Red Hat supports the CNCF Project to improve container security in Kubernetes

Red Hat has announced that it officially supports a CNCF (Cloud Native Computing Foundation) project whose mission is to improve container security in Kubernetes clusters. To achieve this, the containers have to run on a particular kind of hardware platform. In practice, Red Hat is investing in a relatively new project from the Confidential Computing Consortium, which is in turn supported by the CNCF: Confidential Containers.

This project, also known as the CoCo project, has just released its first version, 0.1.0. That very low number indicates a new technology that is not yet ready for mass adoption or production use; even its documentation is still incomplete. In any case, the idea behind the project is to run containers inside a Trusted Execution Environment (TEE), something most processor architectures have offered for a few years now.

The main point of the project is that running a container inside a TEE limits the communication between that TEE and the host machine, something that cannot be done directly with a conventional container. Running an encrypted virtual machine, by contrast, is already relatively easy and has hardware support from several vendors: AMD's SEV platforms, Intel's SGX, and the more recent TDX, also from Intel.

Therefore, to have workloads running inside trusted execution environments managed by Kubernetes, the CoCo project relies on another technology: Kata Containers, which arose from the merger of Intel Clear Containers and Hyper runV and is supported by the OpenStack Foundation.
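To make the Kata piece concrete, the following is an added example (not taken from the CoCo project or Red Hat) of how a Kubernetes workload is steered onto a Kata runtime backed by a TEE. The handler name `kata-qemu-sev` and the node label `node.example/tee: "sev"` are assumptions chosen for illustration; the CoCo operator installs its own RuntimeClass names, and the TEE does not provide isolation if a pod silently falls back to the ordinary container runtime.

```yaml
# RuntimeClass: tells kubelet to hand pods to the Kata/CoCo handler
# (handler name is assumed for this example; check what the CoCo
# operator actually installed on your cluster).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: confidential-sev
handler: kata-qemu-sev
scheduling:
  # Only schedule onto nodes that carry TEE hardware (assumed label),
  # so the pod cannot land on a node without a confidential runtime.
  nodeSelector:
    node.example/tee: "sev"
overhead:
  # Each pod gets its own lightweight VM; account for that overhead
  # so the scheduler does not overcommit the node.
  podFixed:
    cpu: "250m"
    memory: "160Mi"
---
# Pod: pinned to the confidential RuntimeClass. Without runtimeClassName
# the pod would run as a conventional container with no TEE boundary.
apiVersion: v1
kind: Pod
metadata:
  name: sensitive-worker
spec:
  runtimeClassName: confidential-sev
  containers:
    - name: app
      image: registry.example/sensitive-worker:1.0   # assumed image
      resources:
        limits:
          cpu: "1"
          memory: "512Mi"
```

A quick check after deployment is `kubectl get pod sensitive-worker -o jsonpath='{.spec.runtimeClassName}'` to confirm the class was not dropped by an admission policy or a typo, since an unset value means no TEE at all.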

According to the CoCo project documentation, the tool currently supports five TEE technologies: the AMD and Intel ones already mentioned, and two others from IBM, Protected Execution Facility (PEF) for POWER servers and Secure Execution for z-architecture mainframes. If the initiative is successful, it could well support more architectures in the future.
