Confidential Kubernetes Clusters and Containers

Understanding the differences

Pradipta Banerjee
2 min read · Mar 4, 2024

If you are new to confidential computing, I suggest you start with the following article on understanding a confidential computing solution.

In the Kubernetes world, there are two broad ways for you to use confidential computing:

  1. Confidential Cluster: The entire Kubernetes cluster is running inside a confidential environment. The cluster nodes are confidential VMs, and any workload deployed on these cluster nodes benefits from confidentiality.
  2. Confidential Container: The Kubernetes pod is running inside a confidential environment. This approach is more granular, where confidentiality is available to the workload of your choice.

Source: Image created by the author

Both confidential Kubernetes clusters and containers aim to enhance data security and privacy of Kubernetes workloads by leveraging hardware-based encryption and attestations for trust.

In this blog, I’ll briefly discuss the differences between these two approaches so that you can make an informed decision. I’ll also include some examples for you to get started.

Differences:

  • Scope: Confidential clusters encompass an entire Kubernetes cluster, while confidential containers focus on individual workloads (pods).
  • Isolation Level: Confidential clusters isolate at the cluster level, whereas confidential containers isolate at the workload (pod) level.
  • Use Cases: Confidential clusters are ideal for scenarios where multiple sensitive workloads from the same tenant coexist. Confidential containers are suitable for specific applications, whether running inside or outside a cluster, and for multi-tenant scenarios.
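To make the scope difference concrete, here is an added example (not from this article or the CoCo project) that classifies each pod by which approach protects it: node-level (the pod is scheduled on a confidential VM, as in a confidential cluster) or pod-level (the pod opts into a CoCo RuntimeClass). The RuntimeClass names, the node label key and the pod/node records are assumptions constructed inline in the shape `kubectl ... -o json` returns.

```python
# Added example, not from the article: classify each pod by which
# confidential-computing approach protects it.

# Assumed: RuntimeClass names the CoCo operator registers on this cluster;
# a pod opts in individually via spec.runtimeClassName.
COCO_RUNTIME_CLASSES = {"kata-qemu-snp", "kata-qemu-tdx", "kata-remote"}

# Assumed placeholder label a provisioner puts on confidential-VM nodes;
# in a confidential cluster every node carries it.
CVM_LABEL_KEY, CVM_LABEL_VALUE = "example.com/confidential-vm", "true"


def confidential_nodes(nodes):
    """Names of nodes whose labels mark them as confidential VMs."""
    return {n["metadata"]["name"] for n in nodes
            if n["metadata"].get("labels", {}).get(CVM_LABEL_KEY) == CVM_LABEL_VALUE}


def classify_pod(pod, cvm_nodes):
    """Return 'container' (pod-level), 'cluster' (node-level) or 'none'.

    The pod-level boundary wins when both apply, since it is the narrower
    one; 'none' means the workload has no hardware-based isolation at all.
    """
    spec = pod.get("spec", {})
    if spec.get("runtimeClassName") in COCO_RUNTIME_CLASSES:
        return "container"
    if spec.get("nodeName") in cvm_nodes:
        return "cluster"
    return "none"


def audit(pods, nodes):
    """Map 'namespace/name' -> classification for every pod."""
    cvm_nodes = confidential_nodes(nodes)
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}":
            classify_pod(p, cvm_nodes) for p in pods}


# Constructed sample data: one confidential node and one ordinary node.
SAMPLE_NODES = [
    {"metadata": {"name": "cvm-1", "labels": {CVM_LABEL_KEY: "true"}}},
    {"metadata": {"name": "plain-1", "labels": {}}},
]
SAMPLE_PODS = [  # ledger: confidential cluster; records: CoCo pod; frontend: neither
    {"metadata": {"namespace": "fin", "name": "ledger"}, "spec": {"nodeName": "cvm-1"}},
    {"metadata": {"namespace": "health", "name": "records"},
     "spec": {"nodeName": "plain-1", "runtimeClassName": "kata-qemu-snp"}},
    {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {"nodeName": "plain-1"}},
]
```

Running `audit(SAMPLE_PODS, SAMPLE_NODES)` yields `fin/ledger` as `cluster`, `health/records` as `container` and `web/frontend` as `none`; the last category is the gap an inventory like this is meant to surface.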

The following table lists the key differences:

Source: table created by the author

How to get started?

Confidential Clusters

The easiest way to get started with confidential clusters is to use the confidential Kubernetes distribution from Edgeless Systems.

You can also use confidential nodes with Google Kubernetes Engine (GKE) or Azure Kubernetes Service (AKS).

Confidential Containers

You can get started with the CNCF Confidential Containers (CoCo) project. The project aims to provide a standard confidential computing environment for Kubernetes pods that works across infrastructure providers.

You can also explore offerings from Azure or Red Hat.

Conclusion

Confidential Kubernetes clusters and containers are complementary technologies that contribute to a more secure and trusted Kubernetes computing environment. They are essential for protecting sensitive information such as financial data, healthcare records, and intellectual property and meeting compliance requirements.
