I am developing a product around confidential computing with Kubernetes.
My cluster has nodes running in an AMD SEV virtual machine on an AKS cluster. AMD SEV guarantees that everything happening in the VM is secured and confidential.
I'd like to make some pods on the cluster (executed on that confidential node) fully confidential...
But so far, my strategy doesn't work because it's always possible to "kubectl exec" into this confidential pod. I know I can restrict exec to only selected service accounts thanks to RBAC policies, but I would like to make sure that even the k8s admin role can't exec into those pods.
Is that possible?
Similarly, is it possible to create a namespace secret that can be accessed by those confidential pods but could never be seen otherwise?
Thanks in advance
Loic
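Worked example of the two RBAC restrictions the question mentions, added here and not part of the original post: a Role that grants `kubectl exec` (the `create` verb on the `pods/exec` subresource) only to one ServiceAccount, and a second Role that lets the workload's ServiceAccount `get` exactly one named Secret. The namespace `confidential`, the ServiceAccounts `exec-allowed` and `confidential-workload`, and the Secret name `tenant-key` are assumptions for illustration.

```yaml
# Added example (not from the original post). Names below are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: exec-allowed
  namespace: confidential
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-exec
  namespace: confidential
rules:
  # "kubectl exec" is a POST to the pods/exec subresource, i.e. the "create" verb.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # kubectl also needs to read the pod to resolve the target container.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-exec
  namespace: confidential
subjects:
  - kind: ServiceAccount
    name: exec-allowed
    namespace: confidential
roleRef:
  kind: Role
  name: pod-exec
  apiGroup: rbac.authorization.k8s.io
---
# Narrow secret access: the workload's ServiceAccount may "get" one named Secret only.
# resourceNames only constrains get/update/delete/patch, never list or watch.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-tenant-key
  namespace: confidential
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tenant-key"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-tenant-key
  namespace: confidential
subjects:
  - kind: ServiceAccount
    name: confidential-workload
    namespace: confidential
roleRef:
  kind: Role
  name: read-tenant-key
  apiGroup: rbac.authorization.k8s.io
```

To check the effect without handing out tokens, impersonate the subjects: `kubectl auth can-i create pods/exec -n confidential --as=system:serviceaccount:confidential:exec-allowed` should answer `yes`, and the same query for `system:serviceaccount:confidential:confidential-workload` should answer `no`. Note that Kubernetes RBAC is purely additive: these Roles grant permissions to their subjects but cannot take anything away from a subject bound to `cluster-admin` or to a ClusterRole with `*` rules, which is exactly the gap the question describes.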