
Interview with Ant Group’s Trusted Native Team: Cloud‑Native Infrastructure, Service Mesh, Secure Containers, and Confidential Computing

The article interviews Ant Group’s Trusted Native team, detailing their cloud‑native infrastructure roadmap—including middleware mesh, SOFAStack, secure container runtimes like Kata and MOSN, confidential‑computing platforms such as Occlum, HyperEnclave and KubeTEE—while highlighting open‑source strategy, security considerations, and productization efforts.


Ant Group’s Trusted Native team aims to build a complete set of cloud‑native infrastructure components—PaaS, Service Mesh, and custom hardware—so that enterprises can focus on business development without worrying about underlying infrastructure.

Team members Wang Xu, Song Shun, and others discuss the evolution of Ant’s middleware from monolithic to cloud‑native architectures, the development of the financial‑grade distributed middleware SOFAStack, and its transition to a mesh‑centric fifth generation.

Key middleware requirements include high availability, scalability, strong consistency, and sub‑second monitoring, leading to the creation of SOFAMesh (a control‑plane fork of Istio) and MOSN, a Golang‑based data‑plane designed to replace the C++‑based Istio for large‑scale deployments.

The team also examines the challenges of adopting Serverless and the cautious approach taken within Ant Group.

In the security domain, the article covers the evolution of secure containers—from runV to Kata Containers—and the three major improvements in Kata 3.0: Rust‑based implementation, image acceleration via Nydus, and support for confidential computing.

Open‑source philosophy is emphasized as a way to gain developer trust, accelerate innovation, and improve product quality, with projects such as SOFAStack, Kata, and others being openly released.

Privacy‑enhancing technologies are addressed through Trusted Execution Environments (TEE). Ant’s Occlum project, written in Rust, provides a Linux‑like experience inside SGX enclaves and has been widely adopted, while HyperEnclave offers a China‑specific, SGX‑compatible TEE platform.

To extend confidential computing to large clusters, the team created KubeTEE, which integrates TEE with Kubernetes for distributed proof‑of‑work and key management.

These components—Occlum, HyperEnclave, and KubeTEE—form the SOFAEnclaves stack, solving major challenges in confidential computing deployment.

Hardware‑software co‑design is also highlighted: custom secure‑boot chips, cryptographic accelerators, and integrated appliances (e.g., privacy‑computing and blockchain appliances) provide a trusted foundation for the cloud‑native stack.

The team’s culture of openness, responsibility, and high standards drives the continuous evolution of the infrastructure, ensuring reliability, security, and performance for Ant Group’s diverse business lines.

Tags: cloud native, open source, service mesh, infrastructure, confidential computing, secure containers

Written by

AntTech

Technology is the core driver of Ant's future creation.
