Implementing Kubernetes Pod-Level Remote Attestation for Confidential Workloads on dstack
Highlights
- Multiple Pods per Confidential VM, each independently attestable
- Privilege fuse freezes platform measurements at boot
- Open-source on Kubernetes 1.32 + Intel TDX + Sysbox
Abstract
Cloud LLM services and confidential workloads need strong, verifiable isolation. Existing solutions such as Confidential Containers enforce a one-Pod-per-VM model with significant resource cost and incomplete container-level verification. We propose dstack-capsule, enabling Pod-level remote attestation on Intel TDX by allowing multiple Pods to share a single Confidential VM while each retains independent, hardware-backed proof of identity. The system uses a two-layer architecture: static platform measurements frozen via a privilege fuse, and dynamic Pod identities embedded in hardware-signed quotes. Contributions include a Pod-level attestation protocol, the privilege-fuse mechanism, a multi-layer sandbox spanning storage through network isolation, and an open-source implementation on Kubernetes 1.32, Intel TDX, and Sysbox. The result is Pod-granularity verification without per-VM resource overhead.
arXiv:2606.03323