Pyramid: A Secure, Resource-Efficient, and Pluggable Kubernetes for Multi-Tenancy

Welcome to the official repository of Pyramid, a novel, pluggable container orchestration architecture designed to bring Hardware Trusted Execution Environments (TEEs) into the cloud-native Kubernetes ecosystem seamlessly.

Pyramid achieves the best of both worlds: the rock-solid data processing security of hardware TEEs, and the high-efficiency container orchestration of commercial Kubernetes for multi-tenancy.

👉 Read the Full Paper: ACM Digital Library


💡 Motivation & Core Architecture

Modern multi-tenant cloud infrastructures face a critical conflict between confidential computing and resource utilization. Existing confidential Kubernetes solutions often introduce significant performance degradation or demand intrusive modifications to the standard K8s control plane.

Pyramid resolves this dilemma through a novel Dual-Layer Co-Orchestration design:

  1. The Untrusted Layer (Base K8s): Maximally preserves the standard, commercial K8s workflow. It manages cross-tenant global resource scheduling and optimization to maintain peak infrastructure utilization.
  2. The Trusted Layer (Top TEE K8s): Sits on top of the original cluster. It receives abstract resource information from the untrusted layer via carefully designed interfaces, and securely coordinates the actual workload execution shielded by Hardware TEEs.

By decoupling resource management from confidential execution, Pyramid achieves robust multi-tenancy protection with minimal intrusive modifications to standard K8s.

🚀 Performance Highlights

Compared to state-of-the-art confidential computing deployment frameworks:

  • Data Plane: Achieves 1.4X higher throughput during intense workloads.
  • Control Plane: Maintains fully comparable and agile scheduling performance.

📂 Repository Structure

This monorepo aggregates all core subsystems, interfaces, and evaluation workloads for Pyramid:

  • containerd/: Modified Container Runtime Interface (CRI) shim tailored for secure TEE container instantiation under the dual-layer model. (Git Submodule)
  • shadowpod-validating-admission-webhook/: Kubernetes Validating Admission Webhook that intercepts Pod creation requests, enforcing tenant security invariants and facilitating multi-layer translation. (Git Submodule)
  • confidential-k8s/: The implementation of Pyramid's separate trusted/untrusted orchestration layers, interface protection mechanisms, and evaluation benchmarks.
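To make the admission-webhook bullet above concrete, here is an added example (not code from the Pyramid repository) of the kind of invariant check such a webhook performs before a Pod reaches the trusted layer. It decodes a hand-written subset of the `admission.k8s.io/v1` AdmissionReview format with only the Go standard library, and it assumes an annotation `example.pyramid/confidential`, a tenant label `example.pyramid/tenant`, a RuntimeClass named `tee-shim`, and the convention that a namespace belongs to exactly one tenant; all of these names are illustrative, not Pyramid's real identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format,
// so this example needs only the Go standard library.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"result,omitempty"`
}

type Status struct {
	Message string `json:"message"`
	Code    int32  `json:"code"`
}

// Only the Pod fields this policy inspects.
type Pod struct {
	Metadata struct {
		Labels      map[string]string `json:"labels"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		RuntimeClassName *string `json:"runtimeClassName"`
		HostNetwork      bool    `json:"hostNetwork"`
	} `json:"spec"`
}

// Assumed names for this illustration; they are not Pyramid's real identifiers.
const (
	confidentialAnnotation = "example.pyramid/confidential"
	tenantLabel            = "example.pyramid/tenant"
	teeRuntimeClass        = "tee-shim"
)

// validatePod returns nil when the pod meets the invariants, else the rejection reason.
func validatePod(namespace string, pod *Pod) error {
	if pod.Metadata.Annotations[confidentialAnnotation] != "true" {
		return nil // ordinary pod: left to the untrusted layer's normal workflow
	}
	if rc := pod.Spec.RuntimeClassName; rc == nil || *rc != teeRuntimeClass {
		return fmt.Errorf("confidential pod must set runtimeClassName=%q", teeRuntimeClass)
	}
	// Assumed convention: the namespace is the tenant, so the label must agree with it.
	if tenant := pod.Metadata.Labels[tenantLabel]; tenant != namespace {
		return fmt.Errorf("tenant label %q does not match namespace %q", tenant, namespace)
	}
	if pod.Spec.HostNetwork {
		return fmt.Errorf("confidential pod may not share the host network namespace")
	}
	return nil
}

// Review decodes an AdmissionReview, applies validatePod, and returns the review
// carrying the response object the API server expects back.
func Review(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (%v)", err)
	}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		return nil, fmt.Errorf("malformed Pod object: %w", err)
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	if err := validatePod(in.Request.Namespace, &pod); err != nil {
		resp.Allowed = false
		resp.Result = &Status{Message: err.Error(), Code: http.StatusForbidden}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// SampleReview builds a constructed AdmissionReview for a confidential pod (test input).
func SampleReview(namespace, tenant, runtimeClass string, hostNetwork bool) []byte {
	return []byte(fmt.Sprintf(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
"request":{"uid":"constructed-uid","namespace":%q,"object":{"metadata":{"labels":{%q:%q},
"annotations":{%q:"true"}},"spec":{"runtimeClassName":%q,"hostNetwork":%t}}}}`,
		namespace, tenantLabel, tenant, confidentialAnnotation, runtimeClass, hostNetwork))
}

func main() {
	for _, body := range [][]byte{
		SampleReview("tenant-a", "tenant-a", teeRuntimeClass, false),
		SampleReview("tenant-a", "tenant-b", teeRuntimeClass, false), // cross-tenant claim
		SampleReview("tenant-a", "tenant-a", "runc", false),          // not TEE-backed
	} {
		out, err := Review(body)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		msg := "ok"
		if out.Response.Result != nil {
			msg = out.Response.Result.Message
		}
		fmt.Printf("allowed=%v: %s\n", out.Response.Allowed, msg)
	}
}
```

In a real deployment `Review` would sit behind an HTTPS handler (the API server only calls webhooks over TLS) and the invariants would be whatever Pyramid's own translation layer requires; the point here is that a validating webhook can refuse any Pod that claims confidential treatment without the TEE runtime class, or that claims a tenant other than the one owning its namespace, before the untrusted scheduler ever sees it.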

🛠️ Quick Start

Prerequisites

  • Linux Kernel with hardware TEE extensions enabled (e.g., Intel SGX/TDX, AMD SEV)
  • Kubernetes Cluster v1.26+
  • Go & Rust toolchains for component compilation

Cloning the Repository

Since this project pulls critical dependencies in as Git submodules, make sure they are fetched when you clone:

git clone git@github.com:StanPlatinum/pyramid.git
cd pyramid

# Initialize and pull all submodules
git submodule update --init --recursive