Confidential Containers
Definition
Confidential Containers are a security approach designed to protect data in use by isolating container workloads using hardware-based Trusted Execution Environments (TEEs). This ensures that sensitive data processed within the container remains confidential, even from the host operating system and cloud provider. By leveraging TEEs, confidential containers provide a secure enclave for executing code and data, mitigating risks associated with multi-tenant environments.
Secure Settings Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: confidential-app
spec:
template:
spec:
containers:
- name: app-container
image: confidential-image:latest
securityContext:
runAsUser: 1000
runAsGroup: 3000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runtimeClassName: confidential-runtime
Insecure Settings Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: insecure-app
spec:
template:
spec:
containers:
- name: app-container
image: insecure-image:latest
securityContext:
runAsUser: 0
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
runtimeClassName: default-runtime