Sandbox to confidential containers: A brief on the evolution of container isolation - Akash Gautam
Author: Kubermatic
Uploaded: 2024-10-14
Views: 108
By default, containers run as processes sharing the host's kernel. This creates a potential security threat: if any one container on a host is compromised, all the containers on that host may be compromised. Container sandboxing mitigates this threat by running each container inside a lightweight VM, thus creating an isolation layer between containers as well as between containers & the host kernel.
However, this doesn't guarantee protection when the host itself is compromised, which leads us to confidential containers, where containers are isolated at the hardware level. This protects them from unauthorized access by the host, infra providers & other entities with privileged access, ensuring the integrity of data & code even while they are in use.
In this talk, I will discuss the evolution of container isolation from sandboxing to confidential containers, the use cases & concerns that confidential containers address & how they differ from sandboxing.
About the speaker:
Akash Gautam is a consultant at Kubermatic, focusing on helping customers get the best out of cloud-native adoption. He is also an open-source enthusiast and has contributed to various CNCF projects including Helm and Cluster API provider for AWS (CAPA).