The Confidential Containers project aims to introduce Confidential Computing into the kubernetes ecoystem. The premise is lift-and-shift: Users should be able to move their k8s apps into a TEE with little effort and the need make adjustments to their apps.

This means we are faced with a unique challenge to perform attestation of an application in such an environment. The TCB of a Confidential Containers stack contains a linux kernel for a utility VM and a container runtime in userland. In kubernetes Pods are a set of colocated containers that are spawned and managed in a highly dynamic Sandbox, driven by imperative APIs and subject to multiple hard-to-predict factors during their lifecycle.

We will discuss the approach that the project has taken to provide Attestation for Confidential Container Workloads (Launch Measurements, Measured Boot, Container Runtime Policies) and where they still fall short in terms of usability and security.