Google Announces Confidential GKE Nodes, General Availability of Confidential VMs
Google on Tuesday announced an expansion of its Confidential Computing portfolio, with the general availability of Confidential VMs and the addition of Confidential GKE (Google Kubernetes Engine) Nodes.
Introduced in July in beta, Confidential VMs were the first product in the Google Cloud Confidential Computing portfolio, and Google is making them available to all Google Cloud customers in the coming weeks. The product will include all of the features that were introduced during the beta stage.
Confidential GKE Nodes, the second product in Google’s Confidential Computing portfolio, will arrive in beta with the GKE 1.18 release and give organizations that run Kubernetes clusters on GKE an additional option for confidential workloads.
Built on the same technology foundation as Confidential VMs, Confidential GKE Nodes keep each node’s memory encrypted with a dedicated, node-specific key. The key is generated and managed by the AMD Secure Processor embedded in the AMD EPYC CPU, Google explains, and is not accessible to the hypervisor.
The new product lets organizations configure a GKE cluster so that only node pools with Confidential VM capabilities can be deployed. The use of Confidential VMs is thus enforced automatically for every worker node in a cluster that uses Confidential GKE Nodes.
According to Google, Confidential GKE Nodes rely on the hardware memory encryption provided by the Secure Encrypted Virtualization (SEV) feature of AMD EPYC processors, so the memory of every workload running on these nodes is encrypted while in use. Practitioners should note that SEV encrypts guest memory but does not by itself protect the guest’s CPU register state or provide memory integrity protection; those are addressed by the later SEV-ES and SEV-SNP extensions.
Confidential VMs too leverage memory encryption to isolate workloads and tenants, offering an easy-to-use option to ensure that the memory of workloads in Google Compute Engine is protected.
According to Google, Confidential VMs also deliver high performance, even for demanding computational tasks, while keeping VM memory encrypted with a per-VM key that the AMD Secure Processor within the EPYC chip generates and manages.
New capabilities that the Internet giant is introducing for Confidential VMs include audit reports for compliance (with detailed logs on the integrity of the firmware responsible for key generation), new policy controls for confidential computing resources, integration with other enforcement mechanisms, and the ability to share secrets securely with Confidential VMs.
Organizations can now define access privileges for Confidential VMs through Organization Policy constraints, including a constraint that denies the creation of non-confidential VMs within a project. They can also combine Shared VPCs, policy constraints, and firewall rules so that only Confidential VMs can communicate with one another, or define a perimeter of GCP resources the VMs may reach.
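The following script is an added example, not Google's own code, showing how the controls described above (and the cluster-level enforcement for Confidential GKE Nodes described earlier) are expressed with gcloud: an Organization Policy that denies non-confidential compute, creation of a Confidential VM and of a GKE cluster with Confidential GKE Nodes, and firewall rules that permit ingress only between confidential instances. The project, zone, network and cluster names and the network tag `confidential` are placeholders chosen for this example; the gcloud commands, flags and the `constraints/compute.restrictNonConfidentialComputing` constraint are real. By default the script only prints the commands it would run, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example (not Google's code): enforce "Confidential VMs only" in a
# GCP project with gcloud, then create a Confidential VM and a GKE cluster
# with Confidential GKE Nodes that may only talk to each other.
# Assumptions (placeholders, not from the article): the project, zone,
# network and cluster names below, and the network tag "confidential"
# used to identify confidential instances in firewall rules.
set -eu

# DRY_RUN=1 (default) prints each gcloud command instead of executing it;
# set DRY_RUN=0 to apply the changes for real.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Org policy: the list constraint restrictNonConfidentialComputing denies
# non-confidential instances per service. Denying compute.googleapis.com
# blocks ordinary Compute Engine VMs; denying container.googleapis.com
# blocks non-confidential GKE node pools as well.
write_policy() {
  cat <<'EOF'
constraint: constraints/compute.restrictNonConfidentialComputing
listPolicy:
  deniedValues:
  - compute.googleapis.com
  - container.googleapis.com
EOF
}

enforce_confidential_only() {
  project="$1"
  policy_file="${2:-confidential-policy.yaml}"
  if [ "$DRY_RUN" = "1" ]; then
    printf '# would write %s:\n' "$policy_file"
    write_policy
  else
    write_policy >"$policy_file"
  fi
  run gcloud resource-manager org-policies set-policy "$policy_file" \
    --project="$project"
}

# Confidential VMs require an N2D (AMD EPYC) machine type and cannot live
# migrate, hence --maintenance-policy=TERMINATE. The Shielded VM flags keep
# the vTPM and Secure Boot enabled for the integrity logging mentioned above.
create_confidential_vm() {
  project="$1"; name="$2"; zone="$3"
  run gcloud compute instances create "$name" \
    --project="$project" --zone="$zone" \
    --machine-type=n2d-standard-2 --confidential-compute \
    --maintenance-policy=TERMINATE \
    --shielded-vtpm --shielded-secure-boot \
    --tags=confidential \
    --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud
}

# GKE cluster whose node pools are all Confidential GKE Nodes; the node VMs
# get the same "confidential" tag so the firewall rules below apply to them.
create_confidential_cluster() {
  project="$1"; name="$2"; zone="$3"
  run gcloud container clusters create "$name" \
    --project="$project" --zone="$zone" \
    --enable-confidential-nodes --machine-type=n2d-standard-2 \
    --tags=confidential
}

# Firewall: allow ingress only from confidential-tagged instances to
# confidential-tagged instances, and deny all other ingress to them.
# Priority 65000 ranks below the allow rule's default priority of 1000,
# so the allow rule wins for confidential sources.
restrict_to_confidential_peers() {
  project="$1"; network="$2"
  run gcloud compute firewall-rules create confidential-peers-allow \
    --project="$project" --network="$network" --direction=INGRESS \
    --action=ALLOW --rules=all \
    --source-tags=confidential --target-tags=confidential
  run gcloud compute firewall-rules create confidential-others-deny \
    --project="$project" --network="$network" --direction=INGRESS \
    --action=DENY --rules=all --priority=65000 \
    --source-ranges=0.0.0.0/0 --target-tags=confidential
}

# Stand-alone usage: in dry-run mode this prints the full plan.
demo() {
  enforce_confidential_only demo-project
  create_confidential_vm demo-project cvm-1 us-central1-a
  create_confidential_cluster demo-project conf-cluster us-central1-a
  restrict_to_confidential_peers demo-project demo-vpc
}

demo
```

Run it once as-is to review the generated plan, then with `DRY_RUN=0` against a test project. If the target network is the auto-mode `default` VPC, its pre-created `default-allow-internal` rule would still admit traffic from non-confidential instances, so delete that rule or use a dedicated network as the example assumes.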
Confidential VMs now also support secure secret sharing through the virtual Trusted Platform Module (vTPM): a secret can be sealed so that it is released only inside the intended Confidential VM. Google’s open source go-tpm library provides the APIs organizations can use to bind secrets to a Confidential VM’s vTPM.