AKS Confidential Containers
Definition
AKS Confidential Containers is a feature in Azure Kubernetes Service (AKS) that enhances the security of containerized applications by leveraging hardware-based Trusted Execution Environments (TEEs). This feature ensures that data in use is protected from unauthorized access, even from privileged users or the host operating system. By using confidential computing, AKS Confidential Containers provide an additional layer of security for sensitive workloads, ensuring that data remains encrypted and isolated during processing.
Secure Settings Example
apiVersion: v1
kind: Pod
metadata:
name: confidential-pod
spec:
containers:
- name: confidential-container
image: mysecureimage:latest
securityContext:
runAsUser: 1000
runAsGroup: 3000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
limits:
memory: "512Mi"
cpu: "500m"
env:
- name: AZURE_CONFIDENTIAL_COMPUTE
value: "true"
Insecure Settings Example
apiVersion: v1
kind: Pod
metadata:
name: insecure-pod
spec:
containers:
- name: insecure-container
image: myinsecureimage:latest
securityContext:
runAsUser: 0
allowPrivilegeEscalation: true
capabilities:
add:
- NET_ADMIN
resources:
limits:
memory: "512Mi"
cpu: "500m"
env:
- name: AZURE_CONFIDENTIAL_COMPUTE
value: "false"