Title: dstack-capsule: Enabling Pod-Level Remote Attestation for Confidential Workloads in Kubernetes

Abstract

The growing adoption of LLM-as-a-Service and other sensitive cloud applications necessitates cryptographic verification that user data is handled within a secure, unaltered environment. Current approaches, such as Confidential Containers (CoCo), rely on a rigid "one Pod per VM" architecture. This model only attests the Guest OS stack, failing to verify individual container identities and resulting in unsustainable resource overhead per virtual machine. To address these limitations, we introduce dstack-capsule, a Kubernetes-based platform that facilitates Pod-level remote attestation using Intel TDX. This system allows multiple Pods to operate within a single Confidential VM while ensuring each maintains a distinct, hardware-backed identity proof.

Our approach relies on a novel two-layer attestation framework. Static platform measurements are permanently locked in RTMR[3] through an irreversible privilege fuse, whereas dynamic Pod identities—specifically pod_uid, pod_spec_hash, and workload_id—are embedded into the report_data field of the TDX Quote. These fields are signed by hardware for every request. dstack-capsule contributes four main components: (1) a Pod-level attestation protocol that links Pod spec digests to hardware-signed Quotes; (2) a privilege fuse that atomically switches a node from setup mode to secure mode; (3) a multi-layer sandbox providing isolation across storage, runtime, admission control, API, and network layers; and (4) a fully open-source implementation built on Kubernetes 1.32, Intel TDX, and Sysbox. Our evaluation of security properties, attestation accuracy, and performance demonstrates that dstack-capsule achieves granular Pod-level verification without the significant resource costs associated with per-VM isolation.

Source: arXiv Generated at: 2026-06-03 00:00:00 UTC