You encrypted the disk. You enabled TLS. You stored your secrets in a KMS. But what if a cloud provider administrator, a compromised hypervisor, or a malicious insider could directly read your virtual machine's memory?
This isn't a hypothetical threat. On public clouds, your workload's memory has never truly been "private" to someone with sufficient permissions. Traditional security models implicitly trust the underlying infrastructure — and in the age of AI and sensitive data processing, that assumption is becoming increasingly dangerous.
The Confidential Containers (CoCo) project is breaking that assumption.
Introduction: The Three States of Data Security
The security world has a classic "three states of data" framework:
| State | Protection | Maturity |
|---|---|---|
| Data at Rest | Disk encryption (LUKS/KMS) | ✅ Mature |
| Data in Transit | TLS/mTLS | ✅ Mature |
| Data in Use | Hardware TEE | 🔧 Maturing in 2026 |
The first two pieces have mature solutions. But data actively being processed in memory has long been a gap. CoCo fills it.
Part 1: Hardware TEE — Not Even the Hypervisor Is Trusted
The core of Confidential Computing is the Trusted Execution Environment (TEE) — not software-level encryption, but CPU hardware-level memory protection.
Three Major TEE Technologies
Intel TDX (Trust Domain Extensions), supported from 4th Gen Xeon. Partitions VMs into Trust Domains with MKTME (Multi-Key Total Memory Encryption). Even if the hypervisor is fully compromised, data inside a TD cannot be read.
AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging), supported from AMD EPYC Milan. Each VM uses independent memory encryption keys; SPT (Secure Page Table) prevents memory remapping attacks.
IBM Secure Execution (s390x): The entire VM is contained in an encrypted image — even hypervisor administrators can't access it.
Key insight: These aren't "better software encryption." This is trust reconstruction at the CPU design level. Your code runs in a hardware-protected zone that not even the operating system kernel can fully control.
Part 2: CoCo Architecture — Where to Draw the Trust Boundary
CNCF's Confidential Containers project seamlessly integrates TEE capability with Kubernetes. The key architectural decision: build TEE protection at the Pod boundary (Pod-Centric).
┌─────────────────────────────────────────────────────┐
│ Kubernetes Node (UNTRUSTED host) │
│ │
│ kubelet → containerd → kata-shim → hypervisor │
│ │
│ ┌─────────────────────────────────────────────┐ │
│ │ PodVM / TEE Enclave (TRUSTED) │ │
│ │ │ │
│ │ kata-agent → pod │ │
│ │ image-rs → fetch/decrypt images │ │
│ │ CDH → retrieve secrets │ │
│ │ AA → generate TEE attestation │ │
│ └─────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
│ KBS Protocol (TLS + attestation)
▼
┌─────────────────────────────────────────────────────┐
│ Trustee (deployed in trusted env) │
│ KBS (key broker) → AS (attestation verifier) → RVPS │
└─────────────────────────────────────────────────────┘
The revolutionary premise: the Kubernetes control plane (Kubelet/containerd/API Server) is considered untrusted.
Yes — even the Kubelet you deployed yourself is not trusted in CoCo's threat model. Only the TEE hardware interior is "trusted." This is a more radical zero-trust model.
Container Image Pulls Happen Inside the TEE
Traditional container runtimes pull images on the host and then mount them to containers, exposing image contents to the untrusted host. CoCo fundamentally changes this:
Traditional (dangerous):
Host → containerd pulls → filesystem forwarded to Guest
CoCo (secure):
kubelet → containerd → nydus-snapshotter
↓ (skip local pull, forward to Guest)
image-rs (inside TEE)
↓
OCI Registry (encrypted image)
↓
Verify signature + decrypt (key from KBS, requires attestation)
↓
Unpack image layers inside TEE
Image contents never appear in untrusted host memory.
Part 3: Remote Attestation — Proving "I Am Who I Say I Am"
This is CoCo's most elegant mechanism — Remote Attestation.
Imagine you have encrypted secrets (DB passwords, API keys) and you only want to release them to "a workload genuinely running inside a TDX TEE with the expected code." How do you verify this? You let the TEE hardware vouch for itself.
The KBS Protocol Attestation Flow
1. Workload → CDH: request secret
2. CDH → AA: initiate attestation
3. AA → TEE hardware: obtain raw Evidence (TDX Quote / SNP Report)
4. AA → KBS: POST /kbs/v0/auth (get challenge nonce)
5. AA → KBS: POST /kbs/v0/attest (Evidence + EK public key + nonce sig)
6. KBS → AS: verify Evidence
7. AS → RVPS: compare reference values ("is this the expected code?")
8. AS → KBS: output EAR attestation token
9. KBS: evaluate OPA policy ("attestation passed, but does this Pod have permission?")
10. KBS → CDH: encrypted secret (encrypted with EK public key)
11. CDH decrypts → workload
Security properties: nonce prevents replay attacks; ephemeral EK key pairs provide forward secrecy; hardware-signed Evidence cannot be forged.
Part 4: Getting Started — Running a Confidential Pod on Kubernetes
Install CoCo Runtime (Helm)
helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
--namespace coco-system \
--create-namespace \
--version 0.18.0
kubectl get runtimeclass
Available RuntimeClasses:
| RuntimeClass | Purpose |
|---|---|
kata-qemu-tdx |
Intel TDX (bare metal) |
kata-qemu-snp |
AMD SEV-SNP (bare metal) |
kata-qemu-nvidia-gpu-tdx |
TDX + GPU (AI training) |
kata-remote |
Peer Pods (cloud CVM) |
kata-qemu-coco-dev |
Dev/test (no security guarantee) |
Your First Confidential Pod
apiVersion: v1
kind: Pod
metadata:
name: confidential-app
spec:
runtimeClassName: kata-qemu-tdx # Use Intel TDX
containers:
- name: app
image: myregistry.io/myapp:v1.0@sha256:<digest> # Pin by digest
resources:
requests:
memory: "512Mi"
cpu: "500m"
Part 5: Use Cases and Maturity Assessment
Best-fit scenarios for CoCo:
- Healthcare data processing (HIPAA/GDPR compliance, multi-tenant)
- Financial risk models (IP protection + data privacy)
- Federated learning nodes (each party's data never exposed to the coordinator)
- Crypto/key management (protection against cloud provider insider threats)
- Confidential multi-party computation
Current limitations (2026):
- Hardware requirements: 4th Gen Intel Xeon or AMD EPYC Milan minimum
- Performance overhead: 30–60s extra startup, 5–15% CPU overhead from memory encryption
- Debugging challenge:
kubectl execis blocked by design - Ecosystem still maturing: support varies across cloud providers
Conclusion: The Age of Trust Reconstruction Has Arrived
CoCo isn't "adding a protection layer on top of existing systems" — it's redefining what "trusted computing" means at the threat model level.
As increasing amounts of sensitive data flow through GPU clusters in the AI era, Confidential Computing will evolve from a niche security requirement to a mainstream infrastructure standard. In 2026, CoCo sits at the critical inflection point from beta to production readiness. If your business handles sensitive data processing, now is the time to start evaluating this technology.
Key numbers: Intel TDX is fully supported across AWS/Azure/GCP. CoCo v0.18 supports K8s 1.29+. GPU TEE support (TDX + NVIDIA H100) entered Beta in late 2025.
References: CNCF Confidential Containers official docs, RATS RFC 9334, Trustee GitHub, Kata Containers documentation
Top comments (0)