edgelesssys / contrast

Deploy and manage confidential containers on Kubernetes
https://docs.edgeless.systems/contrast
GNU Affero General Public License v3.0
200 stars 8 forks source link

Contrast

Contrast

Contrast runs confidential container deployments on Kubernetes at scale.

Contrast is based on the Kata Containers and Confidential Containers projects. Confidential Containers are Kubernetes pods that are executed inside a confidential micro-VM and provide strong hardware-based isolation from the surrounding environment. This works with unmodified containers in a lift-and-shift approach. Contrast currently targets the CoCo preview on AKS.

Concept

Goal

Contrast is designed to keep all data always encrypted and to prevent access from the infrastructure layer. It removes the infrastructure provider from the trusted computing base (TCB). This includes access from datacenter employees, privileged cloud admins, own cluster administrators, and attackers coming through the infrastructure, for example, malicious co-tenants escalating their privileges.

Contrast integrates fluently with the existing Kubernetes workflows. It's compatible with managed Kubernetes, can be installed as a day-2 operation and imposes only minimal changes to your deployment flow.

Use cases

Features

🔒 Everything always encrypted

🔍 Everything verifiable

🏝️ Everything isolated

🧩 Lightweight and easy to use

Documentation

To learn more, see the documentation. You may want to start with one of the following sections.

Known limitations

See the current list of known limitations in the documentation.

Upcoming Contrast features

Contributing

See the contributing guide. Please follow the Code of Conduct.

Support