Blog
Manage and scale Confidential Containers
Moritz Eckert
As the cloud computing landscape evolves, the need for enhanced security, paired with scalability, is increasingly paramount. At Edgeless Systems, we've tackled this challenge head-on. As we identified the absence of a production-ready management tool for confidential containers, through our work on Confidential Containers (CoCo), we created Contrast—a solution for simplifying the deployment of confidential containers in production environments. In this blog post, we explore its genesis, capabilities, and differences compared to our existing product, Constellation.
Our experiences with CoCo highlighted the challenges in deploying and managing confidential containers at scale. While our other product, Constellation, successfully isolated Kubernetes (K8s) clusters using confidential VMs (CVMs), it treated the cluster as a monolithic entity, which, while secure, lacked the flexibility some of our clients desired. Recognizing this, we saw a clear need for a solution that integrated with existing Kubernetes platforms and provided fine-grained control over the confidentiality of individual container deployments.
Contrast bridges this gap by integrating confidential containers with managed Kubernetes services, allowing users to deploy and manage confidential containers without altering their existing workflows.
By isolating each container within its own confidential micro-VM environment, it adds a layer of confidentiality to containers with minimal modifications required from the user, effectively isolating individual workloads from the rest of an untrusted cluster. This means that while the control plane and other aspects of the cluster remain outside the trust boundary, the data and applications within each confidential container are fully secured. For the data in-transit, Contrast provides transparent network encryption between the containers. Furthermore, it provides one succinct attestation statement for your deployment, proving that your deployment adheres to a given manifest.
The Contrast command-line interface (CLI) is used by the workload owner to manage a Contrast deployment. In the first step, the CLI is used to generate execution policies for workloads to be deployed. The execution policies capture what actions the control plane can do inside the confidential pod. While some actions must remain allowed for Kubernetes orchestration to work, policies restrict access to the pod and pin the exact workload that can run inside the pod. The Contrast CLI adds the generated policies as annotations to the Kubernetes YAML.
The policy hashes of your deployment are captured in a manifest file, along with the reference values of CVMs where your workload is expected to run. The manifest configures the Contrast Coordinator, which is the central attestation and enforcement component of a Contrast deployment. The Coordinator itself runs as part of the deployment inside a CVM in your cluster, and it is attested by the CLI when setting the manifest.
Based on the manifest, the Coordinator will attest the workloads of the deployment. It will verify the attestation report of the CVM a workload is running in and, if the verification succeeds, issue a certificate for the pod. To facilitate the attestation and certificate pulling, Contrast comes with an InitContainer that can be added to your workload pod. In this way, your workload can stay untouched. The certificates issued by the Coordinator can be used for secure communication between different pods of a deployment, using mTLS. Contrast has a drop-in service mesh solution for this.
To verify the state of a deployment, the verifying party requests the attestation report of the Coordinator and the configured manifest that is enforced. If the verification succeeds, the root certificate of the Coordinator can be used to establish a secure connection to the workload.
While both Contrast and Constellation provide comprehensive solutions for confidential computing, they cater to different needs. Constellation encrypts entire Kubernetes clusters, offering a "lift and shift" approach for users seeking to protect their entire infrastructure with minimal effort. In contrast ;-), Contrast adopts a more granular approach by securing individual container deployments. This not only provides greater flexibility but also ensures that each container's security is independently managed and attested, offering a more tailored and secure solution for applications requiring the highest levels of data protection.
Contrast represents the next step in the evolution of confidential computing. By offering a solution that combines the ease of use of managed Kubernetes services with the security of confidential containers, we're enabling organizations to deploy confidential applications at scale with unprecedented ease and flexibility. Whether you're an existing user of Constellation looking for more granular control or new to the world of confidential computing, Contrast provides a robust, scalable, and secure platform for your needs.
Getting started with Contrast is straightforward. It seamlessly integrates with Azure Kubernetes Service (AKS).
Our CLI equips you with the essential tools needed to elevate your existing deployments into the realm of confidential computing. By managing attestation and operations specific to confidential containers, the Contrast CLI simplifies the process, ensuring that the rest of your workflow remains aligned with standard Kubernetes practices.
While our initial focus is on Azure-only integration, plans are already in motion to extend Contrast’s capabilities to other major platforms, including Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS).
For more info on Contrast, you can visit our product page, watch the talk at OC3 2024 on our YouTube channel, or schedule a call with our experts.
Author: Moritz Eckert
