Skip to content
/ portainerCC Public

Making confidential compute docker, docker swarm and kubernetes management simple

License

Zlib license
11 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

enclaive/portainerCC

387 Branches115 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

marcely0marcely0
runyourcode frontend
Jul 13, 2023
7a8166e · Jul 13, 2023

History

3,592 Commits
.github
.github
May 2, 2022
.storybook
.storybook
May 29, 2022
.vscode.example
.vscode.example
Jan 14, 2023
api
api
Jul 13, 2023
app
app
Jul 13, 2023
build
build
May 8, 2023
coordinator
coordinator
Jul 7, 2023
distribution
distribution
Aug 27, 2020
pcc-agent
pcc-agent
May 8, 2023
plop-templates
plop-templates
Mar 18, 2021
translations/en
translations/en
Jan 17, 2022
webpack
webpack
Jun 28, 2022
.codeclimate.yml
.codeclimate.yml
Jul 5, 2020
.dockerignore
.dockerignore
May 8, 2023
.env.defaults
.env.defaults
Jan 24, 2022
.eslintignore
.eslintignore
Mar 21, 2019
.eslintrc.yml
.eslintrc.yml
Jun 23, 2022
.git-blame-ignore-revs
.git-blame-ignore-revs
Feb 22, 2022
.gitignore
.gitignore
Aug 9, 2022
.godir
.godir
Sep 4, 2016
.prettierignore
.prettierignore
Apr 14, 2022
.prettierrc
.prettierrc
Jan 17, 2022
ATTRIBUTIONS.md
ATTRIBUTIONS.md
Mar 22, 2021
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
Jun 22, 2017
CONTRIBUTING.md
CONTRIBUTING.md
Nov 30, 2021
Dockerfile.graminehello
Dockerfile.graminehello
Jan 8, 2023
Dockerfile.lable
Dockerfile.lable
May 24, 2023
Dockerfile.portainercc
Dockerfile.portainercc
Nov 30, 2022
Dockerfile.test
Dockerfile.test
Jan 15, 2023
LICENSE
LICENSE
May 23, 2018
README.md
README.md
May 8, 2023
babel.config.js
babel.config.js
Mar 8, 2022
build.sh
build.sh
Sep 16, 2018
confidential-templates.json
confidential-templates.json
May 24, 2023
configmaps_and_secrets.go
configmaps_and_secrets.go
Sep 21, 2022
docker-compose.pull-dog.yml
docker-compose.pull-dog.yml
Dec 1, 2020
example_pf.key
example_pf.key
Oct 22, 2022
extensions.json
extensions.json
Dec 2, 2019
go.work
go.work
May 8, 2023
go.work.sum
go.work.sum
May 8, 2023
gruntfile.js
gruntfile.js
May 24, 2023
ingresses.go
ingresses.go
Sep 21, 2022
jest.config.js
jest.config.js
Jul 26, 2022
jsconfig.json
jsconfig.json
Jan 17, 2022
lint-staged.config.js
lint-staged.config.js
Jan 17, 2022
namespaces.go
namespaces.go
Sep 21, 2022
package.json
package.json
May 8, 2023
pcc_logo_only.png
pcc_logo_only.png
Jun 16, 2023
plopfile.js
plopfile.js
Mar 18, 2021
postcss.config.js
postcss.config.js
Apr 26, 2022
pull-dog.json
pull-dog.json
Jul 20, 2020
services.go
services.go
Sep 21, 2022
tailwind.config.js
tailwind.config.js
Aug 10, 2022
tool-versions.json
tool-versions.json
Jan 17, 2022
tsconfig.json
tsconfig.json
Sep 23, 2022
webpack.config.js
webpack.config.js
Mar 21, 2019
wip-screens.gif
wip-screens.gif
Dec 13, 2022
yarn-error.log
yarn-error.log
Oct 24, 2022
yarn.lock
yarn.lock
Oct 7, 2022

Repository files navigation

Portainer.cc - Building and Deploying Runtime Encrypted Workloads leveraging Confidential Compute

Table of Contents

About The Project

In view of the ever increasing shift of applications to the cloud, new mechanisms need to be developed to protect the workload. In contrast to on-prem, physical resources are no more isolated in the cloud. Rather virtual machines, kubernetes clusters and serverless functions, share physical resources. Moreover, the resources are maintained by a third party known as the cloud provider who has root access to the resources. For decades it is well known that the application isolation provided by hypervisors and operating systems is weak. A vast amount of exploits have been demonstrated how to escapte the present security and trust model.

Confidential Computing, for short CC, is a new, promising technology addressing the problem. CC makes it for the very first time practically possible to encrypt data during runtime in such a way that only the CPU has access to it. This makes it possible to protect application code and data in the light of vertical and horizontal exploits.

Portainer.cc is a project extending the promiment community tool Portainer.io with confidential computing capabilities. to make it easy to run application-containers confidentially in the cloud. PortainerCC builds upon Gramine OS and Marblerun to run and remotely attest containerized Gramine-applications.

Features (v.0.1.0-beta)

Portainer.cc offers these features:

  • Build and deploy any application in an Intel SGX enclave supporting Gramine libOS Gramine
  • Key managmement for container authentication and file/volume encryption
  • Authenticated container provisioning of secrets, environment variables, files and keys supporting Marblerun
  • Example template to build, deploy and securely provision MariaDB

Getting Started

Prerequisites

For Portainer.cc to work, you need to make sure that all environments you want to use are Intel SGX compatible and can use Intel SGX Datacenter Attestation Primitives for Remote Attestation and meet these requirements:

Install Portainer.cc

To install Portainer.cc, run the following command:

docker run -d -p 8000:8000 -p 9000:9000 -p 9443:9443 \
-v /var/run/docker.sock:/var/run/docker.sock:z \
-v /var/run/docker.sock:/var/run/alternative.sock:z \
-v /tmp:/tmp \
-v pccdata:/data \
--name portainerCC \
marcely0/pcc

The Portainer.cc Image comes with some predefined confidential templates. You can mount your own templates with the following parameter when you start your Container:

-v ./temps.json:/confidential-templates.json

How-Tos

You can check out some of the How-Tos:

Step by Step guide to set up PortainerCC with an PortainerCC Agent

Create a confidential Application for Portainer.cc

Remote Attestation and Secret Provisioning

Deprecated - Step by Step guide to run MariaDB in PortainerCC

Licence

Distributed under the zlib licence. See LICENCE for reference.

About

Making confidential compute docker, docker swarm and kubernetes management simple

Topics

docker kubernetes docker-compose docker-container portainer docker-ui kubernetes-ui intel-sgx dockerswarm confidential-computing amd-sev-snp intel-tdx

Resources

Readme

License

Zlib license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

11 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

115 tags

Packages

No packages published

Contributors 216

+ 202 contributors

Languages