Skip to content

confidential-containers/trustee

Trusted Components for Attestation and Secret Management

FOSSA Status

This repository contains tools and components for attesting confidential guests and providing secrets to them. Collectively, these components are known as Trustee. Trustee typically operates on behalf of the guest owner and interact remotely with guest components.

Trustee was developed for the Confidential Containers project, but can be used with a wide variety of applications and hardware platforms.

Components

For further information, see documentation of individual components.

Architecture

Trustee is flexible and can be deployed in several different configurations. This figure shows one common way to deploy these components in conjunction with certain guest components.

flowchart LR
    AA -- attests guest ----> KBS
    CDH -- requests resource --> KBS
    subgraph Guest
        CDH <.-> AA
    end
    subgraph Trustee
        AS -- verifies evidence --> KBS
        RVPS -- provides reference values--> AS
    end
    client-tool -- configures --> KBS
Loading

Deployment

There are two main ways to deploy Trustee.

Docker Compose

One simple way to get started with Trustee is with Docker compose, which can be used to quickly setup a cluster matching the diagram above.

Please refer to the cluster setup guide.

This cluster could be run inside a VM or as part of a managed service.

Kubernetes

There are two supported ways of deploying Trustee on Kubernetes. One is via the KBS Operator, which deploys the KBS components. The second option is to use the KBS' provided Kubernetes tooling here.

License

FOSSA Status