Fluorite is an open-source, transparent Kubernetes distribution designed for deploying attested, unalterable workloads in trusted computing and confidential computing environments. It enables organizations to run end-user-verifiable applications on their own infrastructure, whether in the cloud or on-premises.
Built on top of the K3s Kubernetes distribution, Fluorite provides a framework for running distributed enclave applications in which both the infrastructure operator and the end users can cryptographically verify the integrity and authenticity of the deployed workloads.
In this framework we consider two actors:
- Operator: The person or entity in charge of creating the cluster and provisioning it with a particular application. The operator has a one-time opportunity to provision the cluster: once it is provisioned, the operator loses access to it and can no longer modify it.
- Application User: Interacts with the service running on the cluster. Once the cluster has been provisioned by the Operator, the user must be able at any time to retrieve and verify the attestation returned by the cluster, thereby verifying its integrity, and to establish a secure communication channel with the service running on it.
Key features
- Cluster-wide attestation: Both the operator and users can request and verify the cryptographic attestation of the entire cluster.
- Ephemeral cluster: Clusters are meant to be short-lived and disposable—destroy and re-provision rather than update in-place.
- Zero privileged access post-bootstrap: Once provisioning is complete, the operator (both the ops and dev teams) retains no privileged access to the cluster.
- Build transparency: All artifacts are built with verifiable provenance using the SLSA framework, securing the supply chain and making the build artifacts we provide transparent.
- Secure inter-node communication: Nodes communicate securely via WireGuard encrypted tunnels.
- Multiple cloud support: Deploy on Microsoft Azure (Trusted Launch VMs and Confidential VMs), Google Cloud Platform (Shielded VMs), or bare-metal using AMD SEV-SNP hardware.
- GPU support: NVIDIA GPUs are supported, including the H100 in confidential computing mode, which makes Fluorite usable for AI workloads. For instance, our demo is a confidential chat web app.
By eliminating privileged access after deployment, Fluorite enables the creation of unalterable secure services. Such services guarantee the integrity and confidentiality of both computation and user data, and protect against insider threats by allowing their functionality to be remotely verified.
Ultimately, building an unalterable and secure service is a shared responsibility between the confidential Kubernetes distribution (this project) and the bundle/application developer. Auditors must carefully review both the provisioning bundle and the provisioning configuration to ensure that the application does not introduce any administrative access points or backdoors. Relying parties, in turn, must appraise the attestation evidence and accept only attestations from clusters provisioned with a trusted bundle and configuration.
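What "appraising the evidence" means for a relying party, as an added example written for this page and not code from the Fluorite project: the client issues a nonce, the cluster returns signed evidence carrying the bundle and config measurements plus the service's TLS key, and the client accepts only if the evidence is fresh, signed by the trusted attestation root, and measures a bundle/config pair an auditor has approved. The evidence layout, the Ed25519 stand-in for the hardware attestation root, and the measurement values are all assumptions for illustration; a real deployment would verify the platform's own report (for example an SEV-SNP report) against the vendor's certificate chain instead.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Evidence is a hypothetical attestation report returned by a cluster to a
// relying party. The layout is illustrative only, not Fluorite's real format.
type Evidence struct {
	Nonce        []byte   // freshness value chosen by the verifier
	BundleDigest [32]byte // measurement of the provisioning bundle
	ConfigDigest [32]byte // measurement of the provisioning config
	ServiceKey   []byte   // service's TLS public key, bound into the report
	Sig          []byte   // attester signature over the fields above
}

// payload is the byte string the attester signs and the verifier checks.
// The variable-length nonce is length-prefixed so fields cannot shift into each other.
func (e Evidence) payload() []byte {
	var b bytes.Buffer
	b.WriteByte(byte(len(e.Nonce)))
	b.Write(e.Nonce)
	b.Write(e.BundleDigest[:])
	b.Write(e.ConfigDigest[:])
	b.Write(e.ServiceKey)
	return b.Bytes()
}

// Attester stands in for the cluster's attestation root (a hardware or
// firmware key in a real deployment) and signs evidence on request.
type Attester struct{ priv ed25519.PrivateKey }

func (a Attester) Attest(nonce []byte, bundle, config [32]byte, serviceKey []byte) Evidence {
	e := Evidence{Nonce: nonce, BundleDigest: bundle, ConfigDigest: config, ServiceKey: serviceKey}
	e.Sig = ed25519.Sign(a.priv, e.payload())
	return e
}

// Policy is what the relying party trusts: the attestation root key and the
// (bundle, config) pairs an auditor has reviewed and approved.
type Policy struct {
	Root    ed25519.PublicKey
	Allowed map[[64]byte]bool
}

func NewPolicy(root ed25519.PublicKey) Policy {
	return Policy{Root: root, Allowed: map[[64]byte]bool{}}
}

func pairKey(bundle, config [32]byte) (k [64]byte) {
	copy(k[:32], bundle[:])
	copy(k[32:], config[:])
	return k
}

func (p Policy) Allow(bundle, config [32]byte) { p.Allowed[pairKey(bundle, config)] = true }

// Appraise accepts evidence only if it is fresh, authentic, and measures an
// approved bundle/config pair. On success it returns the service key the client
// should pin for its TLS session, binding the channel to the attested cluster.
func (p Policy) Appraise(nonce []byte, e Evidence) ([]byte, error) {
	if !bytes.Equal(nonce, e.Nonce) {
		return nil, errors.New("stale or replayed evidence: nonce mismatch")
	}
	if !ed25519.Verify(p.Root, e.payload(), e.Sig) {
		return nil, errors.New("evidence signature does not verify against the trusted root")
	}
	if !p.Allowed[pairKey(e.BundleDigest, e.ConfigDigest)] {
		return nil, fmt.Errorf("bundle %x.../config %x... not in the approved set", e.BundleDigest[:4], e.ConfigDigest[:4])
	}
	return e.ServiceKey, nil
}

// Scenario runs one verifier/cluster exchange on constructed inputs.
// name selects a deviation: "good", "wrong-bundle", "replay", or "tampered".
func Scenario(name string) error {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	cluster := Attester{priv: rootPriv}
	// Constructed measurements: the auditor approved bundle v1 with config v1.
	trustedBundle := sha256.Sum256([]byte("bundle-v1.tar"))
	trustedConfig := sha256.Sum256([]byte("provision-config-v1.yaml"))
	policy := NewPolicy(rootPub)
	policy.Allow(trustedBundle, trustedConfig)

	servicePub, _, _ := ed25519.GenerateKey(rand.Reader) // stands in for the service TLS key
	nonce := make([]byte, 32)
	rand.Read(nonce)

	bundle := trustedBundle
	if name == "wrong-bundle" { // cluster honestly reports an unapproved bundle
		bundle = sha256.Sum256([]byte("bundle-v1-with-admin-shell.tar"))
	}
	ev := cluster.Attest(nonce, bundle, trustedConfig, servicePub)
	switch name {
	case "replay": // verifier issued a fresh nonce, cluster replays old evidence
		rand.Read(nonce)
	case "tampered": // evidence rewritten in transit; signature no longer matches
		ev.BundleDigest = sha256.Sum256([]byte("something-else"))
	}
	key, err := policy.Appraise(nonce, ev)
	if err == nil && !bytes.Equal(key, servicePub) {
		return errors.New("returned service key does not match the attested one")
	}
	return err
}

func main() {
	for _, s := range []string{"good", "wrong-bundle", "replay", "tampered"} {
		fmt.Printf("%-13s -> %v\n", s, Scenario(s))
	}
}
```

The order of checks matters: freshness and signature are verified before the measurement lookup, so an attacker cannot learn which digests are on the allowlist by submitting unsigned guesses, and the service key is only trusted once it has been shown to be bound into authentic evidence.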
Security
We have developed Fluorite so that you are free to choose between deploying confidential workloads on public cloud providers such as Microsoft Azure and Google Cloud, or on bare metal with AMD SEV-SNP hardware support.