How Inclavare Containers Bring Confidential Computing to Kubernetes

As container‑based cloud‑native technologies gain adoption, data security becomes a critical barrier for many users, especially for protecting data in use.

Confidential Computing Overview

Confidential computing uses hardware Trusted Execution Environments (TEEs) to guarantee confidentiality, integrity, and security of data and code during execution. However, its complexity and high entry barrier hinder widespread adoption.

Alibaba open‑sourced Inclavare Containers to combine confidential computing with Kubernetes, allowing applications to run inside TEEs with minimal code changes while preserving the familiar container experience.

Inclavare Containers – Goals and Value

Inclavare Containers aims to lower the usage threshold of confidential computing, providing a container runtime that integrates Intel SGX‑based TEEs into the Kubernetes ecosystem. It supports multiple hardware security technologies, offers various Enclave forms, and balances security with cost.

Architecture

The stack includes several components:

kubelet : Node agent that communicates with the API server and manages Pods.

containerd : Standard container runtime handling image transfer, storage, execution, networking, etc.

shim‑rune : Manages container lifecycle and converts ordinary images into TEE images.

rune : CLI tool built on runc that can run both regular and Enclave containers.

SGX LibOS : Library OS (e.g., Occlum, Graphene‑SGX) enabling applications to run on Intel SGX with minimal changes.

Language Runtime : Provides runtime support for languages such as Go and Java.

PAL‑API : Interface between rune and LibOS (e.g., pal_init, pal_create_process).

liberpal.so : Linux dynamic library implementing PAL‑API.

Inclavare Containers Workflow

kubelet sends a CRI request to containerd to create a Pod.

containerd forwards the request to shim‑rune.

shim‑rune creates either a regular runc container or a rune container. For rune containers, it uses a LibOS to transform the image into a TEE image, creates an Enclave, and runs the application inside it.

rune loads liberpal.so for communication with the LibOS.

rune loads the Intel SGX driver inside the container, starts the init‑runelet process, which creates the Enclave containing the LibOS, language runtime, and the application.

shim‑rune Details

shim‑rune consists of a Core and a Carrier. It manages container lifecycle and uses a LibOS to convert ordinary images into TEE images.

Generate an unsigned Enclave shared library from the container image using a LibOS.

Extract signing material from the shared library.

Request a signature from a signing service, receiving a digest file and public key.

Produce a signed shared library.

rune loads the signed library, creates and starts the Enclave.

Client‑Side vs Server‑Side Signing

Two signing modes are supported:

Client‑side signing : Users obtain an Intel SGX commercial signing key and sign the Enclave locally; the signature is applied by the Docker runtime.

Server‑side signing : The service provider signs the Enclave; users do not need to obtain a key, and the signed Enclave can be run directly in Kubernetes via containerd.

Server‑side signing reduces the developer’s burden, eliminates the need for Intel key requests, and enables Kubernetes‑native deployment.

Note: Each LibOS has specific image requirements (e.g., Occlum only supports musl libc, not glibc).

ACK‑TEE Overview

ACK‑TEE is Alibaba Cloud’s cloud‑native confidential computing platform built on Intel SGX. It provides a managed Kubernetes cluster with SGX support, abstracts EPC memory management, and aims to simplify development, delivery, and management of trusted applications.

Key features include:

Hardware‑based TEE for strong security of algorithms, data, and code.

Lowering the entry barrier for confidential computing.

Standardized, open, cloud‑native design.

ACK‑TEE 1.0 launched in early 2020, targeting native SGX users. ACK‑TEE 2.0 (planned for late 2020) will extend support to users without SGX expertise by converting ordinary images into TEE images and providing secure services such as KMS‑Enclave‑Plugin.

Q&A

Q1: Why is an Intel key required?

A1: Intel guarantees that code runs inside a hardware Enclave, but signing with an Intel key ensures that only authorized entities can create Enclaves.

Q2: Is Inclavare Containers a full replacement for Docker?

A2: Inclavare Containers is a software stack that includes the rune runtime (based on runc). It can replace Docker for running Enclave containers, but its primary value lies in protecting code and data.

Q3: What is the performance impact?

A3: Intel SGX1 provides only 128 MiB of EPC memory, so performance will be lower than native containers.

Q4: Should it be used only for in‑use encryption?

A4: Yes, protecting in‑use code and data is the main value of confidential computing.

Q5: Are there samples for ACK‑TEE?

A5: Managed “encrypted computing” samples exist for ACK‑TEE 1.0. ACK‑TEE 2.0 is planned for later this year and will incorporate Inclavare Containers capabilities.