Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 2. New features and enhancements
This section describes new features and enhancements introduced in OpenShift sandboxed containers 1.12.
- Confidential containers on bare metal
In this update, OpenShift sandboxed containers on bare-metal servers now support encrypted persistent volumes, providing a secure, durable storage solution for sensitive workloads. This enhancement addresses the demand for data persistence within sandboxed environments while ensuring that data remains encrypted at rest.
Key enhancements in this release include:
- Encrypted block volumes: You can now encrypt, decrypt and mount block volumes directly within the confidential container using raw block volumes. This ensures that encryption and decryption happen inside the Trusted Execution Environment (TEE) rather than at the worker node level, maintaining data confidentiality throughout the storage lifecycle.
- Red Hat build of Trustee 1.1.0 is now generally available and is the recommended version for use with OpenShift sandboxed containers 1.12.
Simplified Trustee configuration: Deployment of Red Hat build of Trustee is significantly simplified through the new
TrusteeConfigcustom resource. Key features include:-
Automated resource generation: Automatically generates required secrets, config maps, and the
KbsConfigresource. - Profile-based configuration: Offers a Permissive profile for quick-start development and a Restricted profile for production-grade security.
-
Service exposure options: Support for
ClusterIP,NodePort, andLoadBalancerby using thekbsServiceTypefield. - Platform-specific extensions: Native support for IBM Secure Execution, Intel TDX, and disconnected (air-gapped) environments.
-
Automated resource generation: Automatically generates required secrets, config maps, and the
Pre-built
initramfs: Initial RAM File System (initramfs) images are now pre-built and provide known Measurement Hashes. Hardware evaluatesinitramfscontents before booting the confidential virtual machine, makinginitramfsa critical link in the chain of trust. Pre-built images eliminate the need for runtime builds that could be compromised.These improvements aim at simplifying the deployment and management of storage and security resources so that end users can manage their confidential container workloads on bare metal more effectively.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}