Author | Yanrong

Inclavare Containers became an official Cloud Native Computing Foundation (CNCF) sandbox project on September 15, 2021, following a vote by the CNCF Technical Oversight Committee (TOC). Inclavare Containers is the industry's first open source container runtime project for confidential computing scenarios. It was originally developed by the Alibaba Cloud OS security team and the Cloud Native Container Platform team, in collaboration with Intel.

Inclavare Containers project address: github.com/alibaba/inc…

The first open source container runtime for confidential computing – Inclavare Containers

In cloud native environments, confidential computing builds on a hardware-based trusted execution environment to protect the confidentiality and integrity of users' sensitive data while it is in use (being computed on). At the same time, it faces a series of problems: a high barrier to development, use and deployment; complex containerized operation of sensitive applications; no native support in Kubernetes; and the lack of a unified cross-cloud deployment scheme. Inclavare Containers is designed to solve these problems.

Inclavare Containers system architecture diagram

Inclavare Containers, which integrates with Kubernetes and Docker, is the industry's first open source container runtime for confidential computing scenarios. Its goal is to provide the industry and the open source community with confidential container technology for cloud native scenarios, confidential clustering technology and a general remote attestation security architecture, and to become the de facto standard in this field. The project was open sourced in May 2020 and has grown rapidly in just over a year, attracting the attention and contributions of experts and engineers in many fields.

Five features that safeguard user data

Inclavare Containers takes a novel approach: it starts protected containers inside a hardware-based trusted execution environment, so that entities the user does not trust cannot access the user's sensitive data. Its core functions and features include:

  • **Removes trust in the cloud service provider and implements a zero-trust model:** The security threat model of Inclavare Containers assumes that users do not need to trust the cloud service provider; that is, the security of user workloads no longer depends on privileged components controlled by the cloud service provider.
  • **Provides a general remote attestation security architecture:** By building a general, cross-platform remote attestation security architecture, the project makes it possible to prove to users that their sensitive workloads are running in a genuine hardware-based trusted execution environment, which may be built on different confidential computing technologies.
  • **Defines a general Enclave Runtime API specification:** A standard API specification for interfacing with various forms of Enclave Runtime simplifies connecting a particular Enclave Runtime to the cloud native ecosystem and gives users more technical choices. At present, Occlum, Graphene and WAMR all provide Enclave Runtime support for Inclavare Containers.
  • **OCI compatibility:** The Inclavare Containers project designs and implements a new OCI runtime, `rune`, which complies with the OCI runtime specification in order to align with the existing cloud native ecosystem and realize the confidential container form. The user's sensitive applications are deployed and run as confidential containers while retaining the same user experience as normal containers.
  • **Seamless integration with the Kubernetes ecosystem:** Inclavare Containers can be deployed on any public cloud Kubernetes platform, enabling a unified confidential container deployment approach.

Accelerate cloud native infrastructure’s embrace of confidential computing

The Inclavare Containers open source project aims to accelerate the embrace of confidential computing by cloud native infrastructure by combining original research from academia with hands-on practical capabilities from industry, building a cloud native confidential computing security architecture through a neutral community. In addition to the existing cooperation with Intel, we plan to establish similar cooperation with other chip manufacturers in the future. We have also started new partnerships with universities and academia to unlock more of the potential of Inclavare Containers in confidential computing.

As the industry's first open source container runtime for confidential computing scenarios, Inclavare Containers will evolve into a secure, easy-to-use, intelligent and scalable architecture. While deepening the implementation of the zero-trust model, it will continuously improve the experience of developers and users, with the eventual aim of eliminating any perceptible difference in use between normal containers and confidential containers. In the future, Inclavare Containers will continue to work side by side with the community and the ecosystem to advance the adoption of cloud native technology in the confidential computing space, and to expand the boundaries of cloud native together with developers worldwide.

At present, Inclavare Containers is one of the projects of the OpenAnolis community's Cloud Native Confidential Computing SIG, which is dedicated to providing the industry with open source, standardized confidential computing technology and security architecture through cooperation and joint development in the open source community, and to promoting the development of confidential computing technology in cloud native scenarios.

The Cloud Native Confidential Computing SIG can be found at openanolis.cn/sig/coco