The manifest is a JSON document that defines the essential properties of your deployment: allowed software packages, secrets, access control, update policy, etc.
Hardware-rooted remote attestation is a key ingredient for distributed confidential apps. MarbleRun relies on the Data Center Attestation Primitives (DCAP) of the latest SGX-enabled Intel Xeon processors.
📄️ State and recovery
Persistent storage for confidential applications in the cloud requires a bit of attention.
📄️ Secrets management
The generation and the management of cryptographic keys and certificates for Marbles (i.e., containers running enclaves) are central duties of the Coordinator. Keys and certificates are passed to Marbles on startup via placeholders defined in the manifest. You can learn more about this mechanism in the Secrets section from our manifest definition hands-on. Specifically, the Coordinator provides the following to Marbles.
📄️ Transparent TLS
Authenticated and encrypted connections between services are essential for the security and verifiability of confidential applications. These properties are provided by mutual TLS authentication (mTLS). Normally, the applications inside the Marbles must support mTLS, be configured correctly, and be provisioned with the necessary secrets.
📄️ Kubernetes integration
MarbleRun provides its data-plane configuration through Kubernetes resource definitions. For this, like regular service meshes, MarbleRun uses Kubernetes' admission controllers.
📄️ Supported runtimes
MarbleRun strives to be runtime-agnostic. Currently, supported runtimes are described below. More will follow in the future.