Overview
c8s makes any Kubernetes cluster confidential — your workloads' data and artifacts stay encrypted in TEE memory while they're in the cluster, and the guarantee is provable to any independent third party.
c8s (Confidential Kubernetes) makes any Kubernetes cluster confidential. You have a cluster, you want it confidential — c8s is the switch. Your workloads' data and artifacts — model weights, prompts, responses, datasets, and credentials — stay encrypted in hardware-backed Trusted Execution Environment (TEE) memory from the moment they enter the cluster until they leave it, and that property is cryptographically provable to any independent third party.
Private inference, training and fine-tuning, agents, or any existing Kubernetes workload can inherit that guarantee with minimal changes — c8s keeps the Kubernetes surface you already use.
The design assumption is simple and uncompromising: the host is adversarial. The cloud provider, the bare-metal operator, and anything that can read raw host memory or inspect a QEMU command line are all outside the trust boundary. "It works on a normal cluster" is not the bar. It must work on a confidential one, with the threat model intact.
New here? This section walks you end to end:
- Understand the runtime model
- Provision a TEE node
- Install c8s
- Run a confidential workload
- Verify its confidentiality
Start with this page, then choose your deployment shape.
From zero to verified, in four steps
Bring up a Kubernetes cluster on confidential (TEE) hardware — managed in the cloud or your own host.
One CLI command sets up the attestation root of trust, the encrypted service mesh, and image-policy enforcement.
Confidential pods boot as attested CVMs and get TEE-bound certs.
Any client — even a browser — cryptographically verifies the enclave.
Why Confidential Kubernetes
Running workloads on someone else's infrastructure creates a three-sided trust problem, and contractual promises do not solve any side of it:
- Artifact owners — model weights, datasets, proprietary code — risk exfiltration the moment their artifacts touch third-party infrastructure.
- Compute providers want to host valuable workloads without being able (or liable) to observe them.
- End users in healthcare, legal, financial, and national-security settings need a hard guarantee that their inputs and outputs stay opaque to the operator.
Hardware TEEs (AMD SEV-SNP, Intel TDX, and NVIDIA Confidential Computing) resolve all three at once: they encrypt the runtime in hardware, measure the code that booted, and let that measurement be attested to a remote verifier. c8s turns those primitives into a working Kubernetes platform — even on managed services like GKE and AKS where the control plane itself cannot be attested.
Read the full design in the c8s whitepaper (arXiv).
The five principles
c8s applies the same five principles end-to-end:
- Encrypt the runtime — workloads run in hardware-encrypted memory the host cannot read.
- Measure the code — the hardware computes a launch digest over exactly what booted.
- Bind identity to measurement — credentials are issued only after the measurement is verified, so a certificate is proof of what is running.
- Verify before connecting — peers require an attestation-rooted identity before traffic flows.
- Secure the egress — all traffic is encrypted to verified destinations.
How the pieces fit
UNTRUSTED HOST
╔══ TEE BOUNDARY · HOST CANNOT READ ═════════╗
║ ║
║ ┌─────────────┐ challenge ┌───────────┐ ║ inject ┌──────────────────┐
║ │ CDS │◄─── + CSR ──┤ Workload │◄╫────────┤ c8s operator │
║ │ │ │ pod │ ║ │ webhook · CRDs │
║ │ evidence · ├── leaf ────►│ │ ║ └──────────────────┘
║ │ sign CSR · │ cert │ + get-cert│ ║
║ │ mesh CA │ │ sidecar │◄╫──┐ ┌──────────────────┐
║ └──────┬──────┘ └─────┬─────┘ ║ │ │ nri-image-policy │
║ │ verify RA-TLS │ ║ └─────┤ digest allowlist │
║ ▼ ▼ ║ enforce└──────────────────┘
║ ┌─────────────┐ ┌───────────┐ ║
║ │attestation- │ │ ratls-mesh│ ║
║ │ api │ │ │ ║
║ │SEV-SNP /TDX │ │ RA-TLS L4 │ ║
║ │ verifier │ │ proxy │ ║
║ └─────────────┘ └───────────┘ ║
║ ║
╚════════════════════════════════════════════╝| Component | Role |
|---|---|
| CDS — Certificate Distribution Service | Verifies TEE attestation evidence and signs workload CSRs with an in-process mesh CA whose key never leaves the TEE. The trust root of the cluster. |
| c8s operator | Runs the CRDs, status mirroring, and the admission webhook that injects the get-cert init/sidecar container into workload pods. Runs on the untrusted host, outside the trust boundary — confidentiality never depends on it. |
| attestation-api | Verifies hardware evidence (AMD SEV-SNP, Intel TDX). Runs as a host DaemonSet under node-as-CVM, or inside the guest at 127.0.0.1:8400 under pod-as-CVM (Kata). |
| ratls-mesh | Transparent L4 proxy that wraps inter-node Kubernetes traffic in RA-TLS (attested mTLS). |
| nri-image-policy | NRI plugin (or in-guest policy-monitor) enforcing a container-image digest allowlist. |
| get-cert | CLI / init-container that runs the attestation flow to obtain a TEE-bound certificate for a workload. |
One term you will see throughout: RA-TLS (Remote-Attestation TLS) — mTLS where each certificate carries hardware attestation evidence, so a peer verifies both identity and that the peer runs in a genuine TEE at an expected measurement.
Two deployment shapes
c8s supports two trust boundaries; the choice is the most important architectural decision you will make:
Pod-as-CVM
Each pod is its own confidential VM (via Kata). Per-pod attestation; strongest isolation from the cluster operator. Needs a bare-metal-class confidential host.
Node-as-CVM
The whole Kubernetes node is one confidential VM; pods are ordinary containers inside it. Simpler and denser; the deployment shape available on Azure AKS.
Your path through the docs
1 · Understand the runtime
Pod-as-CVM vs node-as-CVM — the unit of trust — plus Kata, measured boot, and the guest image.
2 · Provision a confidential cluster
Create a managed AKS cluster on a confidential node pool — node-as-CVM, ready for c8s.
3 · Install c8s
One CLI command, with every flag explained.
4 · Bootstrap trust
CDS bootstrapping, the mesh CA, and how workload certificates are signed.
5 · Manage the allowlist
Control exactly which container images may run.
6 · Verify confidentiality
How an end consumer — even a browser — proves the enclave.