Features

Primitives provided by Confidential Containers

In addition to running pods inside enclaves, Confidential Containers provides several other features that can be used to protect workloads and data. Securing complex workloads often requires combining several of these features.

Most features depend on attestation, which is described in the next section.

Get Attestation

Workloads that request attestation evidence

Get Secret Resources

Workloads that request resources from Trustee

Signed Images

Procedures to generate and deploy signed OCI images with CoCo

Encrypted Images

Procedures to encrypt and consume OCI images in a TEE

Authenticated Registries

Use private OCI registries

Sealed Secrets

Generate and deploy protected Kubernetes secrets

Init-Data

Use Init-Data to inject dynamic configurations for Pods

Image Pull Proxy

Pull containers from self-hosted registries

Local Registries

Pull containers from self-hosted registries

Protected Storage

Add protected volumes to a pod

Last modified November 8, 2024: docs: new structure for docs (b121158)