{"id":40819734,"url":"https://github.com/cc-api/confidential-cluster","last_synced_at":"2026-01-21T21:46:49.407Z","repository":{"id":236030849,"uuid":"791737533","full_name":"cc-api/confidential-cluster","owner":"cc-api","description":"Trusted Kubernetes Cluster for Confidential Computing","archived":false,"fork":false,"pushed_at":"2024-07-23T01:19:45.000Z","size":159,"stargazers_count":1,"open_issues_count":1,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-07-30T17:51:58.376Z","etag":null,"topics":["confidential-computing","kubernetes","tdx"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cc-api.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-25T09:18:46.000Z","updated_at":"2024-07-23T01:19:49.000Z","dependencies_parsed_at":"2024-07-23T04:15:00.239Z","dependency_job_id":"fbce2cbc-071f-4a0e-a86c-7e7a0a23aa75","html_url":"https://github.com/cc-api/confidential-cluster","commit_stats":null,"previous_names":["cc-api/confidential-cluster"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cc-api/confidential-cluster","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cc-api%2Fconfidential-cluster","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cc-api%2Fconfidential-cluster/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cc-api%2Fconfidential-cluster/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cc-api%2Fconfidential-cluster/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cc-api","download_url":"https://codeload.github.com/cc-api/confidential-cluster/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cc-api%2Fconfidential-cluster/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28644149,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T21:29:11.980Z","status":"ssl_error","status_checked_at":"2026-01-21T21:24:31.872Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["confidential-computing","kubernetes","tdx"],"created_at":"2026-01-21T21:46:48.593Z","updated_at":"2026-01-21T21:46:49.400Z","avatar_url":"https://github.com/cc-api.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Trusted Cluster enhanced by CC API \u0026 CCNP\n\n## 1. Definitions\n\n**Confidential Cluster** is defined by:\n\n- [Redhat](https://www.redhat.com/en/blog/confidential-computing-use-cases): A confidential cluster (CCl) is a cluster of confidential virtual machines, which are considered to be part of a single trust domain\n- [Google](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes): Confidential GKE Nodes is built on top of Compute Engine Confidential VM, which encrypts the memory contents of VMs in-use. Confidential GKE Nodes can be enabled as a cluster-level security setting or a node pool-level security setting.\n- [Edgeless](https://www.edgeless.systems/products/constellation/): Leverages confidential computing to isolate entire Kubernetes clusters from the infrastructure.\n\n**Trusted Cluster** is End-to-End measurement for Confidential Cluster:\n\n![](/docs/trusted_kubernetes_cluster.png)\n\nIn above diagram:\n\n- **CCNP** is used to calculate the measurement for node, namespace,\nPOD and cluster level.\n- **CC Trusted API** provides unified API to tenant to access measurement, event log\nand quote (report).\n\n## 2. Confidential Cluster\n\n### 2.1 Existing CSPs\n\n|          | Google GKE    | Azure AKS |\n| -------- | ------------- | --------- |\n| Resource | [N2D(AMD EPYC)](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines)/[C3(Intel Sapphire Rapids)](https://cloud.google.com/compute/docs/general-purpose-machines#c3_series) | DCasv5/ECasv5(AMD), [DCesv5/ECesv5(Intel)](https://learn.microsoft.com/en-us/azure/virtual-machines/ecesv5-ecedsv5-series) |\n| OS       | [CentOS/ContainerOS/Debian/Fedora/RHEL/...](https://cloud.google.com/compute/docs/images/os-details#limited_operating_system_support) | Ubuntu Server 22.04 LTS/SUSE Linux Enterprise Server/Red Hat Enterprise Linux |\n| CPU Accelerator | [AMX](https://cloud.google.com/compute/docs/cpu-platforms#intel-amx) | AMX |\n| Full Disk Encryption | [Yes](https://cloud.google.com/compute/docs/disks/customer-managed-encryption) | [Yes](https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview) |\n| Key | customer-managed encryption keys (CMEK) | PMK (platform-managed key) and CMK (customer-managed key) |\n| Attestation | [Google Managed vTPM](https://cloud.google.com/confidential-computing/confidential-vm/docs/attestation) | [Microsoft Azure Attestation](https://azure.microsoft.com/en-us/products/azure-attestation/)/[Intel® Trust Authority](https://www.intel.com/content/www/us/en/security/trust-authority.html) |\n| Tutorial | [Here](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes#enabling_in_a_new_cluster) | [here](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)\n\n## 3. Deployment\n\nThere are 3 options creating a confidential cluster.\n\n- Create a few confidential VMs (CVMs) and deploy Kubernetes within them. The CVMs can be on local hosts if you have supported hardware. The CVMs can also be applied from CSP.\nThe document [csp_cvm.md](./deployment/csp_cvm.md) shows how to apply for a TD on Google Cloud or Azure and start a Kubernetes cluster in the single confidential node.\n- Create [Confidential GKE node](https://cloud.google.com/blog/products/identity-security/announcing-general-availability-of-confidential-gke-nodes) on Google cloud.\n- Create a Constellation based confidential cluster on top of a TDX machine. Follow the steps [here](./deployment/constellation.md) to deploy the cluster.\n\n\nFind details in [deployment guide](./deployment/Constellation/constellation.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcc-api%2Fconfidential-cluster","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcc-api%2Fconfidential-cluster","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcc-api%2Fconfidential-cluster/lists"}