C8s: A Confidential Kubernetes Architecture

4 hours ago
  • #confidential computing
  • #TEE attestation
  • #Kubernetes security
  • C8s is a confidential computing architecture for Kubernetes using hardware Trusted Execution Environments (TEEs) like AMD SEV-SNP, Intel TDX, and NVIDIA Confidential Computing.
  • It provides cryptographically verifiable confidentiality, integrity, and verifiability guarantees for Kubernetes clusters, even against infrastructure operators.
  • The architecture is compatible with managed Kubernetes services (e.g., Amazon EKS, Google GKE, Microsoft AKS) where the control plane cannot be attested.
  • Data and artifact owners can deploy sensitive workloads and proprietary artifacts on third-party infrastructure without risk of exfiltration.
  • Compute providers can offer execution services without revealing workloads to cloud operators, and end users can submit requests opaque to all parties except the attested TEE.