
Sandbox to confidential containers: A brief on the evolution of container isolation


Watch Akash Gautam's talk at ContainerDays Conference 2024

By default, containers run as ordinary processes sharing the host's kernel. This creates a security risk: if any one container is compromised and the attacker escapes to the shared kernel, every container on that host can be compromised. Container sandboxing mitigates this threat by running each container inside a lightweight VM with its own guest kernel, creating an isolation layer between containers as well as between containers & the host kernel.

However, this does not protect a workload when the host itself is compromised. That gap leads to confidential containers, where containers are isolated at the hardware level. This protects them from unauthorized access by the host, infrastructure providers & other entities with privileged access, preserving the confidentiality & integrity of data & code even while they are in use.

In this talk, I will discuss the evolution of container isolation from sandboxing to confidential containers, the use cases & concerns that confidential containers address & how they differ from sandboxing.

Speaker: Akash Gautam, consultant at Kubermatic
