Contrast is a confidential containers platform that integrates with managed Kubernetes environments to provide hardware-based workload isolation without requiring application code changes. It runs containers inside confidential micro VMs using AMD SEV-SNP or Intel TDX hardware technologies, keeping data encrypted during processing (runtime encryption). Contrast installs as a day-2 operation into existing Kubernetes clusters via a CLI, and does not require modifications to existing workloads beyond adjustments to Kubernetes deployment YAML files. Core mechanisms include: - Remote attestation: Contrast generates a single attestation statement for an entire deployment, verifying that the running environment matches a defined manifest. - Identity and key management: Contrast manages cryptographic keys for containers, provisions certificates, and establishes mutual TLS (mTLS) connections between containers. - Runtime policy enforcement: Access control policies are enforced via cryptographic verification, enabling multi-party scenarios and restricting even cluster administrators from accessing application data. Contrast is licensed under the Business Source License 1.1 (BSL). It is source-available and free to test, but requires a commercial license for production use. Supported platforms include managed Kubernetes on AWS (EKS), OVH, Scaleway, and Google Cloud (GKE, preview), as well as Microsoft Azure (AKS, preview for nested virtualization). Production deployments are recommended on bare metal nodes with AMD SEV-SNP or Intel TDX support. Contrast is distinct from Edgeless Systems' other product, Constellation, which isolates entire Kubernetes clusters rather than individual workloads.