Network and Service Integration
To the rest of the platform, the confidential pod looks like an HTTPS inference service. HTTPS is the reference path. Other TLS-protected application protocols, such as gRPC over TLS or WebSockets over TLS (wss://), can fit the same boundary when authentication, routing, logging, and payload-handling controls are equivalent.
The service sits behind whatever gateway, inference router, model registry endpoint, route, Kubernetes Service, or load balancer the platform already uses.
The default pattern is simple: inbound HTTPS from approved callers, outbound HTTPS to attestation, key release, artifact storage, and approved application endpoints. No exec into the confidential guest. No privileged debug path that exposes model-provider secrets. Administrative recovery happens by replacing the pod, replacing the image, draining the node, or using a governed break-glass path that still preserves the confidentiality boundary.
Network policy permits:
Inbound inference traffic from the approved gateway, route, service mesh, or service subnet.
Outbound HTTPS/443 from the confidential pod to the attestation verifier.
Outbound HTTPS/443 from the confidential pod to the KBS, key broker, or KMS/HSM.
Optional outbound traffic to an approved registry or object store for artifact fetches.
Optional outbound traffic for model-provider licensing or telemetry, if contractually allowed.
Broad outbound internet access is denied. Anything that calls home does so as documented application traffic, not via hidden node, hardware, or BMC paths.
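One way to express the rules above as a standard Kubernetes NetworkPolicy, added here as an example and not taken from the platform's own manifests. The namespaces, labels, serving port 8443, and documentation-range CIDRs are assumed placeholders to be replaced with the deployment's real values.

```yaml
# Added example. Every name, label, port and CIDR below is a constructed placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: confidential-inference-boundary
  namespace: confidential-inference          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: confidential-model-server         # assumed pod label
  # Selecting the pod for both directions denies all traffic not matched below,
  # which is what blocks broad outbound internet access.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound inference traffic only from the approved gateway pods.
    # namespaceSelector and podSelector in one entry are ANDed together.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: inference-gateway   # assumed namespace
          podSelector:
            matchLabels:
              app: gateway                                     # assumed label
      ports:
        - protocol: TCP
          port: 8443                         # assumed HTTPS serving port
  egress:
    # HTTPS/443 to the attestation verifier and to the KBS / key broker / KMS.
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32              # placeholder: attestation verifier
        - ipBlock:
            cidr: 192.0.2.20/32              # placeholder: KBS, key broker or KMS/HSM
      ports:
        - protocol: TCP
          port: 443
    # Optional: approved registry or object store for artifact fetches.
    - to:
        - ipBlock:
            cidr: 198.51.100.0/24            # placeholder: artifact store range
      ports:
        - protocol: TCP
          port: 443
  # DNS is not in the permitted list above. If the pod resolves endpoints by
  # name, add an explicit egress rule to the cluster DNS service only.
```

Standard NetworkPolicy matches IP ranges and pod or namespace labels, not hostnames, so the allowed endpoints need stable addresses or a CNI-specific policy type that supports FQDN rules.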
Service discovery can use standard Kubernetes mechanisms. Validation and early production can use fixed Services, Routes, or a small load-balanced pool. Larger deployments add automation for workload rollout, certificate issuance, health registration, node replacement, and runtime upgrades.
The surrounding platform treats the confidential pod as an HTTPS inference endpoint. Cluster administrators don’t enter the guest, install agents inside the confidential guest, tail application logs with payloads, or run commands inside the model server.