The Confidential Clusters project integrates confidential computing technology into Kubernetes clusters.  It's an end-to-end solution that provides data confidentiality on cloud platforms by isolating a cluster from its underlying infrastructure. In a confidential cluster, all nodes run on top of confidential virtual machines (cVM). Before a node can join the cluster and access secrets, the platform and environment's authenticity are verified through remote attestation. This process involves communication with a trusted remote server.

Confidential Clusters enables you to use Red Hat OpenShift, a trusted platform to develop, modernize, and deploy applications at scale, and to leverage the convenience and flexibility of cloud services without compromising on data security. This is critical for industries such as financial services, health care, and government that need to adhere to regulatory requirements such as the European Digital Operational Resiliency Act (DORA).

The general availability of OpenShift confidential nodes on cVM is now offered with AMD SEV-SNP and Intel TDX integration on Google Cloud Platform (GCP), as well as with AMD SEV-SNP on Azure in OpenShift version 4.19. Support for Intel TDX on Azure will be available in version 4.20 and above. Additionally, the integration of remote attestation is currently under development and will be included in future OpenShift releases.

It's a complex technology, but that doesn't mean it's complex to set up. Here are three articles to get you started. This is a rapidly developing topic, so stay tuned for more articles in the future.

Running Red Hat OpenShift clusters on confidential nodes

If you're new to confidential computing, then read this introductory article for an explanation of all the most important concepts. Learn about common use cases for confidential clusters, including digital sovereignty in industries like government and finance and secure cloud bursting, for scaling into the cloud for intensive workloads while maintaining hardware-level isolation. If you're looking for specifications about how the components fit together, then the graphs and illustrations in this article are particularly useful to help you visualize what needs to be in place when implementing confidential clusters.

How to set up OpenShift confidential clusters on Microsoft Azure

This guide explains how to deploy a self-managed Red Hat OpenShift Container Platform cluster on Microsoft Azure confidential virtual machines. It assumes familiarity with confidential computing and OpenShift, and focuses on a development or experimental setup rather than production. It guides you through the process of downloading the Red Hat OpenShift client and installer, obtaining a pull secret, and creating a Service Principal in Azure with the Contributor and User Access Administrator roles to ensure that it has the correct permissions to provision resources. In other words, it's everything you need to get started on Azure with Red Hat OpenShift and confidential clusters.

How to install OpenShift with confidential nodes on Google Cloud

The article guides you through installing a Red Hat OpenShift cluster with confidential nodes on Google Cloud, using either AMD SEV-SNP or Intel TDX-enabled confidential virtual machines to provide memory encryption and isolation. It demonstrates how to generate an SSH key for encrypted access, how to obtain a pull secret, and how to configure your local environment for the installation process.

In the configuration file, you can assign confidential machine types and appropriate settings (such as secure boot, type, and the confidential compute mode) for all cluster nodes, ensuring your workloads are shielded from external actors and even the infrastructure provider. The article shows you how to verify a node's confidentiality by inspecting system logs for AMD SEV-SNP or Intel TDX features, and then shows you how to deploy and destroy a cluster.
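The log inspection described above, as an added example that is not code from the article: a small POSIX shell function that classifies a node's confidential-compute mode from kernel log text. On a real node you would feed it the output of `dmesg` (for example via `oc debug node/<node-name>`, an assumed invocation); the sample log lines below are constructed to resemble what the kernel prints on each VM type.

```shell
# Classify a node's confidential-compute mode from kernel log text on stdin.
# Echoes one of: sev-snp, tdx, none. Exit status is 0 when a confidential
# mode was found and 1 otherwise, so it doubles as a readiness check.
# Matching is anchored to the kernel's "Memory Encryption Features active:"
# summary line (and the TDX guest-detection line) so that unrelated mentions
# of SEV or TDX elsewhere in the log do not count.
classify_cc_mode() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -E -q -i 'Memory Encryption Features active:.*SEV-SNP'; then
    echo sev-snp
    return 0
  elif printf '%s\n' "$log" | grep -E -q -i 'tdx: Guest detected|Memory Encryption Features active:.*Intel TDX'; then
    echo tdx
    return 0
  fi
  echo none
  return 1
}

# Constructed sample logs (not captured from real nodes).
SAMPLE_SNP='[    0.000000] Linux version 5.14.0 (constructed sample)
[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'
SAMPLE_TDX='[    0.000000] tdx: Guest detected
[    0.000000] Memory Encryption Features active: Intel TDX'
SAMPLE_PLAIN='[    0.000000] Linux version 5.14.0 (constructed sample)
[    0.000000] Hypervisor detected: KVM'
# SEV-ES without SNP is not what the article checks for and must report none.
SAMPLE_SEV_ES='[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES'

# Demonstration over the constructed samples; "|| true" keeps the script
# going past the expected non-zero status for non-confidential logs.
for sample in "$SAMPLE_SNP" "$SAMPLE_TDX" "$SAMPLE_PLAIN" "$SAMPLE_SEV_ES"; do
  printf '%s\n' "$sample" | classify_cc_mode || true
done
```

On a live cluster, a node that reports `none` should not be trusted to hold confidential workloads, regardless of what the machine type in the install configuration claims.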

Try confidential clusters

Whether or not you work in an industry that mandates confidentiality, usable and transparent encryption matters. Confidential clusters give you the confidence that your data stays encrypted even while it's in use on the cloud. Now is a great time to learn more about it.

About the authors

Nitesh Narayan Lal is a Software Engineering Manager at Red Hat in the Virtualization group.

With more than 20 years in the tech world, Meirav Dean is a passionate and curious leader who constantly stays up-to-date with the latest technology. Through her various management roles, she has developed a strong background in networking, cybersecurity, virtualization, and confidential computing.

As a Senior Manager at Red Hat, Meirav leads a talented engineering group, fostering innovation and driving success. Her expertise, leadership skills, and commitment to continuous learning make her an influential speaker and thought leader in the tech community.