Several vendors define a confidential cluster:
- Red Hat: A confidential cluster (CCl) is a cluster of confidential virtual machines, which are considered to be part of a single trust domain.
- Google: Confidential GKE Nodes is built on top of Compute Engine Confidential VM, which encrypts the memory contents of VMs in use. Confidential GKE Nodes can be enabled as a cluster-level security setting or a node pool-level security setting.
- Edgeless Systems (Constellation): Leverages confidential computing to isolate entire Kubernetes clusters from the infrastructure.
A trusted cluster adds end-to-end measurement on top of a confidential cluster:
In the diagram above:
- CCNP calculates measurements at the node, namespace, pod and cluster levels.
- CC Trusted API provides a unified API through which the tenant accesses measurements, event logs and quotes (reports).
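The measurement hierarchy and the event log described above can be shown in a few lines. The block below is an added example, not CCNP or CC Trusted API code. The extend rule it uses is the standard TPM PCR / TDX RTMR one (new = SHA-256(old || digest)); the node, pod, namespace and cluster roll-up scheme, the event log entries, the register values "carried in the quote" and the image digests are all assumptions constructed for illustration. The point a tenant cares about is the first check: an event log is only worth reading if replaying it reproduces the register values in the signed quote, so any edited, dropped or reordered entry must make the check fail.

```python
"""Replay a measurement event log, then roll node/pod/namespace/cluster
measurements up into one value.  Added example; roll-up scheme is assumed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List

REG_BYTES = 32  # width of a SHA-256 PCR bank / TDX RTMR


@dataclass(frozen=True)
class Event:
    """One event-log record: which register it extended and with what data."""
    register: int
    event_type: str
    data: bytes


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM PCR / TDX RTMR extend: new = SHA-256(old || digest)."""
    return hashlib.sha256(register + digest).digest()


def replay(log: Iterable[Event]) -> Dict[int, bytes]:
    """Recompute every register from its event log, starting from all-zero."""
    regs: Dict[int, bytes] = {}
    for ev in log:
        cur = regs.get(ev.register, bytes(REG_BYTES))
        regs[ev.register] = extend(cur, hashlib.sha256(ev.data).digest())
    return regs


def verify_node_log(log: Iterable[Event], quoted: Dict[int, bytes]) -> bool:
    """True only if replaying the log reproduces the registers from the quote.
    An edited, dropped or reordered entry changes the replayed value."""
    replayed = replay(log)
    return all(replayed.get(idx) == val for idx, val in quoted.items())


def digest_set(parts: Iterable[bytes]) -> bytes:
    """Order-independent digest of a set of measurements (sorted, then hashed)."""
    h = hashlib.sha256()
    for p in sorted(parts):
        h.update(p)
    return h.digest()


def node_measurement(quoted: Dict[int, bytes]) -> bytes:
    """Assumed roll-up: hash the quoted registers in index order."""
    h = hashlib.sha256()
    for idx in sorted(quoted):
        h.update(idx.to_bytes(4, "big") + quoted[idx])
    return h.digest()


def pod_measurement(image_digests: Iterable[bytes]) -> bytes:
    """Assumed roll-up: a pod is measured by the digests of its container images."""
    return digest_set(image_digests)


def namespace_measurement(pods: Iterable[bytes]) -> bytes:
    """Assumed roll-up: a namespace is the set of its pod measurements."""
    return digest_set(pods)


def cluster_measurement(nodes: Iterable[bytes], namespaces: Iterable[bytes]) -> bytes:
    """Assumed roll-up: cluster = SHA-256(node set digest || namespace set digest)."""
    return hashlib.sha256(digest_set(nodes) + digest_set(namespaces)).digest()


# Constructed sample input (not a real log): boot components extended into
# registers 1..3, mirroring how a TDX guest extends RTMR1/RTMR2/RTMR3.
NODE_LOG: List[Event] = [
    Event(1, "EV_EFI_BOOT_SERVICES_APPLICATION", b"shim-15.8"),
    Event(2, "EV_IPL", b"vmlinuz-6.5.0-cc"),
    Event(2, "EV_IPL", b"initrd.img-6.5.0-cc"),
    Event(3, "EV_IPL", b"root=/dev/vda2 console=ttyS0"),
]
# Constructed: the register values a quote for this node would carry.
QUOTED_REGISTERS = replay(NODE_LOG)
# Constructed: the same log with the kernel command line altered after the fact.
TAMPERED_LOG = NODE_LOG[:-1] + [
    Event(3, "EV_IPL", b"root=/dev/vda2 console=ttyS0 init=/bin/sh")]
# Constructed image digests for two pods in one namespace.
POD_A = pod_measurement([hashlib.sha256(b"registry/app:1.0").digest()])
POD_B = pod_measurement([hashlib.sha256(b"registry/sidecar:2.1").digest(),
                         hashlib.sha256(b"registry/app:1.0").digest()])


def example_cluster() -> bytes:
    """Roll one verified node and one namespace up into a cluster measurement."""
    if not verify_node_log(NODE_LOG, QUOTED_REGISTERS):
        raise ValueError("node event log does not match quoted registers")
    node = node_measurement(QUOTED_REGISTERS)
    ns = namespace_measurement([POD_A, POD_B])
    return cluster_measurement([node], [ns])


if __name__ == "__main__":
    print("node log verifies:", verify_node_log(NODE_LOG, QUOTED_REGISTERS))
    print("tampered log verifies:", verify_node_log(TAMPERED_LOG, QUOTED_REGISTERS))
    print("cluster measurement:", example_cluster().hex())
```

Two design points carry over to a real verifier regardless of the roll-up scheme: the register values must come from the quote (which the platform signs), never from the event log itself, and set-level digests (namespace, cluster) must be order-independent so that the same workload always yields the same reference value.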
| | Google GKE | Azure AKS |
|---|---|---|
| Resource | N2D (AMD EPYC) / C3 (Intel Sapphire Rapids) | DCasv5/ECasv5 (AMD), DCesv5/ECesv5 (Intel) |
| OS | CentOS / Container-Optimized OS / Debian / Fedora / RHEL / ... | Ubuntu Server 22.04 LTS / SUSE Linux Enterprise Server / Red Hat Enterprise Linux |
| CPU Accelerator | AMX | AMX |
| Full Disk Encryption | Yes | Yes |
| Key | customer-managed encryption keys (CMEK) | PMK (platform-managed key) and CMK (customer-managed key) |
| Attestation | Google-managed vTPM | Microsoft Azure Attestation / Intel Trust Authority |
| Tutorial | Here | here |
There are three options for creating a confidential cluster:
- Create a few confidential VMs (CVMs) and deploy Kubernetes inside them. The CVMs can run on local hosts if you have supported hardware, or be requested from a CSP. The document csp_cvm.md shows how to create a TD (TDX trust domain) on Google Cloud or Azure and start a single-node Kubernetes cluster inside it.
- Create Confidential GKE Nodes on Google Cloud.
- Create a Constellation-based confidential cluster on top of a TDX machine. Follow the steps here to deploy the cluster.
Find details in the deployment guide.