Attestation

The Confidential Containers deployment guide configures your cluster to run workloads in a Confidential Container. To strengthen workload security, configure attestation to verify the guest Trusted Execution Environment (TEE) for the CPU and GPU before secrets are released to a workload.

Attestation is required for any feature that depends on secrets, including:

  • Pulling encrypted container images

  • Accessing authenticated container registries

  • Using sealed secrets

  • Requesting secrets directly from workloads

When a workload requires a secret, such as a key to decrypt a container image or model, guest components collect hardware evidence from the active CPU and GPU enclaves. The evidence is sent to a remote verifier, Trustee, which evaluates the evidence against configured policies and conditionally releases the secret. Trustee is typically deployed in a separate trusted environment that is reachable from your worker nodes over the network.

Note

This page is an educational overview of attestation with Confidential Containers, not a complete configuration guide. The attestation workflow is fully documented in the upstream Confidential Containers documentation, which is the source of truth for setup and configuration details.

Attestation is not required to deploy Confidential Containers, but is required for features that rely on secrets in your cluster.

Prerequisites

  • A Kubernetes cluster configured to deploy Confidential Containers workloads. Refer to the deployment guide for configuration steps.

  • A machine to host the Trustee instance. For production, deploy Trustee in a separate trusted environment. For development, Trustee can run in the same cluster. Trustee does not require Confidential Computing hardware or a GPU.

  • Network connectivity from the worker nodes in your Kubernetes cluster to the Trustee instance.

Configuration Workflow

After you meet the prerequisites, complete the following steps to enable attestation:

  1. Provision Trustee, the remote verifier and key broker, in a trusted environment.

  2. Configure your workloads to point to the Trustee network endpoint.

  3. Optionally, customize attestation workflows for your use cases.

After configuration, the Confidential Containers runtime automatically runs the attestation flow when a workload requires it.

Provision Trustee

Trustee is an open-source framework used in Confidential Containers to verify attestation evidence and conditionally release secrets. For a full overview of attestation with Trustee, refer to the upstream Trustee documentation.

To provision a Trustee instance, follow the recommended upstream Install Trustee in Docker guide.

Note

Guests with many passthrough devices, such as NVIDIA PPCIE GPUs, can produce attestation tokens that exceed HTTP header size limits.

To avoid this, set verbose_token to false in the Attestation Service configuration file and restart Trustee. Refer to the upstream Attestation Service configuration documentation for details.

After you complete installation, Trustee is configured to use the NVIDIA Remote Attestation Service (NRAS) to evaluate GPU evidence by default.

Configure Workloads for Attestation

To enable attestation for your workloads, point them to the Trustee network endpoint, also called the Key Broker Service (KBS) endpoint, by adding the following annotation to your workload pod spec:

io.katacontainers.config.hypervisor.kernel_params: "agent.aa_kbc_params=cc_kbc::http://<kbs-ip>:<kbs-port>"

Replace <kbs-ip> with the IP address or hostname at which your Trustee instance is reachable from the worker nodes. Replace <kbs-port> with the port that Trustee listens on (default: 8080).

Refer to the upstream Setup Confidential Containers documentation for more information on configuring workloads for attestation.
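A pre-deployment check for the annotation described above, as an added example that is not part of the upstream tooling or this guide's own code. The function name and the sample annotations are constructed for illustration, and accepting https in addition to the http scheme shown above is an assumption.

```python
from urllib.parse import urlsplit

ANNOTATION = "io.katacontainers.config.hypervisor.kernel_params"
PARAM = "agent.aa_kbc_params"

def check_kbs_annotation(annotations):
    """Return a list of problems with the KBS endpoint annotation ([] means OK)."""
    value = annotations.get(ANNOTATION)
    if value is None:
        return [f"annotation {ANNOTATION} is missing"]
    # The annotation value is a kernel command line: space-separated key=value tokens.
    params = dict(tok.split("=", 1) for tok in value.split() if "=" in tok)
    raw = params.get(PARAM)
    if raw is None:
        return [f"{PARAM} is not set in kernel_params"]
    kbc, sep, url = raw.partition("::")
    if not sep or kbc != "cc_kbc":
        return [f"expected cc_kbc::<url>, got {raw!r}"]
    if "<" in url or ">" in url:
        return ["placeholder <kbs-ip> or <kbs-port> was not replaced"]
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return [f"invalid endpoint URL: {exc}"]
    problems = []
    # Assumption: https is accepted as well as the http scheme shown on the page.
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        problems.append("endpoint has no host")
    if port is None:
        problems.append("endpoint has no explicit port")
    return problems

# Constructed sample annotations (192.0.2.10 is a documentation address).
GOOD = {ANNOTATION: "agent.aa_kbc_params=cc_kbc::http://192.0.2.10:8080"}
TEMPLATE = {ANNOTATION: "agent.aa_kbc_params=cc_kbc::http://<kbs-ip>:<kbs-port>"}

if __name__ == "__main__":
    for name, ann in (("good", GOOD), ("template", TEMPLATE)):
        print(name, check_kbs_annotation(ann) or "OK")
```

Pass the function the annotations mapping from a parsed pod spec (metadata.annotations); an empty list means the endpoint string is well formed, not that Trustee is reachable.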

Optional: Customize Attestation Workflows

Confidential Containers enables sensible default attestation policies for NVIDIA Confidential Computing GPUs. In most cases, the default policy is appropriate and you only need to provide reference values. For more information, refer to the upstream Confidential Containers reference values documentation.

You can use the Key Broker Service (KBS) Client Tool to configure Trustee reference values and secrets. Refer to the upstream documentation on using the KBS Client Tool.

For more advanced customization, refer to the following upstream Confidential Containers documentation:

  • Resources: Create the resources, such as secrets, that your workloads need.

  • Policies: Configure the policy types that secure workloads at different layers.

  • Features: Browse the full list of attestation features and how to configure them.

Troubleshooting

If attestation does not succeed after provisioning Trustee, enable debug logging by setting the RUST_LOG=debug environment variable in the Trustee environment. Use the Trustee log to diagnose the attestation process.

Next Steps