Putting an Invisible Shield on Kubernetes Secrets

Kailun Qin, Ant Group

## Agenda

• K8s Secrets: Overview
• TEE-based K8s Secrets Protection: Solution
• Production Experience @ Ant Group
• Demo
• Summary & Plan

management => crucial! security hardening

• Financial-grade security certificate/token rotation

## TEE-based Secrets Protection: Solution

## Confidential Computing

## A Trusted Execution Environment (TEE)

[Figure: TEE diagram. Labels: APP, OPERATING SYSTEM, VIRTUAL MACHINE MANAGER, HARDWARE, Hacker; Intel SGX, AMD SEV, Arm TZ]

## TEE-based KMS Plugin [1]

• Address performance & latency concerns
• Reduce / minimize remote













