Tuesday June 23, 2026 3:30pm - 3:55pm PDT
GKE Hypercluster brings large-scale operation of Trusted Execution Environments to Kubernetes, and was co-designed with Anthropic to meet their security and scale requirements. In this talk we explain the linked runner architecture that drastically reduces the Trusted Computing Base (TCB) by completely separating high-value workload execution from the standard container orchestration control plane. In this model, sensitive AI workloads are offloaded to a dedicated, "sealed" virtual machine. Kubernetes scheduling and orchestration remain on a non-sealed "parent" node, preserving Kubernetes primitives (i.e., Pods, Network Policy) and operational familiarity while achieving workload isolation. The execution environment is built on a hardened and attested OS, removing non-essential services and preventing administrative shell access. Integrity is guaranteed through attestation and container signature verification.

This design establishes a strict chain of trust, offers isolation from the Kubernetes operator and Cloud Service Provider, supports high-performance AI accelerators within the sealed boundary, and enhances scalability by managing isolated environments with a reduced system footprint.
Speakers
Keith Moyer

Senior Staff Software Engineer, Google
Keith Moyer is the Technical Lead for Confidential Computing at Google Cloud. He has spent the last 10 years dedicated to making verifiable trust accessible and useful, with over 20 years of experience spanning cloud security and embedded systems. He holds a BS in Computer Engineering...
Komei Nakamoto

GKE AI Security Tech Lead, Google
Komei is a software engineer at Google, and the Tech Lead for the GKE AI Security team focused on making GKE a secure platform for running AI workloads.
Courtyard
