Trust No One - Bringing Confidential Computing to Containers

Explore confidential computing for containers in this 27-minute conference talk from KubeCon + CloudNativeCon North America 2021. Delve into the challenges of protecting container data and code in multi-tenant cloud environments. Learn about Trusted Execution Environments (TEEs) and their role in safeguarding cloud assets at rest, in transit, and during use. Discover how emerging hardware technologies enable tenants to maintain exclusive trust. Examine cloud native gaps in supporting confidential computing, including memory encryption, authenticated launch, and application attestability. Understand how secure container runtimes like Kata can address these challenges. Gain insights into a proposed software architecture for implementing confidential computing in cloud native workloads. Cover topics such as the existing trust computing base, data protection methods, software stack verification, hardware and software dependencies, and potential blockers. Explore solutions like KATA Containers and service offload, and understand their implications for users. Conclude with a summary of the current gaps and future directions in confidential computing for containers.

Introduction
Existing Trust Computing Base
What is Trust No One
How do we get there
Protecting data
Verifying software stack
Hardware dependencies
Software dependencies
Blockers
Solutions
KATA Containers
Service Offload
Walkthrough
What does this mean for the user
Gaps
Summary