enclave protecting data and code from privileged users such as cloud or cluster administrators. The CNCF Confidential Containers project is the foundation for the OpenShift CoCo solution.Note that CoCo is an additional feature provided by OpenShift sandboxed containers, and consequently, it’s available through the OpenShift sandboxed containers operator.

Please refer to the Exploring the OpenShift Confidential Containers solution blogpost for more information.

In this workshop, we are also showing another operator, the confidential compute attestation operator (also known as Trustee), which can verify the trustworthiness of TEEs remotely. For more information, please refer to this blogpost.

We will show how to set up the Trustee and OSC operator and run a simple hello-openshift Confidential Container running with the kata-remote runtime class (peer pods solution). This effectively means that the hello-openshift container runs in a separate, confidential, independent virtual machine, and not in the worker node. In a another example, we will also show how attestation and secure key retrieval worflow happens between a CoCo pod and Trustee.

The goal of this workshop is to provide the user not only an environment and documentation to test CoCo, but also provide additional explanations on the design choices behind some options and the benefit they bring to the overall user experience. CoCo is designed to bring confidential computing at kubernetes level, making it as simple as possible while preserving all security benefits that confidential computing brings.

Before starting this workshop, we suggest to read the following blogposts to get a background on CoCo:

All blogposts are under this blog series.

Setting up the environment

  1. Navigate to the console website: Openshift Console

  2. Login as administrator:

    • Username: kubeadmin

    • Password: insert_your_pw_here

  3. Go into the terminal on the right and run the following commands:

    • Log into azure CLI: az login --service-principal -u insert_your_sp_here -p insert_your_sppw_here --tenant insert_your_tid_here

    • Export the AZURE_RESOURCE_GROUP variable. It will needed when setting up the operator: export AZURE_RESOURCE_GROUP=insert_your_rg_here

Next: This workshop follows a different approach from the official documentation, and in order to set up the whole system for CoCo only once, we recommend starting with Trustee installation and configuration. Only then we can configure OSC to interface directly with Trustee.

If you are running this workshop from an Azure self managed OCP cluster, note that there are very small tweaks to follow, but they are too documented in this guide.