NVIDIA Confidential Containers
NVIDIA Confidential Containers is a validated reference architecture for running GPU-accelerated AI workloads on Kubernetes inside hardware-enforced Trusted Execution Environments (TEEs). It extends NVIDIA GPU Confidential Computing to standard Kubernetes deployments using CNCF Confidential Containers and Kata Containers with the NVIDIA GPU Operator. Use it to protect model intellectual property and sensitive data from untrusted infrastructure across public cloud, on-premises, and edge deployments.
Benefits
Confidential Containers provides the following benefits:
Protect model IP and sensitive data on untrusted public cloud, on-premises, or edge infrastructure.
Deploy proprietary generative AI models in regulated industries on third-party or private clusters.
Isolate GPU workloads in hardware-protected enclaves with encrypted memory and integrity verification.
Operate confidential workloads with standard Kubernetes pods, runtime classes, and scheduling.
Verify TEE state through remote attestation before releasing secrets or decrypted model weights.
Refer to Reference Architecture for the full value proposition, trust model, and architecture diagrams.
Use Cases
Common scenarios include protecting proprietary model IP on third-party infrastructure, running frontier models in a sovereign environment, and processing sensitive enterprise data in data clean rooms. Refer to Use Cases in the Reference Architecture for workflows and deployment scenarios.
Core Concepts
Confidential Containers runs Kubernetes pods in hardware-isolated virtual machines instead of on the shared host kernel, protecting workloads from the host and other tenants. On supported hardware (AMD SEV-SNP or Intel TDX), that isolation forms a trusted execution environment (TEE) with encrypted memory and integrity verification.
Attestation, sealed secrets, and encrypted container images are core to the model. Refer to Background in the Reference Architecture.
Core Components
This documentation focuses on the components you install, configure, and operate to run workloads in a Confidential Containers runtime on Kubernetes. The Reference Architecture describes the full stack. The install guides cover Kata Containers and the NVIDIA GPU Operator end to end.
Kata Containers: Runs pods inside TEE-protected virtual machines instead of on the shared host kernel. Install Kata Deploy and TEE-specific runtime shims in Quickstart Install and Detailed Install Guide. Schedule workloads with a TEE-aware RuntimeClass in Configuring Workloads.
NVIDIA GPU Operator: Automates GPU Confidential Computing on eligible nodes, including CC mode, VFIO passthrough, and GPU allocation for Kata pods. Configure the Operator and node labels in Detailed Install Guide. Manage CC mode in Managing the Confidential Computing Mode.
For Confidential Containers, the Operator deploys:
NVIDIA Confidential Computing Manager (cc-manager)
NVIDIA Kata Sandbox Device Plugin
NVIDIA VFIO Manager
Node Feature Discovery (NFD)
Using This Documentation
This documentation describes the NVIDIA reference architecture for Confidential Containers and deployment recommendations for the upstream CNCF Confidential Containers project with NVIDIA GPUs. It covers NVIDIA-specific configurations needed to run Confidential Containers workloads on Kubernetes. This primarily includes the steps to enable and configure Kata Containers and the NVIDIA GPU Operator on your cluster.
For advanced Confidential Containers topics and day-two operations, refer to the upstream Confidential Containers documentation, because those workflows and implementations are not NVIDIA-specific. For example, an attestation implementation is not specific to NVIDIA GPUs. A brief attestation overview and an evaluation quickstart are available in Attestation, but full production attestation implementation guides are in the upstream Confidential Containers attestation documentation.
Learn
Use cases, software components, and cluster topology.
Roles, responsibilities, and documentation navigation by persona.
Validated hardware, OS, and component versions.
Install
Hardware, BIOS, and Kubernetes cluster requirements.
Minimal steps to install Kata Containers and the GPU Operator.
Install with per-node labeling, configuration options, and troubleshooting.
Run a sample GPU workload; success is Test PASSED in the pod logs.
Advanced Setup
Choose attestation, CC mode, and workload configuration after install.
Runtime classes, resource types, and multi-GPU passthrough.
Set CC mode at the cluster or node level.
Trustee quickstart and connectivity checks (not required for the install sample).