Overview
========

NVIDIA GPUs power the training and deployment of Frontier Models: world-class Large Language Models (LLMs) that define the state of the art in AI reasoning and capability.

As organizations adopt these models in regulated industries such as financial services, healthcare, and the public sector, protecting model intellectual property and sensitive user data becomes essential. Additionally, the model deployment landscape is evolving to include public clouds, enterprise on-premises deployments, and the edge. A zero-trust posture on cloud-native platforms such as Kubernetes is essential to protect assets (model IP and enterprise private data) from untrusted infrastructure and privileged user access.

Securing data at rest and in transit is standard practice. Protecting data in use remains a critical gap. Confidential Computing (CC) addresses this gap by providing isolation, encryption, and integrity verification of proprietary application code and sensitive data during processing. CC uses hardware-based Trusted Execution Environments (TEEs), such as AMD SEV-SNP and Intel TDX, together with NVIDIA Confidential Computing capabilities, to create trusted enclaves.
Use Cases
---------

The target for Confidential Containers is to enable model providers (closed and open source) and enterprises to leverage the advancements of generative AI, agnostic to the deployment model (cloud, enterprise, or edge). Some of the key use cases that CC and Confidential Containers enable are:
* **Zero-Trust AI & IP Protection:** You can deploy proprietary models (such as LLMs) on third-party or private infrastructure. The model weights remain encrypted and are decrypted only inside the hardware-protected enclave, protecting model IP from the host.
* **Data Clean Rooms:** You can process sensitive enterprise data (such as financial analytics or healthcare records) securely. Neither the infrastructure provider nor the model builder can see the raw data.

.. image:: graphics/CoCo-Sample-Workflow.png
Software Components for Confidential Containers
-----------------------------------------------

The following is a brief overview of the software components for Confidential Containers.

**Kata Containers**

Acts as the secure isolation layer by running standard Kubernetes Pods inside lightweight, hardware-isolated Utility VMs (UVMs) rather than sharing the untrusted host kernel. Kata Containers is integrated with the Kubernetes `Agent Sandbox <https://github.com/kubernetes-sigs/agent-sandbox>`_ project to deliver sandboxing capabilities.
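As a concrete illustration, scheduling a Pod into a Kata UVM is typically a matter of selecting a Kata runtime class in the Pod spec. This is a minimal sketch only: the runtime class name, image, and resource name shown below are illustrative assumptions, and the actual values depend on how NVIDIA Kata Manager configures the cluster.

.. code-block:: yaml

   apiVersion: v1
   kind: Pod
   metadata:
     name: confidential-inference
   spec:
     # Illustrative runtime class name; use the Kata runtime class
     # that NVIDIA Kata Manager installs on your cluster.
     runtimeClassName: kata-qemu-snp
     containers:
     - name: inference
       # Hypothetical image for illustration only.
       image: registry.example.com/llm-inference:latest
       resources:
         limits:
           nvidia.com/gpu: 1

Selecting the runtime class is what routes the Pod to the Kata runtime instead of the default host-shared container runtime; the rest of the Pod spec stays standard Kubernetes.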
Software Stack and Component Versions
-------------------------------------

The following is the component stack that supports the open Reference Architecture (RA), along with the proposed versions of the software components.

.. flat-table::
   :header-rows: 1

   * - Category
     - Components
     - Version
   * - NVIDIA GPU Operator
     - | - NVIDIA Confidential Computing Manager for Kubernetes
       | - NVIDIA Kata Manager for Kubernetes
     - v25.10.0 and higher
   * - CoCo release (EA)
     - | - Kata 3.25 (w/ kata-deploy helm)
       | - Trustee/Guest components 0.17.0
       | - KBS protocol 0.4.0
     - v0.18.0
Cluster Topology Considerations
-------------------------------

Refer to the *Confidential Computing Deployment Guide* in the Confidential Computing documentation.

The following topics in the deployment guide apply to a cloud-native environment:
* Hardware selection and initial hardware configuration, such as BIOS settings.
* Host operating system selection, initial configuration, and validation.

When following the cloud-native sections in the deployment guide, use Ubuntu 25.10 as the host OS with its default kernel version and configuration.

The remaining configuration topics in the deployment guide do not apply to a cloud-native environment. NVIDIA GPU Operator performs the actions that are described in these topics.
Limitations and Restrictions for CoCo EA
----------------------------------------

* Only the AMD platform using SEV-SNP is supported for Confidential Containers Early Access.
* GPUs are available to containers as a single GPU in passthrough mode only. Multi-GPU passthrough and vGPU are not supported.
* Support is limited to initial installation and configuration only. Upgrading and reconfiguring existing clusters for confidential computing is not supported.
* Support for confidential computing environments is limited to the implementation described on this page.
* NVIDIA supports the GPU Operator and confidential computing with the containerd runtime only.
* NFD doesn't automatically label all Confidential Container capable nodes. In some cases, you must manually label nodes to deploy the NVIDIA Confidential Computing Manager for Kubernetes operand onto them, as described in the deployment guide.
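A manual labeling step of this kind can be sketched as follows. The label key and value shown are placeholders for illustration only; the deployment guide defines the exact label that the NVIDIA Confidential Computing Manager for Kubernetes operand is scheduled against.

.. code-block:: console

   # Inspect node labels to identify CC-capable nodes.
   $ kubectl get nodes --show-labels

   # Hypothetical label key/value; substitute the label documented
   # in the deployment guide for your GPU Operator version.
   $ kubectl label node <node-name> nvidia.com/cc.capable=true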