Feature
Resolution: Unresolved
Major
Product / Portfolio Work
Feature Overview (aka. Goal Summary)
Deploy OpenShift clusters with all nodes running in hardware-based Trusted Execution Environments using Confidential Computing. Each node supports remote attestation, allowing verification of its confidential state before it joins the cluster.
Goals (aka. expected user outcomes)
With this feature, security-conscious platform administrators can:
- Deploy OpenShift clusters where every node runs in a Confidential Computing TEE, ensuring all compute resources operate in a protected, isolated state.
- Perform remote attestation of each node, verifying its confidential state and integrity before it joins or operates in the cluster.
This extends existing OpenShift node lifecycle and security features to support confidential hardware and attestation workflows at scale.
Requirements (aka. Acceptance Criteria):
For this first phase, we will demonstrate how to enable a Confidential Node in an existing OpenShift cluster, using remote attestation with a custom RHCOS image and the Red Hat Build of Trustee. This will be published as a blog post showcasing the step-by-step process. In the next phase, we plan to automate this process as part of the cluster installation.
Out of Scope
In this phase, we are not providing a GA-ready solution for this use case.