The Next Episode in Workload Isolation: Confidential Containers

May 01, 2023 31 min Free

Description

This talk explores Confidential Containers (CoCo), a CNCF Sandbox project that strengthens workload isolation by leveraging the Trusted Execution Environments (TEEs) available on modern CPUs. Jeremi Piotrowski from Microsoft details how CoCo builds on Kata Containers to run workloads inside confidential virtual machines, focusing on AMD SEV-SNP technology. The presentation covers the key building blocks, memory encryption, memory integrity, and remote attestation, along with the deployment options, from bare metal to nested VMs in cloud environments. It highlights how Confidential Containers enable secure cloud-native computing by protecting both the containers and the data they process.