Manage and scale Confidential Containers

Contrast integrates Confidential Containers, based on Kata Containers, seamlessly with existing managed Kubernetes platforms, adding a layer of confidential computing without disrupting workflows.

Deploy and manage confidential containers with ease

Confidential Containers

Containers run in confidential micro VMs based on AMD SEV and Intel TDX, keeping all data encrypted during processing.


Compatible with managed Kubernetes, Contrast can be installed as a day-2 operation in existing clusters.

Remote attestation

Contrast provides one succinct attestation statement for your deployment, proving that your deployment adheres to a given manifest.

Identity and Key Management

Contrast securely manages keys for your containers, provisions certificates, and sets up transparent mTLS connections between them.

How Contrast works

Contrast secures applications by running containers within confidential micro VMs, offering stringent protections like runtime encryption and remote attestation. This approach safeguards data integrity and confidentiality.

Once installed into your Kubernetes cluster, Contrast serves as a slim but effective isolation layer, allowing native Kubernetes orchestration of your confidential containers with minimal DevOps involvement. This setup maintains the operational model of managed Kubernetes services while Contrast ensures the confidentiality and integrity of your containers.

With its rigorous runtime policy enforcement, Contrast provides refined access control, suitable for multi-party scenarios and for securing data even against your own Kubernetes administrators.

Easy to use and integrate

Contrast comes with an easy-to-use CLI. It can be installed within minutes into a Kubernetes cluster that supports confidential containers.

The CLI synthesizes a manifest from your Kubernetes YAML file. This manifest is then enforced by Contrast's in-cluster attestation service.

Once configured, you can manage your application with Kubernetes as usual. Contrast independently ensures the integrity and confidentiality of your containers and of the entire distributed application.

The benefits of Contrast

Migrate sensitive workloads to the cloud

Contrast creates confidential containers for applications, safeguarding them from unauthorized access and threats, even in shared cloud environments. This ensures that sensitive operations can be migrated to the cloud without compromising security.

Make your SaaS more trustworthy

Contrast introduces a trust model that distinctly separates your applications from cloud service providers, ensuring operational integrity and data privacy. Furthermore, Contrast supports enforcing strict runtime policies through cryptographic verification. This ensures that only authorized users can access sensitive operations.

Simplify regulatory compliance

Designed to meet stringent regulatory requirements, Contrast facilitates compliance with laws and standards such as GDPR and DORA. Its foundation in confidential computing makes it simpler for organizations to adhere to compliance mandates, ensuring that sensitive data is handled securely in the cloud.

Contrast works with Azure Kubernetes Service (AKS)

With Contrast, you get end-to-end confidential computing for your cloud-native application, while enjoying the benefits of managed Kubernetes. The Kubernetes control plane and the rest of the infrastructure remain outside the trusted computing base (TCB).

Contrast works with the managed Azure Kubernetes Service (AKS). Support for other platforms, like AWS EKS and GCP GKE, will be added once these support confidential containers.

Is Contrast the right choice for my project?

Contrast is a tool for customers who want to use confidential computing with managed Kubernetes offerings, face multi-party use cases, or exclude their own administrators from the application data. They do not shy away from handling confidential container deployments and writing app-specific manifests.

If your goal is to shield the entire Kubernetes cluster with zero changes, our product Constellation may be the better choice.
