Limitations
Known gaps and deliberate non-goals in the current c8s milestone — what is not yet enforced, and what to plan around.
c8s is built around a strong threat model, but not every gap is closed yet. This page is the honest list of what the current milestone does not do, so you can plan around it. Several items are deliberate non-goals for now; others are tracked work.
Trust & enforcement gaps
- Measurements are not pinned by default. The chart ships with
cds.measurementsandratlsMesh.measurementsempty, which means "accept any attested peer". This is fine for demos but must be set for production — see the threat model. - Mesh peer verification doesn't pin the peer measurement. A mesh peer is accepted if its certificate chains to the mesh CA; the peer's launch measurement is not additionally checked on the handshake.
- Leaf certificates don't embed the verified TEE measurement. The measurement is checked at issuance time, but it is not carried inside the leaf for downstream re-verification.
- The image allowlist gates the digest only.
nri-image-policy/policy-monitorenforce the container-image digest — not args, env, mounts, capabilities, or the rest of the pod spec. - Allowlist write authorization is pinned-key, not PKI. Writes are authorized by long-lived
operator public keys pinned in
cds.operatorKeys. Revocation is coarse — removing the key and re-installing, with no CRL/OCSP. Write tokens are bound to body, method, and path but carry no cluster binding, so clusters pinning the same operator key accept each other's captured tokens within the five-minute validity cap — pin distinct keys per cluster. And the pinned list itself is host-supplied config outside the CDS launch measurement:c8s cds verifyreports the pinned-key fingerprints so a swap is visible, but not measured. A CA with short-lived operator certificates is the planned replacement. See Authorizing mutations. - No per-workload peer allowlists in the mesh. Any attested mesh peer can talk to any other; there is no per-workload restriction on who may connect to whom.
- No SPIFFE-style URI SAN identities. Workload identity is carried by the CDS-issued cert's SANs/CN, not a SPIFFE URI scheme.
Availability & operations
- The CDS is a singleton by default. The mesh CA key lives only in CDS process memory, so a
restart generates a new CA and invalidates existing leaves. HA via attested CA handoff is
opt-in (
cds.handoff.enabled=true) — see CDS handoff. - Flipping
kata.enabledon a live cluster is disruptive. Node-as-CVM and pod-as-CVM move components between host and guest; switching in place is not a seamless toggle. - A small post-start kill window exists under Kata.
policy-monitorSIGKILLs a non-allowlisted container's init PID, but the init fork happens a few milliseconds before the kill lands.
Platform constraints
- Pod-as-CVM is unavailable on Azure. Azure does not expose nested virtualization, so AKS runs node-as-CVM only — all pods on a node share one confidential boundary. See Provisioning on Azure.
- One CPU TEE per cluster for confidential pods. The per-pod runtime (
--kata) supports AMD SEV-SNP and Intel TDX, but an install picks exactly one via--hardware-platform(renderingkata-qemu-snporkata-qemu-tdx), and the webhook promotes every confidential pod to that one class — mixed SNP + TDX clusters are not supported. On a host with neither TEE you can still runkata-qemu(isolation without confidentiality). - Browser verification is SEV-SNP only. The c8s-verify WASM verifier ships AMD ARK/ASK roots and verifies SEV-SNP evidence; TDX is reserved in the wire protocol but not yet implemented.
- Confidential GPU ships, with gaps. Kata clusters run GPU pods as confidential VMs with
the NVIDIA GPU passed through over VFIO (Blackwell-class, CC mode) — request an
nvidia.com/*resource and the webhook injects the confidential GPU RuntimeClass. Current gaps: the GPU's own attestation (SPDM) is not yet surfaced to the relying party (a non-CC GPU fails closed at guest boot, but there is no positive GPU evidence in the attestation result); the GPU guest boots kata's GPU kernel (measured, but not our hardened configuration); and on SEV-SNP each GPU pod is pinned to a single vCPU to keep the launch measurement stable. Host GPU provisioning (vfio-pci binding, GPU CC mode, BAR resize) is assumed done before install; the NVIDIA GPU Operator is not used on this path. - Don't run an external service mesh alongside c8s. c8s installs its own pod-to-pod RA-TLS mesh — transparent iptables redirection plus attestation-gated mTLS. A second service mesh (Istio, Linkerd, or any sidecar / mTLS plumbing) double-intercepts the same traffic, collides with the RA-TLS handshake, and injects un-attested proxies into the confidential path — breaking the trust model rather than adding to it. Run c8s without one; it already provides the mTLS layer, rooted in hardware attestation.
Out of scope for this milestone
- Pod-spec integrity checking beyond the image-digest allowlist.
- Attestation-gated release of application secrets (the CDS key-brokering path).
- Multi-tenant isolation between workloads on the same cluster beyond the CVM boundary, and federated multi-cluster control planes.
For the verification client's roadmap (binding the LB leaf into attestation, removing the pinned mesh CA PEM), see consumer verification.