Hands-on workshop

Virtual

What happens in the Pod stays in the Pod: Confidential containers on OpenShift

Data at rest and in transit are solved; data in use is not. This session covers Confidential Containers (CoCo) on OpenShift with Intel TDX, and demonstrates why a host-level attacker can't read confidential data sitting in pod memory.

Jun 24, 2026


90 mins

Traditional data protection methods secure data at rest (disk encryption) and in transit (network encryption). However, the critical phase of data in use, when data is held in memory and being processed, remains exposed to the infrastructure operator. This presentation introduces Confidential Computing (CC) as the solution to that gap.

CC leverages hardware-backed Trusted Execution Environments (TEEs) from major vendors like Intel and NVIDIA to create isolated, secure spaces. These TEEs guarantee data confidentiality, data integrity, and code integrity, ensuring that even the system administrator cannot access sensitive information during processing.

The talk outlines Red Hat's comprehensive strategy for adopting CC within OpenShift, covering:

  • Confidential Workloads: Utilizing tools like Podman for existing containerized applications.

  • Confidential Containers (CoCo): Standardizing CC for cloud-native environments, including advancements like Peer Pods.

  • Confidential Virtualization: Enabling the deployment of confidential virtual machines via RHEL and OpenShift Virtualization.

Register for the workshop