All Products
Search

This Product

    Container Service for Kubernetes:Secure confidential container environments with remote attestation

    Document Center

    Container Service for Kubernetes:Secure confidential container environments with remote attestation

    Last Updated:Dec 26, 2025

    PeerPod remote attestation ensures that confidential containers run in an authentic and untampered confidential computing environment, such as Intel TDX. By automatically verifying the node's integrity before deployment and allowing applications to fetch environment attestations on demand at runtime, it provides an end-to-end security guarantee for sensitive workloads.

    How it works

    Confidential computing remote attestation creates a verifiable and hardware-protected runtime environment for PeerPod containers, protecting them from external attacks. This mechanism uses a remote attestation service (referred to as the Trustee) as its trust anchor to check the integrity of the environment at two critical stages of the pod lifecycle: at deployment and during runtime.

    Use case 1: Pre-launch environment verification

    This process is designed for cluster administrators to ensure that pods are only launched in authentic and trusted confidential environments. The entire workflow is automated and requires no manual intervention.

    1. Initiate deployment: An administrator creates a workload by submitting a pod manifest to the cluster's API server. The kubelet on the node then requests the creation of a pod sandbox from containerd via the Container Runtime Interface (CRI). containerd checks the pod's runtimeClassName and invokes the underlying Kata Remote runtime kata-runtime.

    2. Create confidential VM: Kata Remote responds to the request by calling the Alibaba Cloud OpenAPI to launch a lightweight and hardware-isolated ECS TDX confidential VM, which serves as the Kubernetes pod.

    3. Mandatory remote attestation: Before the image is pulled, the Attestation Agent inside the VM automatically generates evidence of the runtime environment, including hardware signatures, and send it to the Trustee service for verification.

    4. Validation and workload execution: Only after the Trustee confirms that the evidence is valid does the guest's control logic proceed with subsequent operations, including pulling the application image and starting the container.

    Use case 2: Runtime remote attestation

    This capability is for running containerized applications, allowing them to proactively prove the security of their own environment to external services, thereby building a chain of trust across systems.

    1. Application fetch evidence: The application inside the container requests a real-time remote attestation report by calling a local API operation at http://127.0.0.1:8006/aa/evidence.

    2. External service verification: The application sends this evidence to an external service (the consumer). The service consumer then forwards the evidence to its own trusted Trustee service for validation. A successful validation proves that the communicating party is running in a protected confidential environment, thus establishing trust dynamically.

    image

    Prerequisites

    1. The CAA solution is enabled in your cluster. For details, see Use CAA to deploy confidential containers on confidential VMs.

    2. Install the Trustee service in a trusted environment and record its IP address (this will be your Trustee service endpoint). You can use the following command to install Trustee.

      PeerPods in the cluster must be able to access this IP address to complete remote attestation. Ensure that the Trustee's network is routable from the CAA cluster's pod VPC.

      Run the following command to install the Trustee. This topic uses Alibaba Cloud Linux 3, and the example Trustee IP is 1.2.3.4.

      yum install trustee -y

    3. On the Trustee server, add a security group rule to allow inbound traffic on TCP port 8080. The source of this rule should be the egress IP address used by the CAA cluster pods to access the Trustee.

      • If the CAA cluster and Trustee are in the same VPC, allow traffic from the VPC's CIDR block.

      • If they communicate across VPCs or over the Internet, allow traffic from the public egress IP address of the cluster's NAT Gateway.

    Use case 1: Verify and deploy a container to a trusted environment

    This procedure performs remote attestation during the container deployment phase to ensure the workload only runs on verified and trusted nodes.

    1. Configure the Trustee

    On the Trustee server, configure policies to define which environment characteristics are considered trustworthy.

    1. Configure the container security launch policy.

      This policy file is treated as a confidential resource and is read during the TDX pod's startup process to trigger the remote attestation flow.

      # Create a directory to store policies
mkdir -p /opt/trustee/kbs/repository/default/container-policy

# Write a policy file that allows all images (for demo purposes only)
cat << EOF > /opt/trustee/kbs/repository/default/container-policy/insecure-accept-all
{
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {}
}
EOF

    2. Configure the remote attestation policy.

      This policy defines the specific standards for trusted hardware and software environments. For example, it can require the environment to run on the Intel TDX platform.

      # Modify the policy file /opt/trustee/attestation-service/policies/opa/default.rego
# Replace the content with the remote attestation policy for ECS TDX PeerPods
cat << EOF > /opt/trustee/attestation-service/policies/opa/default.rego
package policy

import rego.v1

default executables := 32
default hardware := 97
default configuration := 32
default file_system := 32

##### ECS TDX PeerPod
executables := 3 if {
	input.tdx
}

hardware := 2 if {
	# Verify that the evidence is of the Intel TDX type
	input.tdx.quote.header.tee_type == "81000000"
	# Verify the vendor ID
	input.tdx.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
}

configuration := 2 if {
	input.tdx
}

file_system := 2 if {
	input.tdx
}
EOF

    3. Restart the Trustee service to apply the policy.

      service as restart

    2. Deploy a pod with remote attestation enabled

    1. Prepare the initdata and deploy the pod.

      initdata is used to pass configuration information to the PeerPod, including the Trustee service address.

      # Replace with the actual Trustee IP address
TRUSTEE_SERVICE_ENDPOINT=1.2.3.4

# Generate the initdata.toml file
cat <<EOF > initdata.toml
version = "0.1.0"
algorithm = "sha256"
[data]
"aa.toml" = '''
[eventlog_config]
enable_eventlog = true
[token_configs]
[token_configs.kbs]
url = "http://${TRUSTEE_SERVICE_ENDPOINT}:8080"
'''
"cdh.toml" = '''
[kbc]
name = "cc_kbc"
url = "http://${TRUSTEE_SERVICE_ENDPOINT}:8080"
[image]
image_security_policy_uri = "kbs:///default/container-policy/insecure-accept-all"
'''
EOF

# Compress the initdata with gzip and encode it with Base64
initdata=$(cat initdata.toml | gzip | base64 -w0)
      Run echo $initdata to view the encoded content of initdata.

    2. Create the pod YAML file.

      Write the initdata string generated in the previous step to the annotations field of the pod's metadata.

      # Create a file named pod.yaml
cat << EOF > pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-caa-demo
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: ${initdata}
spec:
  runtimeClassName: kata-remote
  containers:
    - image: alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
      name: hello
      command: ["sh", "-c", "echo hello && sleep infinity"]
EOF

    3. Deploy the pod.

      kubectl apply -f pod.yaml

      After deployment, run kubectl get po pod-caa-demo to check the pod status.

    4. Verify the remote attestation status on the Trustee server.

      Check the logs of the remote attestation service to confirm that the environment validation was successful.

      journalctl -u as -f

      If you see the message Tdx Verifier/endorsement check passed in the logs, it indicates that the remote attestation was successful and the pod has started in a trusted environment.

    Use case 2: Fetch and verify environment trustworthiness at container runtime

    This use case shows the complete workflow for an application already running inside a PeerPod to dynamically obtain an attestation report of its execution environment and have it verified by an independent external service.

    This process involves three distinct execution environments:

    • Local terminal: The machine you use to interact with the cluster.

    • Inside the pod container: Where the confidential application runs and generates the attestation report. You can run kubectl exec -it pod-caa-demo -- sh to enter the container.

    • Verifier server: An independent and trusted server node where the Trustee service is deployed. This server is responsible for validating the evidence it receives. You can either reuse an existing Trustee or deploy a new one for this purpose.

    1. Get remote attestation evidence from within the container

    (Optional) Step 1: Add dynamic measurements

    Dynamic measurements allow an application to embed custom runtime information into the remote attestation report, which enhances auditing and compliance capabilities.

    While a standard remote attestation verifies the security of the "safe" itself, a dynamic measurement further proves that the "contents of the safe" are also in the expected state.

    From inside the pod container, send an HTTP POST request to the API at http://127.0.0.1:8006/aa/aael to dynamically record information. This information is saved to the Eventlog of the underlying TDX pod and bound to the final attestation report to prevent tampering.

    • Request body:

      The domain, operation, and content field are all customizable and printable strings. They cannot contain spaces.
      {
  "domain": "<DOMAIN>",
  "operation": "<OPERATION>",
  "content": "<CONTENT>"
}

    • Example: Record a configuration loading event

      # Run this command inside the container
curl -X POST http://127.0.0.1:8006/aa/aael \
     -H "Content-Type: application/json" \
     -d '{"domain":"test","operation":"test","content":"test"}'

    Step 2: Get remote attestation evidence

    From inside the pod container, send an HTTP GET request to retrieve the remote attestation evidence of the current Trusted Execution Environment (TEE) for verification by an external party.

    Send a GET request to http://127.0.0.1:8006/aa/evidence.

    The runtime_data parameter should contain a Base64-encoded challenge value (Nonce) provided by the verifier to protect against replay attacks.
    curl 127.0.0.1:8006/aa/evidence?runtime_data=AAAA

    The command will output a long JSON string, which is the remote attestation evidence for the current TEE. Copy this entire string (from the opening { to the closing }) and save it to a temporary file for the next steps.

    2. Prepare the verification environment

    The verification process relies on an independent and trusted Trustee instance.

    1. (Optional) Run yum install trustee -y to install the Trustee on your verifier server.

    2. Configure the client-side validation policy.

      On the verifier node, create a new policy file /opt/trustee/attestation-service/policies/opa/client.rego in the Trustee service.

      # Create the client.rego file with the following content
cat <<EOF > /opt/trustee/attestation-service/policies/opa/client.rego

# Policy to verify the evidence obtained from the confidential container (TEE)
package policy
import rego.v1

# --- Default scores ---
default executables := 32
default hardware := 97
default configuration := 32
default file_system := 32

# --- Validation rules for Alibaba Cloud ECS TDX PeerPods ---
# For example: score of 2 = "trustworthy", 3 = "affirming"
# If the input evidence contains a "tdx" field, the software stack is considered "affirming"
executables := 3 if {
    input.tdx
}

# Hardware scoring rule: If both of the following conditions are met, the hardware environment is rated as "trustworthy" (score of 2).
hardware := 2 if {
    # Check the TEE type field. It must be the Intel TDX identifier "81000000"
    input.tdx.quote.header.tee_type == "81000000"

    # Check the vendor ID field. It must be the official Intel UUID
    input.tdx.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
}

# If the input is TDX evidence, its configuration is considered "trustworthy".
configuration := 2 if {
    input.tdx
}

# If the input is TDX evidence, its file system is considered "trustworthy".
file_system := 2 if {
    input.tdx
}
EOF

    3. Restart the Trustee to apply the client.rego policy.

      service as-restful restart

    3. Prepare and send the verification request

    Submit the evidence obtained from the container to the verification service.

    1. (Recommended) Securely store the original evidence.

      To avoid errors from special characters, we recommend that you save the evidence to a file.

      # Create a temporary file named evidence.json
cat > evidence.json

      After running the command, paste the complete JSON string. Then, save the file and exit edit mode.

    2. Read the evidence from the file and prepare the request.

      # Read the content from the file into a variable
EVIDENCE=$(cat evidence.json)

# Base64-encode the evidence and make it URL-safe
BASE64EVIDENCE=$(echo ${EVIDENCE} | base64 -w 0 2>/dev/null | tr '+/' '-_' | tr -d '=' )

# Create a request body file that contains the encoded evidence
cat << EOF > request.json
{
    "verification_requests": [
        {
            "tee": "tdx",
            "evidence": "${BASE64EVIDENCE}"
        }
    ],
    "policy_ids": ["client"]
}
EOF

    3. Send the verification request.
      Send a POST request to the /attestation endpoint of your local verification service on the default port 50005.

      curl -k -X POST http://127.0.0.1:50005/attestation \     -i \     -H 'Content-Type: application/json' \     -d @request.json

      The response body will contain a token field, which is a JWT string. This is your verification token. Copy the token.

    4. Parse and evaluate the verification result

    Parse the JWT token to retrieve the trustworthiness scores for each sub-state of the current environment.

    1. Store the verification token.

      # Replace '<...>' with the actual JWT string you obtained (without the quotes)
TOKEN='<Paste the JWT token here>'

    2. Parse the token and view the scores.

      echo $TOKEN | cut -d'.' -f2 | base64 -d |  jq '.submods.cpu0."ear.trustworthiness-vector"'

      Expected output:

      base64: invalid input
{
  "configuration": 2,
  "executables": 3,
  "file-system": 2,
  "hardware": 2
}

      • The base64: invalid input message can be safely ignored.

      • The JSON content shows the verification result. The scores match the values defined in your policy file, confirming that the container is running in a compliant and trusted TDX environment. The verification is successful.

    Apply in production

    • Refine attestation policies: The examples use a loose policy. In a production environment, you must create precise Rego policies that match your specific hardware platform and software stack. These policies should be managed in a version control system for auditing and change tracking.

    • Manage credentials and keys: The initdata.toml file can contain sensitive configuration. Strictly control its generation, distribution, and storage to prevent information leakage.