
Contrast

Manage and scale Confidential Containers


Contrast integrates Confidential Containers, based on Kata Containers, seamlessly with existing managed Kubernetes platforms, adding a layer of confidential computing without disrupting workflows.

Deploy and manage confidential containers with ease

Confidential Containers


Containers run in confidential micro VMs based on AMD SEV and Intel TDX, keeping all data encrypted during processing.

Lightweight


Compatible with managed Kubernetes, Contrast can be installed as a day-2 operation in existing clusters.


Remote attestation


Contrast provides one succinct attestation statement for your deployment, proving that your deployment adheres to a given manifest.

Identity and Key Management


Contrast securely manages keys for your containers, provisions certificates, and sets up transparent mTLS connections between them.

How Contrast works


Contrast secures applications by running containers within confidential micro VMs, offering stringent protections like runtime encryption and remote attestation. This approach safeguards data integrity and confidentiality.

Once installed into your Kubernetes cluster, Contrast serves as a slim but effective isolation layer, allowing native Kubernetes orchestration of your confidential containers with minimal DevOps involvement. This setup maintains the operational model of managed Kubernetes services while Contrast ensures the confidentiality and integrity of your containers.

With its rigorous runtime policy enforcement, Contrast provides refined access control, suitable for multi-party scenarios and for securing data even against your own Kubernetes administrators.


Easy to use and integrate


Contrast comes with an easy-to-use CLI. It can be installed within minutes into a Kubernetes cluster that supports confidential containers.

The CLI synthesizes a manifest from your Kubernetes YAML file. This manifest is then enforced by Contrast's in-cluster attestation service.

Once configured, you can manage your application with Kubernetes as usual. Contrast independently ensures the integrity and confidentiality of your containers and of the entire distributed application.

The benefits of Contrast



Migrate sensitive workloads to the cloud


Contrast creates confidential containers for applications, safeguarding them from unauthorized access and threats, even in shared cloud environments. This ensures that sensitive operations can be migrated to the cloud without compromising security.


Make your SaaS more trustworthy


Contrast introduces a trust model that distinctly separates your applications from cloud service providers, ensuring operational integrity and data privacy. Furthermore, Contrast supports enforcing strict runtime policies through cryptographic verification. This ensures that only authorized users can access sensitive operations.


Simplify regulatory compliance


Designed to meet stringent regulatory requirements, Contrast facilitates compliance with laws and standards such as GDPR and DORA. Its foundation in confidential computing makes it simpler for organizations to adhere to compliance mandates, ensuring that sensitive data is handled securely in the cloud.


Contrast works with Azure Kubernetes Service (AKS)


With Contrast, you get end-to-end confidential computing for your cloud-native application, while enjoying the benefits of managed Kubernetes. The Kubernetes control plane and the rest of the infrastructure remain outside the trusted computing base (TCB).

Contrast works with the managed Azure Kubernetes Service (AKS). Support for other platforms, like AWS EKS and GCP GKE, will be added once these support confidential containers.


Watch our presentation at OC3 about Contrast


Learn more about the conceptualization and the technical details of the all-in-one Confidential Containers platform, including a demo, from our Chief Architect Moritz Eckert and Security Software Engineer Paul Meyer.

Is Contrast the right choice for my project?

Contrast is a tool for customers who want to use confidential computing with managed Kubernetes offerings, face multi-party use cases, or exclude their own administrators from the application data. They do not shy away from handling confidential container deployments and writing app-specific manifests.

If your goal is to shield the entire Kubernetes cluster with zero changes, our product Constellation may be the better choice.

FAQ

Which Kubernetes distributions are supported by Contrast?

Contrast supports Azure Kubernetes Service (AKS) out of the box. Support for AWS EKS and GCP GKE will be added in the future. For detailed deployment instructions and prerequisites, please refer to the documentation.

What are the infrastructure requirements? Can it run on bare metal?

Contrast requires either AMD SEV-SNP or Intel TDX for operation. It is capable of running on bare metal. To set up a bare-metal instance, ensure that your hardware and firmware support these technologies, and follow the necessary steps for BIOS configuration, kernel installation, and Kubernetes setup.


For comprehensive installation instructions—covering how to download the Contrast CLI, create a cluster, and configure the required environment—please refer to the documentation.

Contrast is open-source, but what is the commercial model?

Contrast is open-source and licensed under the GNU Affero General Public License (AGPL) v3.0. The community edition is free to use, while a commercial license is required for enterprise use, which includes additional features and support. For specific pricing details, please contact us directly.

What’s the difference between Contrast and Constellation? When should I use each?

Contrast is a platform designed for confidential containers, providing isolation for individual workloads. It is intended for users who want to integrate confidential computing with managed Kubernetes offerings, handle multi-party use cases, or restrict access to application data from their own administrators. With Contrast, users are required to define a manifest for their applications, allowing for precise control over their setup.


Constellation is a Kubernetes distribution that isolates entire clusters, providing a standard Kubernetes and DevOps experience. It is best suited for organizations looking to use third-party infrastructure or operate in high-security environments. With Constellation, the complexities of confidential computing are managed for you, allowing users to focus on their applications without dealing with underlying security details.


If your goal is to shield an entire Kubernetes cluster with minimal changes, Constellation is likely the better choice. However, if you need more granular control over workloads and are comfortable writing app-specific manifests, Contrast provides this flexibility.

Do I need to modify my application?

You do not need to modify your application code to deploy on Contrast, but some adjustments to your Kubernetes deployment may be necessary. Contrast is designed for users who want to secure their deployments on managed Kubernetes offerings by integrating confidential computing, and who are comfortable managing confidential container deployments and creating app-specific manifests.

Can I use Contrast with Kubernetes tools like Helm, GitOps, and security, logging, or monitoring tools?

Yes, Contrast integrates seamlessly with Kubernetes tools such as Helm for package management and GitOps tools like ArgoCD and Flux for continuous deployment. You can also use standard security, logging, and monitoring tools within your Kubernetes environment alongside Contrast to enhance observability and security. This compatibility ensures that you can leverage your existing workflows while implementing confidential computing features with Contrast.
