
Unlocking Secure Cloud Workloads with STACKIT Confidential Kubernetes and Terraform

Published on 11-05-2025 by Max Schmidt

In an increasingly regulated and security-conscious digital world, traditional cloud services often reach their limits when it comes to securely hosting highly sensitive workloads. For organizations handling confidential data such as personal health records, financial transactions, industrial IP, or government services, the need for verifiable runtime security and data isolation is paramount. This is where STACKIT Confidential Kubernetes sets a new standard.

Developed by STACKIT, the cloud and digital services arm of the Schwarz Group (owners of Lidl and Kaufland), STACKIT Confidential Kubernetes brings together the full power of cloud-native Kubernetes with a new generation of Confidential Computing technologies. This service is designed for organizations that not only require strong data protection but also need to prove compliance and trust in their cloud infrastructure.

The Benefits of STACKIT Confidential Kubernetes

The core appeal of STACKIT Confidential Kubernetes lies in its ability to isolate workloads not just at rest and in transit, but also during execution—the point at which most cloud environments are vulnerable. Using Confidential Virtual Machines (CVMs) and runtime encryption tools, all data and compute processes remain encrypted even when running in memory. This approach dramatically reduces the attack surface and helps organizations comply with GDPR, ISO 27001, BSI C5, and other data sovereignty requirements.

Unlike traditional Kubernetes platforms, workloads deployed with STACKIT Confidential Kubernetes are protected from hosts, cloud providers, and any third-party components. This is not just a theoretical benefit—integrity is measurable and provable through remote attestation mechanisms. Enterprises can verify that cluster nodes are running only approved and unmodified software images in a secure, hardware-backed environment. With this level of verification, STACKIT Confidential Kubernetes transforms the public cloud into a de facto private cloud—with the elasticity and scalability your teams expect.

For SaaS providers and regulated industries alike, this means greater user trust, the freedom to move sensitive data to the cloud, and verifiable security that aligns with the most stringent corporate policies.

How STACKIT Confidential Kubernetes Works

Built on the Constellation project by Edgeless Systems, STACKIT Confidential Kubernetes wraps Kubernetes nodes in Confidential Virtual Machines that run in trusted execution environments (TEEs) such as AMD SEV (Secure Encrypted Virtualization). These hardware-backed layers ensure that sensitive data is shielded from the rest of the cloud stack, including the hypervisor and other guest systems.

Each node is validated via Node Attestation, an automatic process that confirms the integrity of the instance before allowing cluster participation. This is combined with Cluster Attestation, enabling DevOps teams and compliance officers to check the security posture of the entire cluster using a single certificate. The system orchestrates keys and encryption with no manual intervention thanks to built-in automatic key management, tightly integrated into the Kubernetes runtime.

Importantly, all internal services, communications, and storage volumes within the Confidential Kubernetes cluster are encrypted by default. The system supports features like failover, automated upgrades, and recovery—so teams don’t compromise on reliability while securing their workloads.

Automating Deployment with Terraform

One of the most powerful features of STACKIT Confidential Kubernetes is its seamless integration with Terraform, the popular Infrastructure-as-Code (IaC) tool. This allows DevOps engineers to provision, manage, and scale clusters in a repeatable, declarative manner—ideal for large teams, CI/CD pipelines, and disaster recovery planning.

To get started, users simply configure the STACKIT provider in their Terraform setup and declare the relevant resources such as Kubernetes clusters, node pools, and configurations. Once the definitions are applied, Terraform interacts with the STACKIT APIs to spin up fully attested Confidential Kubernetes clusters—ready for secure workload deployment.

Credentials for accessing the Kubernetes cluster (kubeconfig) can be fetched programmatically, and sensitive information such as environment-specific configurations or secrets can be preloaded as Kubernetes Secrets or ConfigMaps. Since everything is version-controlled and auditable, this approach ensures compliance and repeatability across environments and teams.

This infrastructure-as-code approach also enables teams to:

  • Reuse configurations across multiple environments
  • Ensure changes are peer-reviewed and documented via Git workflows
  • Automate provisioning, teardown, and updates of infrastructure stacks

STACKIT's official Terraform provider is maintained actively and published on the public Terraform Registry—offering up-to-date modules, examples, and community support.
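As an added illustration of the Terraform workflow described above (not code from STACKIT's own documentation or provider examples), the following configuration declares a cluster with a node pool, fetches a short-lived kubeconfig through the provider, and keeps that credential out of plan output and version control. The provider source is the one published on the Terraform Registry; the cluster and kubeconfig resource names and their attributes are assumptions modelled on the provider's Kubernetes Engine resources, and the project ID, region, zone, machine type and cluster name are placeholders.

```hcl
terraform {
  required_providers {
    stackit = { source = "stackitcloud/stackit" }
    local   = { source = "hashicorp/local" }
  }
}

# Credentials come from the provider's own environment/key-file mechanisms,
# never hard-coded here. Region is a placeholder.
provider "stackit" {
  default_region = "eu01"
}

# Cluster definition (resource name and attributes assumed; verify against the
# registry docs). var.project_id is declared elsewhere and set at apply time.
resource "stackit_ske_cluster" "confidential" {
  project_id             = var.project_id
  name                   = "conf-k8s-prod"
  kubernetes_version_min = "1.30"

  node_pools = [{
    name               = "workers"
    machine_type       = "g1.3"        # placeholder flavour
    minimum            = 2
    maximum            = 5
    availability_zones = ["eu01-1"]    # placeholder zone
  }]
}

# Short-lived kubeconfig issued by the API (attributes assumed).
resource "stackit_ske_kubeconfig" "admin" {
  project_id   = stackit_ske_cluster.confidential.project_id
  cluster_name = stackit_ske_cluster.confidential.name
  expiration   = 3600  # seconds; rotate instead of keeping long-lived creds
}

# The kubeconfig also lands in Terraform state: use an encrypted, access-
# controlled remote backend and keep kubeconfig.yaml out of Git.
resource "local_sensitive_file" "kubeconfig" {
  content         = stackit_ske_kubeconfig.admin.kube_config
  filename        = "${path.module}/kubeconfig.yaml"
  file_permission = "0600"
}

output "kubeconfig" {
  value     = stackit_ske_kubeconfig.admin.kube_config
  sensitive = true  # redacted from plan/apply output and CI logs
}
```

If the kubeconfig is only needed transiently in a CI job, drop the local_sensitive_file resource and read `terraform output -raw kubeconfig` into a temporary file that is deleted after use.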

Final Thoughts

STACKIT Confidential Kubernetes marks a significant step forward in the evolution of secure cloud-native computing. By combining trusted execution environments, verifiable runtime security, and automation-friendly deployment tools like Terraform, it offers a compelling platform for companies looking to protect their most valuable digital assets.

Whether you're modernizing a legacy system, building the next generation of privacy-first SaaS applications, or simply trying to meet regulatory requirements in your cloud strategy, STACKIT delivers a trusted, enterprise-ready foundation with Confidential Kubernetes.

Organizations no longer have to choose between the flexibility of the public cloud and the control of an on-premise environment. With STACKIT Confidential Kubernetes, they can have both—without compromise.

Ready to get started?
You can find more technical documentation and Terraform examples in STACKIT’s official GitHub and Terraform Registry.

Let your workloads live safely in the cloud—confidential by default.