Introduction to Confidential Kubernetes

STACKIT Confidential Kubernetes is a scalable, self-managed confidential computing platform allowing customers to easily provision and manage containerized applications in a cluster shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. The encryption can be proven to third parties.

Protecting containerized workload from unauthorized third party access

Completely encrypt and isolate your containerized Kubernetes workloads and control plane, increasing the overall security and preventing unauthorized third party access.

Moving sensitive workloads from on-prem to the cloud

Protecting your data from unauthorized access with STACKIT Confidential Kubernetes allows you to migrate even sensitive workloads to the cloud. The STACKIT Cloud turns into your Private Cloud.

Remote attestation of encryption and isolation of data allows you to prove that you meet regulatory requirements.

STACKIT Confidential Kubernetes is based on the Kubernetes engine Constellation provided by Edgeless Systems. Customers can create and operate self-managed Kubernetes clusters, offering the following security features:

  • Runtime encryption: Constellation runs all Kubernetes nodes inside STACKIT Confidential Virtual Machines (CVMs). This setup ensures runtime encryption for the entire cluster.
  • Network and storage encryption: Constellation augments this with transparent encryption of the network and storage. Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
  • Transparent key management: Constellation manages the corresponding cryptographic keys inside CVMs.
  • Node attestation and verification: The integrity of each new CVM-based node is verified using remote attestation. Only “good” nodes receive the cryptographic keys required to access the network and storage of a cluster.
  • “Whole cluster” attestation: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified.
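To make the "only good nodes receive keys" rule concrete, here is an added simulation of attestation-gated key release; it is constructed for this page and is not Constellation or STACKIT code. It assumes a join service that holds the cluster key and an allowlist of expected node measurements, and it stands in for the CVM's hardware attestation signature with an HMAC under a constructed key (real CVMs use asymmetric hardware-signed reports).

```python
"""Constructed simulation of attestation-gated key release (not Constellation code)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Stand-in for the CVM hardware attestation key; real platforms use an asymmetric key.
HARDWARE_KEY = b"constructed-cvm-attestation-key"


def measure(image: bytes) -> str:
    """Measurement of a node image: hash of its contents, hex-encoded."""
    return hashlib.sha256(image).hexdigest()


def make_report(measurement: str, nonce: bytes) -> dict:
    """Node side: attestation report over the measurement, bound to the verifier's nonce."""
    body = json.dumps({"measurement": measurement, "nonce": nonce.hex()}, sort_keys=True)
    sig = hmac.new(HARDWARE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class JoinService:
    """Holds the cluster key and releases it only to attested, expected nodes."""

    def __init__(self, expected_measurements: set):
        self.expected = expected_measurements
        self.cluster_key = secrets.token_bytes(32)

    def challenge(self) -> bytes:
        """Fresh nonce so a captured report cannot be replayed later."""
        return secrets.token_bytes(16)

    def release_key(self, report: dict, nonce: bytes) -> Optional[bytes]:
        """Return the cluster key only if the report is authentic, fresh and allowlisted."""
        expected_sig = hmac.new(HARDWARE_KEY, report["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, report["sig"]):
            return None  # forged or tampered report
        body = json.loads(report["body"])
        if body["nonce"] != nonce.hex():
            return None  # stale or replayed report
        if body["measurement"] not in self.expected:
            return None  # unknown or modified node image
        return self.cluster_key


GOOD_IMAGE = b"constructed-node-image-v1"  # constructed sample image content
service = JoinService({measure(GOOD_IMAGE)})


def join(image: bytes) -> bool:
    """Full join attempt for a node running `image`; True if it received the key."""
    nonce = service.challenge()
    return service.release_key(make_report(measure(image), nonce), nonce) is not None
```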

The security features are complemented by Constellation's DevOps features, such as high availability, day-2 operations (upgrades and recovery), and Infrastructure as Code.

  • You can easily protect containerized workloads from unauthorized access and prevent data leaks.
  • You can move sensitive containerized workloads from on-prem to the cloud with little effort, turning the public cloud into a private cloud.
  • You can increase the trustworthiness of your SaaS offering running on STACKIT.
  • You can prove that you meet regulatory or compliance requirements for data protection.