Skip to content

enclaive/portainerCC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3,592 Commits

.github

.github

 
 

.storybook

.storybook

 
 

.vscode.example

.vscode.example

 
 

api

api

 
 

app

app

 
 

build

build

 
 

coordinator

coordinator

 
 

distribution

distribution

 
 

pcc-agent

pcc-agent

 
 

plop-templates

plop-templates

 
 

translations/en

translations/en

 
 

webpack

webpack

 
 

.codeclimate.yml

.codeclimate.yml

 
 

.dockerignore

.dockerignore

 
 

.env.defaults

.env.defaults

 
 

.eslintignore

.eslintignore

 
 

.eslintrc.yml

.eslintrc.yml

 
 

.git-blame-ignore-revs

.git-blame-ignore-revs

 
 

.gitignore

.gitignore

 
 

.godir

.godir

 
 

.prettierignore

.prettierignore

 
 

.prettierrc

.prettierrc

 
 

ATTRIBUTIONS.md

ATTRIBUTIONS.md

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile.graminehello

Dockerfile.graminehello

 
 

Dockerfile.lable

Dockerfile.lable

 
 

Dockerfile.portainercc

Dockerfile.portainercc

 
 

Dockerfile.test

Dockerfile.test

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

babel.config.js

babel.config.js

 
 

build.sh

build.sh

 
 

confidential-templates.json

confidential-templates.json

 
 

configmaps_and_secrets.go

configmaps_and_secrets.go

 
 

docker-compose.pull-dog.yml

docker-compose.pull-dog.yml

 
 

example_pf.key

example_pf.key

 
 

extensions.json

extensions.json

 
 

go.work

go.work

 
 

go.work.sum

go.work.sum

 
 

gruntfile.js

gruntfile.js

 
 

ingresses.go

ingresses.go

 
 

jest.config.js

jest.config.js

 
 

jsconfig.json

jsconfig.json

 
 

lint-staged.config.js

lint-staged.config.js

 
 

namespaces.go

namespaces.go

 
 

package.json

package.json

 
 

pcc_logo_only.png

pcc_logo_only.png

 
 

plopfile.js

plopfile.js

 
 

postcss.config.js

postcss.config.js

 
 

pull-dog.json

pull-dog.json

 
 

services.go

services.go

 
 

tailwind.config.js

tailwind.config.js

 
 

tool-versions.json

tool-versions.json

 
 

tsconfig.json

tsconfig.json

 
 

webpack.config.js

webpack.config.js

 
 

wip-screens.gif

wip-screens.gif

 
 

yarn-error.log

yarn-error.log

 
 

yarn.lock

yarn.lock

 
 

Repository files navigation

Portainer.cc - Building and Deploying Runtime Encrypted Workloads leveraging Confidential Compute

Table of Contents

About The Project

In view of the ever increasing shift of applications to the cloud, new mechanisms need to be developed to protect the workload. In contrast to on-prem, physical resources are no more isolated in the cloud. Rather virtual machines, kubernetes clusters and serverless functions, share physical resources. Moreover, the resources are maintained by a third party known as the cloud provider who has root access to the resources. For decades it is well known that the application isolation provided by hypervisors and operating systems is weak. A vast amount of exploits have been demonstrated how to escapte the present security and trust model.

Confidential Computing, for short CC, is a new, promising technology addressing the problem. CC makes it for the very first time practically possible to encrypt data during runtime in such a way that only the CPU has access to it. This makes it possible to protect application code and data in the light of vertical and horizontal exploits.

Portainer.cc is a project extending the promiment community tool Portainer.io with confidential computing capabilities. to make it easy to run application-containers confidentially in the cloud. PortainerCC builds upon Gramine OS and Marblerun to run and remotely attest containerized Gramine-applications.

Features (v.0.1.0-beta)

Portainer.cc offers these features:

  • Build and deploy any application in an Intel SGX enclave supporting Gramine libOS Gramine
  • Key managmement for container authentication and file/volume encryption
  • Authenticated container provisioning of secrets, environment variables, files and keys supporting Marblerun
  • Example template to build, deploy and securely provision MariaDB

Getting Started

Prerequisites

For Portainer.cc to work, you need to make sure that all environments you want to use are Intel SGX compatible and can use Intel SGX Datacenter Attestation Primitives for Remote Attestation and meet these requirements:

Install Portainer.cc

To install Portainer.cc, run the following command:

docker run -d -p 8000:8000 -p 9000:9000 -p 9443:9443 \
-v /var/run/docker.sock:/var/run/docker.sock:z \
-v /var/run/docker.sock:/var/run/alternative.sock:z \
-v /tmp:/tmp \
-v pccdata:/data \
--name portainerCC \
marcely0/pcc

The Portainer.cc Image comes with some predefined confidential templates. You can mount your own templates with the following parameter when you start your Container:

-v ./temps.json:/confidential-templates.json

How-Tos

You can check out some of the How-Tos:

Step by Step guide to set up PortainerCC with an PortainerCC Agent

Create a confidential Application for Portainer.cc

Remote Attestation and Secret Provisioning

Deprecated - Step by Step guide to run MariaDB in PortainerCC

Licence

Distributed under the zlib licence. See LICENCE for reference.

About

Making confidential compute docker, docker swarm and kubernetes management simple

Topics

docker kubernetes docker-compose docker-container portainer docker-ui kubernetes-ui intel-sgx dockerswarm confidential-computing amd-sev-snp intel-tdx

Resources

Readme

License

Zlib license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

8 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

115 tags

Packages

No packages published

Contributors 217

+ 203 contributors

Languages