# Confidential containers roadmap When looking at the project's roadmap we distinguish between short term roadmap (2-4 month) vs the mid/long term roadmap (4-12 month): - The **short term roadmap** is focused on achieving an end-to-end easy to deploy confidential containers solution using at least one HW encryption solution and integrated to k8s (with forked versions if needed) - The **mid/long term solutions** focuses on maturing the components of the short term solution and adding a number of enhancements both to the solution and the project (such as CI, interoperability with other projects etc...) # Short term roadmap The short term roadmap aims to achieve the following: - MVP stack for running confidential containers - Based on and compatible with Kata Containers 2 - Based on at least one confidential computing implementation (SEV, TDX, SE, etc) - Integration with Kubernetes: kubectl apply -f confidential-pod.yaml The work is targeted to be completed by end of November 2021 and includes 3 milestones: ![September 2021](./images/RoadmapSept2021.jpg) - **September 2021** - Unencrypted image pulled inside the guest, kept in tmpfs - Pod/Container runs from pulled image - Agent API is restricted - crictl only ![October 2021](./images/RoadmapOct2021.jpg) - **October 2021** - Encrypted image pulled inside the guest, kept in tmpfs - Image is decrypted with a pre-provisioned key (No attestation) ![November 2021](./images/RoadmapNov2021.jpg) - **November 2021** - Image is optionally stored on an encrypted, ephemeral block device - Image is decrypted with a key obtained from a key brokering service (KBS) - Integration with kubelet For additional details on each milestone see [Confidential Containers v0](https://docs.google.com/presentation/d/1SIqLogbauLf6lG53cIBPMOFadRT23aXuTGC8q-Ernfw/edit#slide=id.p) Tasks are tracked on a weekly basis through a dedicated spreadsheet. For more information see [Confidential Containers V0 Plan](https://docs.google.com/spreadsheets/d/1M_MijAutym4hMg8KtIye1jIDAUMUWsFCri9nq4dqGvA/edit#gid=0&fvid=1397558749). # Mid term roadmap Continue our journey using knowledge and support of Subject Matter Experts (SME's) in other projects to form stronger opinions on what is needed from components which can be integrated to deliver the confidential containers objectives. - Harden the code used for the demos, - Improve CI/CD pipeline, - Clarify the release process - Establish processes and tools to support planning, prioritisation, and work in progress - Simple process to get up and running regardless of underlying Trusted Execution Environment technology. - Develop a small, simple, secure, lightweight and high performance OCI container image management library [image-rs](https://github.com/confidential-containers/image-rs) for confidential containers. - Develop small, simple shim firmware ( [td-shim](https://github.com/confidential-containers/td-shim) ) in support of trusted execution environment for use with cloud native confidential containers. - Document threat model and trust model, what are we protecting, how are we achieving it. - Identify technical convergence points with other confidential computing projects both inside and outside CNCF. # Longer term roadmap Focused meetings will be setup to discuss architecture and the priority of longer term objectives in the process of being setup. Each meeting will have an agreed focus with people sharing material/thoughts ahead of time. Topics under consideration: - CI/CD + Repositories - Community Structure and expectations - 2 on Mid Term Architecture - Attestation - Images - Runtimes Proposed Topics to influence long term direction/architecture. - Baremetal / Peer Pod - Composability of alternative technologies to deliver confidential containers. - Performance - Identity / Service Mesh - Reproducible Builds/Demos - Edge Computing - Reduce footprint of image pull