Confidential containers on Azure Kubernetes Service (AKS), leveraging the Kata confidential containers open-source project, is now in public preview. It enables you to run individual pods in their own trusted execution environment (TEE) with hardware-based confidentiality and integrity protections for your container workloads while in use in memory.
Confidential containers on AKS is supported as a new SKU that you can select when deploying your workload and will provide you with the following benefits for workloads processing highly sensitive data:
-
Ability to lift and shift workloads to a confidential environment without needing to take any dependencies on any confidential computing libraries.
-
In-memory encryption of data with a hardware based dedicated key per container group helping to guard against attacks from malicious OS or hypervisor components, and even your own tenant administrators.
-
Support for remote attestation to enable a relying party to verify that a service is running in a TEE before processing any sensitive data. As part of confidential containers on AKS, an agent will validate the authenticity of the hardware and application components which can be verified through a remote attestation service before any sensitive data is released to the TEE.
To learn more, read the blog announcement.