The Red Hat Ecosystem Catalog is the official source for discovering and learning more about the Red Hat Ecosystem of both Red Hat and certified third-party products and services.
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
The Anjuna Seaglass Operator for OpenShift allows running any Pod in OpenShift in a Confidential Pod leveraging the full power of the Confidential Computing technology.
Anjuna Seaglass™ is the Universal Confidential Computing Platform to run applications in any cloud, and on-premises, with complete data security and privacy. It isolates workloads in a hardware-backed environment that creates a zero-trust model for code and data.
The Anjuna Seaglass platform allows users to leverage the power of Confidential Computing:
Running a Confidential Pod with Anjuna Seaglass protects the Pod’s memory with hardware-enforced encryption and integrity protection, and enables you to authenticate and trust the workload using Remote Attestation.
When protecting sensitive data managed by a Pod in OpenShift, one can protect the data at rest by encrypting the data written to the persistent storage, and protecting the data in transit when sending data over the network.
However, when the data is used in the Pod’s memory, it cannot be both encrypted and used at the same time.
This means that if a malicious insider (either human or software) had access to the OpenShift Node, they could dump the Pod's memory and access all of its sensitive data. This includes accessing the secrets used to encrypt the data at rest and in transit.
Running the Pod in a Confidential Pod with the Anjuna Seaglass platform solves this problem. Anjuna Seaglass runs the Pod inside a Trusted Execution Environment, where the Pod memory is encrypted by the hardware so that no privileged human or software on the Pod can access this memory in the clear.
When running a Pod in OpenShift, the Pod may need to create trust with other Pods or with software running outside of the OpenShift cluster.
The standard way to create this trust is to identify with a token or credentials that could be easily read and stolen from the Pod disk or by providing a machine identity, a process name, or an IP that could be spoofed or reused.
Confidential Computing technology provides a mechanism called Remote Attestation, which provides an identity to the software via the Hardware—the Software Measurement.
When running a Pod as a Confidential Pod with the Anjuna Seaglass platform, a user can leverage the Remote Attestation to perform trusted authentication with the Confidential Pod, in a way that cannot be spoofed.
The Anjuna Policy Manager allows you to protect the first secret of a Confidential Pod and remove any secret from the Pod image or Kubernetes control plane that could be read by malicious insiders.
Red Hat certified products are tested to meet Red Hat’s criteria and supported as defined in the Red Hat Collaborative Support Process.
Partner validated products are tested by Red Hat Partners and supported as defined in the Red Hat Third Party Component Policy.
Red Hat OpenShift 4.14, 4.16, 4.17
To run a Pod as a Confidential Pod with the Anjuna Seaglass Operator for OpenShift, you first need to deploy the Anjuna Seaglass Operator for OpenShift into your OpenShift cluster. This is a one-time activity per OpenShift cluster.
You can then build the Confidential Pod image for each Pod you want to run as a Confidential Pod and launch it in the OpenShift cluster.
More details can be found in the Anjuna documentation here.
The Anjuna Seaglass Operator for OpenShift is currently supported for AMD SEV on GCP.
The Anjuna roadmap includes adding support for the Anjuna Seaglass Operator for OpenShift on the following:
If you are interested in a platform or CSP that is not yet supported, please contact sales@anjuna.io