
Microsoft Adopts OpenInfra Kata Containers Security on Azure

Microsoft's customers want more security on Azure, so Microsoft turned to Kata containers to deliver it to them.
Jun 29th, 2023 10:14am by

Everyone wants more security for their cloud processes and data. At the recent OpenInfra Summit, Microsoft announced that it is closer to delivering exactly that to its Azure customers. The means? Confidential containers on Azure Kubernetes Service (AKS), built on the open source Kata Containers runtime. This development aims to strengthen cloud security and offer enhanced protection for sensitive data and applications.

Kata Containers is a secure container runtime that runs each workload in a lightweight VM. These feel and act like containers but come with a VM's stronger workload isolation. The runtime relies on AMD SVM and Intel VT-x CPU-based virtualization technology for this extra level of protection.

Azure’s Implementation

In Azure’s implementation, Azure leverages AMD’s SEV-SNP hardware-backed Trusted Execution Environments (TEEs) to provide confidential Kata Containers. These offer integrity for code and data in use, protect data in memory from Azure operators, and enable remote cryptographic verification through attestation. At the same time, existing unmodified applications can continue to run seamlessly on these containers.

To achieve this level of isolation, comparable to application enclaves, and to strengthen protection from VM administrators, these containers run in dedicated “child virtual machines (VMs)”, one per pod. Each container possesses its own memory encryption key under AMD SEV-SNP protections, and its lifecycle is tied to the lifecycle of the confidential Kubernetes pod.

By running Kubernetes pods with this level of isolation, using nested virtualization, customers benefit from application isolation from the parent VM and the tenant OS admin, while still enjoying the ability to run any Linux Open Container Initiative (OCI)-compliant container natively.
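Because the per-pod child VM is requested through a Kubernetes RuntimeClass, a defender can audit which sensitive pods actually asked for it. The following is an added example, not Microsoft's or the Kata project's code; the handler names `kata-cc-isolation` and `kata-mshv-vm-isolation` are assumptions about the AKS preview and should be confirmed with `kubectl get runtimeclass` in your own cluster.

```python
"""Audit pod specs for Kata / confidential-container isolation on AKS.

Added example, not Microsoft's or the Kata project's code. The handler
names below are assumed; check `kubectl get runtimeclass` in your cluster.
"""
import json

# Assumed RuntimeClass handlers: confidential (SEV-SNP child VM) vs plain Kata sandbox.
CONFIDENTIAL_HANDLERS = frozenset({"kata-cc-isolation"})
SANDBOX_HANDLERS = frozenset({"kata-mshv-vm-isolation"})


def pod_manifest(name: str, image: str, handler: str = "kata-cc-isolation") -> dict:
    """Minimal pod spec that requests a dedicated Kata child VM via RuntimeClass."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": {"data-sensitivity": "high"}},
        "spec": {
            "runtimeClassName": handler,  # this field moves the pod into its own VM
            "containers": [{"name": "app", "image": image}],
        },
    }


def unisolated_pods(pod_list: dict, required: frozenset = CONFIDENTIAL_HANDLERS) -> list:
    """Given `kubectl get pods -o json` output, return (name, handler) for pods
    labelled data-sensitivity=high that do not run under a required RuntimeClass."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("labels", {}).get("data-sensitivity") != "high":
            continue
        handler = pod.get("spec", {}).get("runtimeClassName")  # None => default runc
        if handler not in required:
            findings.append((meta.get("name"), handler))
    return findings


# Constructed sample of what the API server would return for three pods.
SAMPLE = {"items": [
    pod_manifest("ledger", "registry.example/ledger:1.0"),
    pod_manifest("claims", "registry.example/claims:2.3", handler="kata-mshv-vm-isolation"),
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "web", "labels": {"data-sensitivity": "high"}},
     "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
]}

if __name__ == "__main__":
    print(json.dumps(unisolated_pods(SAMPLE)))
```

Passing `CONFIDENTIAL_HANDLERS | SANDBOX_HANDLERS` as `required` accepts plain Kata sandboxing as well, which is the right bar for untrusted-container isolation but not for data that must stay encrypted in memory.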

Kata and AKS

Michael Withrow, Microsoft’s AKS Product Manager, explained that not only had customers been demanding more security — that goes without saying these days — they’d specifically been asking for Kata. This OpenInfra Foundation technology has been getting a reputation for being easy to work with, easy to implement, and extremely secure.

In the field, this marriage of Kata and AKS can be used for workload isolation from a shared host, untrusted container isolation (aka sandboxing), and multi-tenancy on shared clusters. Practically speaking, Microsoft sees large markets for this in consumer, banking, healthcare, public-sector, and defense markets.

While this isn’t quite ready for production yet, it’s now in public preview. Microsoft hopes to have it available for customers’ commercial use within the next few months. I expect many users to flock to it once it opens up for business.
