Understanding Confidential Containers - Workshop on ARO

Red Hat OpenShift sandboxed containers provides the capability to run Confidential Containers (CoCo). Confidential Containers are containers deployed within an isolated hardware enclave that protects data and code from privileged users such as cloud or cluster administrators. The CNCF Confidential Containers project is the foundation for the OpenShift CoCo solution. Note that CoCo is an additional feature provided by OpenShift sandboxed containers, and consequently, it’s available through the OpenShift sandboxed containers operator.

Please refer to the Exploring the OpenShift Confidential Containers solution blogpost for more information.

In this workshop, we are also showing another operator, the confidential compute attestation operator (also known as Trustee), which can verify the trustworthiness of TEEs remotely. For more information, please refer to this blogpost.

We will show how to set up the Trustee and OSC operators and run a simple hello-openshift Confidential Container with the kata-remote runtime class (peer pods solution). This effectively means that the hello-openshift container runs in a separate, confidential, independent virtual machine, and not in the worker node. In another example, we will also show how the attestation and secure key retrieval workflow happens between a CoCo pod and Trustee.

The goal of this workshop is to provide the user not only with an environment and documentation to test CoCo, but also with additional explanations of the design choices behind some options and the benefit they bring to the overall user experience. CoCo is designed to bring confidential computing to the Kubernetes level, making it as simple as possible while preserving all the security benefits that confidential computing brings.

Before starting this workshop, we suggest reading the following blog posts to get a background on CoCo:

All blog posts are under this blog series.

Choose your guide

There are three guides:

  • The theory, to get a high-level overview of what confidential computing is and what the two operators we are going to use are.

  • The Admin guide, to learn how to install and configure the operators, which configs to set up and why we need such things. This is useful for admins that need to set up the cluster environment.

  • The User guide, where both OSC and Trustee will be automatically installed and configured, and all that is left to do is run the confidential container. This is useful for end users who want to experiment with CoCo without going into the installation steps.

In this workshop, we will install Trustee in the same cluster that hosts OSC and therefore Confidential Containers. This is not a suitable solution for production environments. Because the Trustee operator contains the reference values and secrets that are necessary to establish whether a Confidential Container is running in a truly safe environment, it should be installed in a separate cluster running in a trusted environment (on prem, for example). Because of the limitations of this ARO workshop, it is not possible to set up two clusters. You can assume that everything running in the trustee-operator-system namespace should run in a trusted, separate environment.