Confidential Containers (CoCo) secures containerized workloads by treating the Kubernetes control plane as untrusted, relying on remote attestation to verify pod specifications. However, this model pushes complex infrastructure concerns onto application teams. Using Kyverno as a Policy as Code engine, platform teams can automate the injection of required CoCo configuration (runtimeClass, initdata, sealed secrets) and validate inputs at admission time. This separates duties between platform, security, and development teams while preserving the zero-trust model — Kyverno handles operational automation, while CoCo attestation remains the actual security enforcement point. The result is fewer deployment failures and a smoother developer experience for confidential workloads.
Table of contents

Understanding Confidential Containers (CoCo)
What a CoCo-enabled workload typically needs
Practical deployment challenges
The solution: Automating CoCo infrastructure with Kyverno
The trust paradox: Kyverno in an untrusted control plane
Deployment and attestation process
Conclusion
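The mutate-and-validate pattern described above, written as a Kyverno ClusterPolicy. This is an added example, not a policy from the article or the CoCo project; the opt-in label `confidential.example.com/enabled`, the runtime class names, the `coco-initdata` ConfigMap and the initdata annotation key are assumptions for an illustrative cluster.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: coco-workload-defaults
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    # Rule 1 (platform team): inject the CoCo runtime class and initdata into
    # Pods that opt in via a label. The "+()" anchor only adds a field when
    # the developer has not already set it, so explicit values are preserved.
    - name: inject-coco-runtime-class-and-initdata
      match:
        any:
          - resources:
              kinds: [Pod]
              selector:
                matchLabels:
                  confidential.example.com/enabled: "true"   # assumed label
      context:
        # Assumed ConfigMap holding the base64-encoded initdata blob
        - name: cocoInitdata
          configMap:
            name: coco-initdata
            namespace: kyverno
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # Assumed annotation key consumed by the CoCo runtime
              +(io.katacontainers.config.runtime.cc_init_data): "{{ cocoInitdata.data.initdata }}"
          spec:
            +(runtimeClassName): kata-qemu-coco-dev   # assumed class name
    # Rule 2 (security team): reject opted-in Pods whose runtime class is not
    # one of the approved confidential classes. Mutation runs before
    # validation in the admission chain, so injected values are checked too.
    - name: require-approved-coco-runtime-class
      match:
        any:
          - resources:
              kinds: [Pod]
              selector:
                matchLabels:
                  confidential.example.com/enabled: "true"
      validate:
        message: "Confidential Pods must use an approved CoCo runtime class."
        pattern:
          spec:
            runtimeClassName: "kata-qemu-coco-dev | kata-qemu-snp | kata-qemu-tdx"
```

Kyverno here only removes operational friction; whether the injected initdata and runtime class are genuinely in effect is still decided by remote attestation inside the pod, exactly as the text describes.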