Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Confidential containers, a feature of Red Hat OpenShift sandboxed containers, offer a robust solution to protect sensitive data within cloud environments. When you use hardware-based trusted execution environments (TEEs), confidential containers provide a secure enclave within the host system, isolating applications and their data from potential threats. This isolation ensures that even if the host system is compromised, the confidential data remains protected.
This article describes the benefits of using confidential containers to safeguard sensitive data and explains how confidential containers function within Azure Red Hat OpenShift.
Benefits of Using confidential containers
Confidential containers offer several key benefits:
- Enhanced Data Security: By isolating applications and their data within a secure enclave, confidential containers protect sensitive information from unauthorized access, even if the host system is compromised.
- Regulatory Compliance: Industries such as healthcare, finance, and government are subject to stringent data privacy regulations. Confidential containers can help organizations meet these compliance requirements by providing a robust mechanism for protecting sensitive data.
- Improved Trust and Confidence: confidential containers can foster trust between cloud service providers and their customers by demonstrating commitment to data security and privacy.
- Reduced Risk of Data Breaches: The use of confidential containers can significantly reduce the risk of data breaches, which can have devastating consequences for organizations.
- Increased Efficiency: confidential containers can streamline the development and deployment of applications by providing a secure and efficient environment for running sensitive workloads.
Typical use cases
The following table describes the most common use cases for deploying confidential containers.
| Use case | Industry | Example |
|---|---|---|
| Regulator compliance Meeting strict data protection and privacy regulations. |
Government, Finance, Healthcare | A healthcare provider using Confidential containers to process and store patient data in compliance with HIPAA regulations. |
| Multi-tenancy environments Hosting multiple clients' applications and data with strong isolation. |
SaaS providers, Cloud service providers | A cloud service provider offering isolated environments for different clients within the same infrastructure. |
| Confidential Analytics | Any industry using sensitive data processing. | Safely process proprietary or regulated data where confidentiality is essential. |
How confidential containers work
Confidential containers are a feature of Red Hat OpenShift sandboxed containers, which provide an isolated environment for running containerized applications. The core of confidential containers is the Confidential Virtual Machine (CVM). This specialized virtual machine, operating within a Trusted Execution Environment (TEE), establishes a secure enclave for applications and their associated data. TEEs, hardware-based isolated environments fortified with enhanced security features, ensure that even if the host system is compromised, the data residing within the CVM remains protected.
Azure Red Hat OpenShift serves as the orchestrator, overseeing the sandboxing of workloads (pods) through the utilization of virtual machines. With CVMs, Azure Red Hat OpenShift empowers Confidential Container capabilities for your workloads. After a confidential containers workload is created, Azure Red Hat OpenShift deploys it within a CVM executing within the TEE, providing a secure and isolated environment for your sensitive data.
The diagram shows the three main steps for using confidential containers on a cluster:
- The OpenShift sandboxed containers Operator is deployed on the cluster.
- Kata Runtime container on a worker node uses the cloud-api-adapter to create a peer pod on a confidential virtual machine.
- The remote attestation agent on the peer pod initiates the attestation of the container image before the kata-agent deploys it, ensuring the integrity of the image.
Note
The confidential containers feature is supported on Azure Red Hat OpenShift clusters with version 4.15 or higher.
Attestation
Attestation constitutes a fundamental component of confidential containers, particularly within the context of zero-trust security. Before you deploy a workload as a confidential containers workload, it's imperative to verify the trustworthiness of the TEE where the workload is executed. Attestation ensures that the TEE is indeed secure and possesses the capability to safeguard your confidential data.
The Red Hat build of Trustee project
The Red Hat build of Trustee project provides the attestation capabilities essential for confidential containers. It executes attestation operations and delivers secrets to the TEE following successful verification. Key components of the Red Hat build of Trustee include the following items:
- Guest agents: These components operate within the CVM, including the Attestation Agent (AA) responsible for transmitting evidence to substantiate the environment's trustworthiness.
- Key Broker Service (KBS): This service functions as an entrypoint for remote attestation, forwarding evidence to the Attestation Service (AS) for verification.
- Attestation Service (AS): This service validates the TEE evidence.
Red Hat build of Trustee Operator
The Red Hat build of Trustee Operator, an integral component of the Azure Red Hat OpenShift confidential containers solution, facilitates the deployment and management of Red Hat build of Trustee services within a cluster. It streamlines the configuration of Red Hat build of Trustee services and the management of secrets for confidential containers workloads.
A Unified perspective
A typical confidential containers deployment involves Azure Red Hat OpenShift working with the Red Hat build of Trustee Operator deployed in a separate, trusted environment. The workload is executed within a CVM operating inside a TEE, benefiting from the encrypted memory and integrity guarantees provided by the TEE. Red Hat build of Trustee agents that reside within the CVM perform attestation and acquire requisite secrets, safeguarding the security and confidentiality of your data.
Next steps
To deploy confidential containers on your Azure Red Hat OpenShift cluster, see the following articles: