Release Notes

This document describes the new features and known issues for the NVIDIA Confidential Containers Reference Architecture.


1.1.0

This release expands hardware coverage and updates the validated software stack.

New Features

  • Added support for the NVIDIA HGX B300 platform with both single-GPU and multi-GPU passthrough.

  • Added support for Ubuntu 26.04 as a host operating system.

  • Added support for the following software components:

    • Kata Containers 3.31.0

    • containerd 2.3.x

Docs Changelog

The Install the Kata Containers Helm Chart procedure was updated for this release. Changes include:

  • Installs kata-deploy with a values file instead of inline --set flags.

  • Includes a new sample values file, samples/kata-nvidia-gpu-values.yaml, that configures the kata-deploy Helm chart for the NVIDIA Confidential Containers reference architecture (NVIDIA GPU shims only, NFD disabled, nydus snapshotter, and per-shim runtime class node selectors).

  • Adds a readiness verification step using kubectl rollout status ds/kata-deploy. This step relies on the readiness reporting added in Kata Containers 3.31.0 and lets you confirm that kata-deploy has finished extracting artifacts and restarting containerd on every node before continuing.


1.0.0

This is the initial general availability (GA) release of the NVIDIA Confidential Containers Reference Architecture, a validated deployment model for running GPU-accelerated AI workloads inside hardware-enforced Trusted Execution Environments (TEEs). It is designed for organizations in regulated industries that require strong isolation and cryptographic verification to protect model intellectual property and sensitive data on untrusted infrastructure.

The architecture combines NVIDIA GPU Confidential Computing, Kata Containers, and the NVIDIA GPU Operator to provide a secure, attestable, Kubernetes-native platform for confidential AI workloads.

Key Features

  • This release supports HGX platforms with:

    • NVIDIA H100 (single-GPU passthrough)

    • NVIDIA H200 (single-GPU passthrough)

    • NVIDIA H100 Protected PCIe (multi-GPU passthrough)

    • NVIDIA H200 Protected PCIe (multi-GPU passthrough)

    • NVIDIA B200 (single-GPU and multi-GPU passthrough)

    • NVIDIA RTX Pro 6000 BSE (single-GPU passthrough)

    • AMD Genoa / Milan CPUs with Ubuntu 25.10 (kernel 6.17+) for SEV-SNP

    • Intel Emerald Rapids / Granite Rapids CPUs with Ubuntu 25.10 (kernel 6.17+) for TDX

  • This release supports the following software components:

    • NVIDIA GPU Operator v26.3.1

    • Kata Containers 3.29 (installed with the kata-deploy Helm chart)

    • Kata Lifecycle Manager 0.1.4

    • Key Broker Service (KBS) protocol 0.4.0

    • QEMU 10.1 + Patches

    • OVMF edk2-stable202511

    • containerd 2.2.2

    • Kubernetes 1.32+

    • Ubuntu 25.10 (host OS)

  • This release has Technology Preview support for Red Hat OpenShift Sandboxed Containers 1.12.

Limitations and Restrictions

  • NVIDIA supports the GPU Operator and confidential computing with the containerd runtime only.

  • All GPUs on the host must be configured for Confidential Computing. Configuring only a subset of GPUs on a node is not supported. For multi-GPU passthrough, all GPUs must be assigned to a single confidential VM.