Unlocking Secure Cloud Workloads with STACKIT Confidential Kubernetes
published on 05.11.2025 by Max Schmidt
In an era where trust, compliance, and sovereignty are crucial for digital transformation, STACKIT Confidential Kubernetes stands out both for its security properties and for being operated by a German cloud provider. Data locality and sovereignty matter to organizations that must comply with strict European and German regulatory frameworks, and STACKIT's offering is tailored to that need.
The Benefits of STACKIT Confidential Kubernetes
The core appeal of STACKIT Confidential Kubernetes is that it isolates workloads not just at rest and in transit, but also in use, the point at which most cloud environments are weakest. Using Confidential Virtual Machines (CVMs) and runtime encryption, the memory of each node stays encrypted by the CPU while workloads execute, so neither the host nor the hypervisor can read it. This takes the host layer out of the set of components that can access workload data, which reduces the attack surface and supports compliance with GDPR, ISO 27001, BSI C5, and other data sovereignty requirements.
Unlike on a traditional Kubernetes platform, workloads deployed with STACKIT Confidential Kubernetes are protected from the host, the hypervisor, and the cloud provider's own staff. This is not just a theoretical benefit: integrity is measurable and provable through remote attestation. Enterprises can verify that cluster nodes are running only approved, unmodified software images inside a hardware-backed environment before trusting them with data. With this level of verification, STACKIT Confidential Kubernetes turns the public cloud into something very close to a private cloud, with the elasticity and scalability your teams expect.
For SaaS providers and regulated industries alike, this means greater user trust, the freedom to move sensitive data to the cloud, and verifiable security that aligns with the most stringent corporate policies.
How STACKIT Confidential Kubernetes Works
Built on the Constellation project by Edgeless Systems, STACKIT Confidential Kubernetes wraps Kubernetes nodes in Confidential Virtual Machines that run in trusted execution environments (TEEs) such as AMD SEV (Secure Encrypted Virtualization). The CPU encrypts each VM's memory with a key the hypervisor never sees, so sensitive data is shielded from the rest of the cloud stack, including the hypervisor and other guests on the same host.
Each node is validated via Node Attestation, an automatic process in which the joining node presents an attestation statement of its boot measurements, and the cluster compares it with the expected values for the approved image before the node is allowed to participate. This is combined with Cluster Attestation, which lets DevOps teams and compliance officers check the security posture of the entire cluster through a single certificate. Keys and encryption are orchestrated without manual intervention by built-in automatic key management, tightly integrated into the Kubernetes runtime.
Importantly, all internal services, communications, and storage volumes within the Confidential Kubernetes cluster are encrypted by default. The system also supports failover, automated upgrades, and recovery, so teams do not have to trade reliability for security.
How Constellation protects your Workloads
In a standard Kubernetes setup on a public cloud, the provider ultimately controls the underlying infrastructure. Administrators at the provider could, in theory, gain access to your workloads by attaching a debugger to the VM, dumping its memory, or snapshotting the disk of a running node. Such actions are rarely malicious, but they show that your trust boundary ends at the cloud provider.
Edgeless Systems Constellation changes this model by running Kubernetes nodes entirely inside hardware-backed Trusted Execution Environments (TEEs).
Within a TEE, all memory contents are transparently encrypted and isolated by the CPU itself, so even a privileged cloud administrator cannot inspect what is running inside. On current generations such as AMD SEV-SNP the hardware also protects memory integrity, so the hypervisor cannot silently modify guest memory either; earlier SEV variants only provided confidentiality.
On top of that, Constellation integrates remote attestation, allowing you to verify that your cluster is indeed running inside genuine TEEs with the expected configuration before you deploy sensitive workloads. This protects critical applications and data not just from external attackers, but also from the cloud provider itself. Note what attestation does and does not tell you: it proves which software was booted on hardware you trust, not that the software is free of bugs. A vulnerable application inside a TEE remains reachable through its network interfaces, so patching and least privilege still apply.
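The challenge-response that the node and cluster attestation described above rely on, shown here as an added Go example that is not Constellation's or STACKIT's code. It models a single PCR-style register instead of the several a vTPM exposes, uses a constructed boot log, and stands in a freshly generated Ed25519 key for the hardware-certified attestation key (a real verifier also validates that key's certificate chain up to the CPU vendor). It shows why an image with one extra boot-time setting, a replayed report, and a report signed by an untrusted key are all rejected while the approved image passes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Measurement models one PCR-style register: a SHA-256 hash chain over boot events.
type Measurement [32]byte

// extend mimics TPM2_PCR_Extend: new = SHA256(old || SHA256(event)). Order matters and
// nothing can be undone, so the final value commits to the whole boot sequence.
func extend(pcr Measurement, event []byte) Measurement {
	d := sha256.Sum256(event)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// Replay computes the register value a node ends up with after booting through the
// given events; the verifier runs the same replay over the approved image's event log.
func Replay(events [][]byte) Measurement {
	var pcr Measurement // reset state: all zeros
	for _, e := range events {
		pcr = extend(pcr, e)
	}
	return pcr
}

// GoldenImageEvents is a CONSTRUCTED boot log standing in for the approved node image
// (real logs carry firmware, bootloader, kernel, initrd and cmdline digests).
func GoldenImageEvents() [][]byte {
	return [][]byte{[]byte("firmware:ovmf-v1"), []byte("kernel:node-image-v2.0.0"), []byte("cmdline:ro verity=1")}
}

// Report is the node's answer to a verifier challenge.
type Report struct {
	Nonce []byte      // verifier-chosen freshness value, echoed back
	PCR   Measurement // claimed boot measurement
	Sig   []byte      // signature over Nonce||PCR by the node's attestation key
}

// Node stands in for a CVM. ASSUMPTION for this example: the attestation key is a freshly
// generated Ed25519 key; in a real CVM it is held by the TEE/vTPM and certified by the
// hardware vendor, and the verifier also checks that certificate chain.
type Node struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	events [][]byte
}

func NewNode(events [][]byte) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{Pub: pub, priv: priv, events: events}
}

func signedBytes(nonce []byte, pcr Measurement) []byte {
	return append(append([]byte{}, nonce...), pcr[:]...)
}

// Attest answers a challenge: measure the boot log, then sign nonce||measurement.
func (n *Node) Attest(nonce []byte) Report {
	pcr := Replay(n.events)
	return Report{Nonce: nonce, PCR: pcr, Sig: ed25519.Sign(n.priv, signedBytes(nonce, pcr))}
}

// NewNonce draws a fresh 32-byte challenge so an old report cannot be replayed.
func NewNonce() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Verify is the relying party's side: the report must be fresh, signed by a key the
// verifier trusts, and carry exactly the measurement of the approved image.
func Verify(trusted ed25519.PublicKey, nonce []byte, expected Measurement, r Report) error {
	if !bytes.Equal(nonce, r.Nonce) {
		return errors.New("stale or replayed report: nonce mismatch")
	}
	if !ed25519.Verify(trusted, signedBytes(r.Nonce, r.PCR), r.Sig) {
		return errors.New("report not signed by a trusted attestation key")
	}
	if r.PCR != expected {
		return fmt.Errorf("measurement mismatch: node booted %s, policy expects %s",
			hex.EncodeToString(r.PCR[:8]), hex.EncodeToString(expected[:8]))
	}
	return nil
}

func main() {
	expected := Replay(GoldenImageEvents())
	good, nonce := NewNode(GoldenImageEvents()), NewNonce()
	fmt.Println("approved image: ", Verify(good.Pub, nonce, expected, good.Attest(nonce)))
	// An image with an extra boot-time setting measures differently and is rejected.
	tampered := NewNode(append(GoldenImageEvents(), []byte("cmdline:debug-shell=1")))
	fmt.Println("modified image: ", Verify(tampered.Pub, nonce, expected, tampered.Attest(nonce)))
	// Yesterday's good report presented against a new challenge fails on the nonce.
	fmt.Println("replayed report:", Verify(good.Pub, NewNonce(), expected, good.Attest(nonce)))
}
```

The order of the three checks in Verify matters less than the fact that all three exist: without the nonce an attacker can replay a report captured from a healthy node, without the signature check anyone can forge a measurement, and without the measurement policy a genuine TEE running a backdoored image would pass. Constellation publishes the expected measurements per image version; the equivalent here is the value that Replay computes over the golden event log.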
Automating Deployment with Terraform
One of the most powerful features of STACKIT Confidential Kubernetes is its seamless integration with Terraform. This allows DevOps engineers to provision, manage, and scale clusters in a repeatable, declarative manner - ideal for large teams, CI/CD pipelines, and disaster recovery planning.
To get started, users simply configure the STACKIT provider in their Terraform setup and declare the relevant resources such as Kubernetes clusters, node pools, and configurations. Once the definitions are applied, Terraform interacts with the STACKIT APIs to spin up fully attested Confidential Kubernetes clusters - ready for secure workload deployment.
Credentials for accessing the Kubernetes cluster (kubeconfig) can be fetched programmatically, and environment-specific configuration can be preloaded as Kubernetes ConfigMaps, with sensitive values going into Kubernetes Secrets rather than ConfigMaps. Bear in mind that any value passed through Terraform is recorded in its state file, so the state itself must be stored encrypted and access-controlled. Since everything is version-controlled and auditable, this approach supports compliance and repeatability across environments and teams.
This infrastructure-as-code approach also enables teams to:
- Reuse configurations across multiple environments
- Ensure changes are peer-reviewed and documented via Git workflows
- Automate provisioning, teardown, and updates of infrastructure stacks
STACKIT's official Terraform provider is maintained actively and published on the public Terraform Registry - offering up-to-date modules, examples, and community support.
Final Thoughts
STACKIT Confidential Kubernetes marks a significant step forward in the evolution of secure cloud-native computing. By combining trusted execution environments, verifiable runtime security, and automation-friendly deployment tools like Terraform, it offers a compelling platform for companies looking to protect their most valuable digital assets.
Whether you're modernizing a legacy system, building the next generation of privacy-first SaaS applications, or simply trying to meet regulatory requirements in your cloud strategy, STACKIT delivers a trusted, enterprise-ready foundation with Confidential Kubernetes.
Organizations no longer have to choose between the flexibility of the public cloud and the control of an on-premise environment. With STACKIT Confidential Kubernetes, they can have both - without compromise.
Ready to get started?
You can find more documentation and Terraform examples for setting up STACKIT Confidential Kubernetes in our GitHub Repository.
Update
In parallel to this blog post, Edgeless Systems announced that Constellation is being discontinued and that Contrast is now prioritized.