Confidential Containers for vSphere Pods on AMD

March 19, 2021

With the release of vSphere 7 Update 2, a new capability is available to further secure Kubernetes and the applications running under vSphere with Tanzu. This capability uses AMD's SEV-ES functionality in second-generation and the recently announced third-generation AMD EPYC CPUs to create what we've called "Confidential Containers."

AMD SEV-ES support was announced as part of vSphere 7 Update 1 in October 2020, and it provides hardware-based data-in-use protection for workloads running inside vSphere. For more information about SEV-ES, watch the introduction video on the vSphere YouTube channel.

With a simple annotation in a Kubernetes YAML file, you can now run a vSphere Pod that uses AMD SEV-ES to encrypt its memory and CPU register contents. SEV-ES ensures that the memory used by each Pod is encrypted with a key unique to that Pod, so it cannot be read by the hypervisor or by any other process or method. This enhances the security of vSphere Pods and the containers they run by helping to prevent CPU register and memory contents from leaking guest information into the hypervisor.

The image below shows how this works:

[Diagram: Confidential Containers for vSphere Pods on AMD]

A link to the full documentation on how to configure and use this capability is under "Deploy a Confidential Container." Pay attention to the prerequisites! You will need a second- or third-generation AMD EPYC based system (code name "Rome" or "Milan"), and you will also need to apply BIOS settings that prepare the hardware for the number of vSphere Pods and VMs on which you plan to enable AMD SEV-ES.

If you’d like to see how this works in a demo, check out this video:

This feature is one more way in which vSphere continues to address the security needs of our customers. Incorporating it into vSphere with Tanzu means customers using Kubernetes to run modern workloads can easily extend their applications to take advantage of these new and advanced security capabilities on their AMD EPYC-based servers.


Mike Foley


Mike Foley is a Staff Technical Marketing Architect in the vSphere Group at VMware. His current focus is on enabling vSphere administrators to navigate the world of vSphere with Tanzu. He is the author of numerous whitepapers on vSphere, hypervisor security, and virtual machine encryption. Mike was awarded a patent (8,601,544) in December 2013 for "Dual-band authentication using the virtual infrastructure" and has two additional patents pending.