C8s: A Confidential Kubernetes Architecture

TL;DR

C8s introduces a confidential Kubernetes architecture leveraging hardware TEEs to ensure cryptographically provable confidentiality, integrity, and verifiability for sensitive workloads across various cloud providers.

Contribution

The paper presents a novel architecture that integrates hardware TEEs with Kubernetes, enabling cryptographically verifiable confidentiality guarantees for third-party cloud environments.

Findings

Supports confidential workloads like AI inference and training.

Provides cryptographically rooted guarantees verifiable by third parties.

Compatible with major managed Kubernetes services.

Abstract

This paper presents C8s, a confidential computing architecture for Kubernetes that provides cryptographically rooted confidentiality, integrity, and verifiability guarantees for Kubernetes clusters from infrastructure operators. These guarantees are cryptographically provable to any independent third party verifier. The architecture is built on hardware Trusted Execution Environments (TEEs), specifically AMD SEV-SNP, Intel TDX, and NVIDIA Confidential Computing support, to establish an attestation-rooted trust boundary around confidential VMs. This design is compatible with managed Kubernetes services such as Amazon EKS, Google GKE, and Microsoft AKS, where the control plane cannot be attested. Under this boundary, three groups gain guarantees that are absent from conventional deployments. Data and artifact owners can deploy sensitive workloads and proprietary artifacts on third-party infrastructure without risking exfiltration. Compute providers can offer execution services without revealing workloads to cloud operators. End users can submit requests that remain opaque to all parties except the attested TEE processing them. Representative workloads include AI inference, securing AI model weights, and training or fine-tuning on sensitive data.