Home
Technology
Try CC!

Kubernetes

Kubernetes has faced criticism for weak container isolation, making it vulnerable to attacks due to inadequate patch management. This compromises node, pod, and workload isolation, posing concerns for Cloud Service Providers. Demonstrations have shown adversaries breaching the virtualization perimeter and compromising all virtualized nodes.

To address these issues, enclaive introduces Confidential Kubernetes (cK8s), which ensures fine-grained confidentiality by protecting workloads with encrypted, attested containers. The solution incorporates user-friendly Confidential Containers and a vault running in an enclave, simplifying deployment and management. Customers are responsible for their own Confidential Vault and Containers within a secure enclave-supported K8s cluster. Ownership verification of containers requires validating MRENCLAVE and MRSIGNER attributes for enhanced security.

Issues

Kubernetes poses two primary concerns for application confidentiality: security and privacy.

Security

Kubernetes has faced significant criticism regarding its container isolation capabilities, which are considered weak. This vulnerability has made it susceptible to various attacks, particularly when adversaries exploit container vulnerabilities due to inadequate patch management. As a result, Kubernetes' security model allows for the contamination of both the node and all its associated pods. This issue is particularly concerning for Cloud Service Providers (CSPs) who virtualize compute resources, as the isolation of nodes and clusters and customers' workloads is also compromised. Recent demonstrations have shown that adversaries can breach the virtualization perimeter, take control of the underlying bare metal machine, and infiltrate all virtualized nodes. Consequently, there is a pressing need to strengthen the isolation measures against these aforementioned threats.

Privacy

Another critique levelled against Kubernetes is its lack of privacy, which is a critical requirement in various regulated industries such as healthcare, pharmaceuticals, finance, and the public sector. Compliance with regulatory standards necessitates the isolation of workloads from the underlying CSP infrastructure to safeguard data and ensure secure data processing.

Solution

In response to these concerns, enclaive has introduced Confidential Kubernetes (cK8s), aiming to protect customers' workloads with the utmost precision. This solution focuses on achieving fine-grained confidentiality by safeguarding the workload at the level of confidential containers running within a pod.

Drawing
Example: Confidential Kubernetes (cK8s) using Intel SGX

Enclaive's Confidential Kubernetes cluster has been meticulously designed to simplify the deployment of confidential workloads while ensuring straightforward operation and management. Our primary objective was to incorporate existing tools, best practices, and the workflows DevOps professionals and engineers utilize in their day-to-day operations while minimizing the complexities associated with hardware secure enclaves. The fundamental components of this solution are as follows:

Confidential Containers

Similar to standard Docker containers, Confidential Containers are accompanied by a user-friendly build description language and inherit the ease of deployment. However, they possess additional capabilities by default, as they are ready for hardware secure enclave. This means that the applications within these containers are encrypted in memory, can be attested for verification, and offer provisional functionalities.

Confidential Vault

At the core of the cK8s cluster lies the Confidential Vault. Running within an enclave empowers developers to generate, manage, and provision environments, keys, and certificates for attested confidential containers. The Confidential Vault utilizes the HashiCorp Vault engine within an hardware secure enclave and incorporates essential functionalities such as attestation and secret key provisioning protocols.

To ensure simplicity for our customers (engineers, DevOps), we have adopted the following role model:

The Cloud Service Provider (CSP) offers a K8s cluster with hardware secure enclave support, comprising:

  • Kubernetes nodes equipped with hardware secure enclave drivers

  • Access to the Provisioning Certification Service (PCS) through the Datacenter Provisioning Certification Caching Service (PCCS)

The customer's responsibilities include:

  • Building, deploying, and provisioning their own Confidential Vault within the cluster

  • Building, deploying, and provisioning their own Confidential Containers within the cluster

  • Any additional requirements typical in a non-enclaved setting

It is important to note that for customers to claim ownership of a container, they must possess the capability to verify the secure attributes, which are integral to the security of the solution.

Last updated