
Red Hat backs CNCF project, spills TEE support over Kubernetes
2022-10-10 16:00

Red Hat is backing a Cloud Native Computing Foundation project that aims to improve the security of containers in Kubernetes clusters by running them inside hardware-enforced enclaves.

A company blog post says Red Hat is investing in Confidential Containers (CoCo), a relatively new CNCF sandbox project that grew out of work in the Linux Foundation's Confidential Computing Consortium.

The idea is to run containers inside a Trusted Execution Environment (TEE), an isolation facility most processor architectures have offered for some years now (Intel SGX, AMD SEV and Arm TrustZone among them). The Reg wrote about OpenTEE in 2015, although we've also covered ways researchers have found to break out of them.

The hard part is that the whole point of a TEE is to isolate the workload from the host: the host kernel, hypervisor and operator should be unable to read or tamper with the code and data inside it, with only a narrow, explicit channel left for communication. You can't get that from an ordinary container, because containers are just normal processes running directly on top of the host kernel, which therefore sees everything they do, as our Brief History of Virtualization explained before Docker was a twinkle in dotCloud's eye.

So to deliver workloads that run inside TEEs but are still scheduled and managed by Kubernetes, the CoCo project uses another technology, Kata Containers, which runs each pod inside its own lightweight virtual machine rather than as a bare host process. That VM is the unit that can be placed inside a hardware TEE, while Kubernetes still sees an ordinary pod. Kata came out of merging Intel Clear Containers and Hyper runV, and is backed by the OpenStack Foundation (since renamed the Open Infrastructure Foundation).
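As an added illustration (not from the article, and not the CoCo project's own manifests), this is what selecting a TEE-backed runtime looks like from the Kubernetes side: a RuntimeClass whose handler names a Kata runtime configured for a confidential VM, and a Pod that opts into it. The handler name kata-cc, the node label, the overhead figures, the pod name and the image are all assumptions; the real handler name is whatever was registered with containerd or CRI-O on the node when the runtime was installed.

```yaml
# Added example: RuntimeClass plus a Pod that selects it.
# "kata-cc" is an assumed handler name; it must match the CRI runtime
# handler configured on the node, not something this file can invent.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-cc
handler: kata-cc                  # assumed: name of the Kata handler on the node
overhead:
  podFixed:                       # the guest VM has its own footprint (assumed values)
    memory: "160Mi"
    cpu: "250m"
scheduling:
  nodeSelector:
    tee.example/capable: "true"   # assumed node label marking TEE-capable hardware
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-worker           # assumed workload name
spec:
  runtimeClassName: kata-cc       # without this line the pod is an ordinary host process
  containers:
  - name: app
    image: registry.example.com/payments:1.4   # assumed image
    resources:
      limits:
        memory: "512Mi"
```

The point to keep in mind is that the manifest only records which runtime was requested. A pod being admitted under kata-cc is not evidence that its memory is protected from the host: that assurance comes from remote attestation of the guest (the hardware-signed measurement of the VM and its initial image), checked by whichever service releases secrets or keys to the workload. CoCo handles that part separately, and the article does not go into it.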

Which, of course, will be welcomed in turn by silicon vendors, because even very lightweight VMs still consume more CPU and memory than plain containers do.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/10/confidential_containers_encrypted_k8s/

Related vendor

Vendor       Products (last 12 months)   Low   Medium   High   Critical   Total vulns
Kubernetes   18                          12    49       23     5          89