github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2026-05-18 13:37:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
541ae903647dfd369a08286c38084f18e5201016
confidential-containers/quickstart.md
Fabiano Fidêncio 36efa68457 docs: Replace Operator references with Helm charts 
The Confidential Containers Operator is being replaced by Helm charts
as the primary deployment method. This commit updates all documentation
to reflect this change.

Changes:
- quickstart.md: Updated installation instructions to use Helm charts
  instead of kubectl apply with kustomize
- README.md: Updated 'Get started quickly' link to point to charts repo
- guides/coco-dev.md: Updated reference from operator to Helm charts
- guides/troubleshooting.md: Updated issue link to charts repo
- guides/ibm-se.md: Rewrote installation instructions for Helm charts
- demos/ssh-demo/README.md: Updated runtime setup reference
- .github/ISSUE_TEMPLATE/release-check-list.md: Updated release process
  to use scripts/prepare-release.sh from charts repo
- demos/operator-demo/: Removed obsolete operator demo

The new charts repository is at:
https://github.com/confidential-containers/charts

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-01-12 16:10:50 -05:00

6.7 KiB
Raw Blame History

Getting Started

Confidential Containers (CoCo) provides a uniform workflow, trust model, and feature set across a wide array of platforms and deployment models.

In general, using CoCo involves the following steps:

  • Install CoCo using the Helm charts
  • Add a runtimeClassName to your pod yaml
  • Deploy signed/encrypted container images (optional)
  • Setup attestation (optional)

This guide walks through these steps and touches on some platform-specific configurations. For more advanced features, specific hardware setup, and troubleshooting information, see the guides directory.

Confidential Containers is still maturing. See release notes for currrent hardware support and limitations.

Installation

You can enable Confidential Containers in an existing Kubernetes cluster using the Confidential Containers Helm charts. When installation is finished, your cluster will have new runtime classes for different hardware platforms, including a generic runtime for testing CoCo without confidential hardware support, a runtime using a remote hypervisor that allows for cloud integration, a runtime for process-based isolation using SGX, as well as runtimes for TDX and SNP.

Prerequisites

To install the Helm charts you must have an existing Kubernetes cluster that meets the following requirements.

  • Ensure a minimum of 8GB RAM and 4 vCPU for the Kubernetes cluster node
  • Only containerd runtime based Kubernetes clusters are supported with the current CoCo release
  • The minimum Kubernetes version should be 1.24
  • Ensure at least one Kubernetes node in the cluster has the labels node-role.kubernetes.io/worker= or node.kubernetes.io/worker=. This will assign the worker role to a node in your cluster, making it responsible for running your applications and services
  • Ensure SELinux is disabled or not enforced
  • Helm 3.8+ installed

For more details on the Helm charts, including detailed installation options and troubleshooting, refer to the charts repository.

Note

You can also use a Kind or Minikube cluster with containerd runtime to try out the CoCo stack for development purposes. Make sure to use the kata-clh runtime class for your workloads when using Kind or Minikube, as QEMU is known to not work with Kind or Minikube.

Helm Installation

Install the CoCo runtime using the Helm chart, substituting <VERSION> with the desired release version:

helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
  --version <VERSION> \
  --namespace coco-system \
  --create-namespace

For example, to install version 0.18.0:

helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
  --version 0.18.0 \
  --namespace coco-system \
  --create-namespace

Wait until each pod has the STATUS of Running.

kubectl get pods -n coco-system --watch

For platform-specific installation options (s390x, peer-pods, etc.) and advanced configuration, see the charts repository documentation.

Verify Installation

Check the RuntimeClasses that got created.

kubectl get runtimeclass

Output:

NAME                 HANDLER              AGE
kata                 kata-qemu            8d
kata-clh             kata-clh             8d
kata-qemu            kata-qemu            8d
kata-qemu-coco-dev   kata-qemu-coco-dev   8d
kata-qemu-snp        kata-qemu-snp        8d
kata-qemu-tdx        kata-qemu-tdx        8d

Details on each of the runtime classes:

  • kata - Convenience runtime that uses the handler of the default runtime
  • kata-clh - standard kata runtime using the cloud hypervisor
  • kata-qemu - same as kata
  • kata-qemu-coco-dev - standard kata runtime using the QEMU hypervisor including all CoCo building blocks for a non CC HW
  • kata-qemu-snp - using QEMU, and support for AMD SNP HW
  • kata-qemu-tdx -using QEMU, and support Intel TDX HW based on what's provided by Ubuntu and CentOS 9 Stream.

The CoCo environment has been setup and deployed!

Platform Setup

While the Helm charts deploy all the required binaries and artifacts and set up runtime classes that use them, certain platforms may require additional configuration to enable confidential computing. For example, a specific host kernel or firmware may be required. See the guides for more information.

Using CoCo

Below is a brief summary and description of some of the CoCo use cases and features:

  • Container Launch with Only Memory Encryption (No Attestation) - Launch a container with memory encryption
  • Container Launch with Encrypted Image - Launch an encrypted container by proving the workload is running in a TEE in order to retrieve the decryption key
  • Container Launch with Image Signature Verification - Launch a container and verify the authenticity and integrity of an image by proving the workload is running in a TEE
  • Sealed secret - Implement wrapped kubernetes secrets that are confidential to the workload owner and are automatically decrypted by proving the workload is running in a TEE
  • Ephemeral Storage - Temporary storage that is used during the lifecycle of the container but is cleared out when a pod is restarted or finishes its task. At the moment, only ephemeral storage of the container itself is supported and it has to be explicityly configured.
  • Authenticated Registries - Create secure container registries that require authentication to access and manage container images that ensures that only trusted images are deployed in the Confidential Container. The host must have access to the registry credentials.
  • Secure Storage - Mechanisms and technologies used to protect data at rest, ensuring that sensitive information remains confidential and tamper-proof.
  • Peer Pods - Enable the creation of VMs on any environment without requiring bare metal servers or nested virtualization support. More information about this feature can be found here.

Platforms

With some TEEs, the CoCo use cases and/or configurations are implemented differently. Those are described in each corresponding guide section. To get started using CoCo without TEE hardware, follow the CoCo-dev guide below:

Reference in New Issue View Git Blame Copy Permalink