Release Date: June 21st, 2024
This release is based on 3.6.0 of Kata Containers and v0.9.1 of enclave-cc.
This is an alpha release, with some limitations, but it builds significantly on the previous release. For a full feature set, please use v0.8.0 or the upcoming v0.9.0. For details of what has been added and what does not yet work, see the following sections.
Please see the quickstart guide for details on how to try out Confidential Containers.
Please refer to our Acronyms and Glossary pages for definitions of the acronyms used in this document.
- Cloud API Adaptor (peer pods) is included in the release and based on Kata main.
- Image pulling inside the guest via the nydus snapshotter is more stable.
- Platform support has been partially restored.
- Confidential runtime classes ship with filesystem sharing disabled by default.
kata-qemu-coco-devruntime class introduced for nontee development.- Several improvements to guest policy
guest_components_procsoption introduced to control which guest components are started.
This release tentatively supports multiple TEE platforms, although not all features are enabled for all platforms and test coverage is limited.
The following are known limitations of this release:
- Encrypted images and signed images are not yet supported.
- Sealed secrets and encrypted volumes are not yet supported.
- SEV(-ES) and SEV-SNP do not support attestation.
- Authenticated registries are not supported.
- Nydus snapshotter support is not mature.
- Nydus snapshotter sometimes fails to pull an image.
- Nydus snapshotter cannot handle pods with init containers.
- Host pulling with Nydus snapshotter is not yet enabled.
- Nydus snapshotter is not supported with enclave-cc.
- Pulling container images inside guest may have negative performance implications including greater resource usage and slower startup.
criosupport is still evolving.- Platform support is rapidly changing
- SELinux is not supported on the host and must be set to permissive if in use.
- Complete integration with Kubernetes is still in progress.
- OpenShift support is not yet complete.
- Existing APIs do not fully support the CoCo security and threat model. More info
- Some commands accessing confidential data, such as
kubectl exec, may either fail to work, or incorrectly expose information to the host
- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.
- We track our status with the OpenSSF Best Practices Badge, which remained at 75% at the time of this release.
- Community has adopted a security reporting protocol, but application and documentation of static and dynamic analysis still needed.
- Container metadata such as environment variables are not measured.
- The Kata Agent allows the host to call several dangerous endpoints
- Kata Agent does not validate mount requests. A malicious host might be able to mount a shared filesystem into the PodVM.
- Policy can be used to block endpoints, but it is not yet tied to the hardware evidence.
None