About this document

Red Hat OpenShift sandboxed containers for Red Hat OpenShift Container Platform integrates Kata Containers as an optional runtime that runs containerized applications in lightweight, dedicated virtual machines (VMs), providing stronger workload isolation than a standard container. This gives sensitive workloads a more secure runtime environment without significant changes to existing OpenShift workflows. A peer pod in OpenShift sandboxed containers extends the concept of a standard pod. In a standard sandboxed container, the VM is created on the compute node itself; in a peer pod, the VM is created through a remote hypervisor using any supported hypervisor or cloud provider API. The peer pod behaves as a regular pod on the compute node, with its corresponding VM running elsewhere. The remote location of the VM is transparent to the user and is selected by the runtime class in the pod specification. Because the VM runs outside the compute node, the peer pod design removes the need for nested virtualization.

The Hyper Protect contract is essential for the workload lifecycle within the secure execution environment and is a unique capability of the Hyper Protect Platform, enabled through IBM Secure Execution for Linux. The workload itself and its contract are passed into the container runtime environment in the KVM guest during the deployment, and this container runtime environment is also known as Hyper Protect Container Runtime (HPCR). To safeguard the contract, a public/private key pair is used to encrypt the contract contents. This public/private key pair helps maintain the confidentiality of the contract during its distribution and before it is decrypted by the HPCR image.

For more information about;

Confidential Containers

The Confidential Containers project is a significant community initiative aimed at protecting containers and data by verifying that your workload is running in a Trusted Execution Environment (TEE). You can deploy this feature to safeguard the privacy of big data analytics and machine learning inferences.

Trustee is a component of Confidential Containers. Trustee is an attestation service that verifies the trustworthiness of the location where you plan to run your workload or where you plan to send confidential information. Trustee includes components deployed on the trusted side that verify whether the remote workload is running in a TEE. Trustee is flexible and can be deployed in several different configurations to support a wide variety of applications and hardware platforms.

You can sign container images by using a tool such as Red Hat Trusted Artifact Signer. Then, you create a container image signature verification policy. The Trustee Operator verifies the signatures, ensuring that only trusted and authenticated container images are deployed in your environment.

Intended audience

This document is intended for Systems Integrators, IT Architects, Systems Administrators, and Application Developers. It is assumed that the reader has experience with Kubernetes, Red Hat OpenShift Container Platform, IBM Z and IBM® LinuxONE, and Red Hat® Enterprise Linux®.