diff --git a/docs/docs/basics/confidential-containers.md b/docs/docs/basics/confidential-containers.md index e69de29bb2..850ff6b8f3 100644 --- a/docs/docs/basics/confidential-containers.md +++ b/docs/docs/basics/confidential-containers.md 
@@ -0,0 +1,30 @@ +# Confidential Containers + +Contrast uses some building blocks from [Confidential Containers](https://confidentialcontainers.org) (CoCo), a [CNCF Sandbox project](https://www.cncf.io/projects/confidential-containers/) that aims to standardize confidential computing at the pod level. +The project is under active development and many of the high-level features are still in flux. +Contrast uses the more stable, core primitive provided by CoCo: its Kubernetes runtime. + +## Kubernetes Runtimes + +Kubernetes can be extended to use more than one container runtime with [`RuntimeClass`](https://kubernetes.io/docs/concepts/containers/runtime-class/) objects. +The [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) implementation, e.g. containerd, dispatches pod management API calls to the appropriate `RuntimeClass`. +`RuntimeClass` implementations are usually based on an [OCI runtime](https://github.com/opencontainers/runtime-spec), such as `runc`, `runsc` or `crun`. +In CoCo's case, the runtime is Kata Containers with added confidential computing capabilities. + +## Kata Containers + +[Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs. +Inside the guest VM, an agent process spawns a ttRPC service and accepts commands from the host, such as `StartContainer` or `ExecProcess`. +In confidential mode, the guest agent is configured with an [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) policy to authorize API calls from the host. +This policy also contains checksums for the expected container images. +It is derived from Kubernetes resource definitions and its checksum is included in the attestation report. + +Kata Containers operates in one of two modes: VMs local to the Kubernetes node, or remote VMs. +Using local VMs requires either bare metal servers or VMs with support for nested virtualization. 
+Remote VMs, also known as peer pods, are spawned through cloud provider APIs, their ttRPC API is forwarded over the cloud network. + +## AKS CoCo Preview + +[Azure Kubernetes Service](https://learn.microsoft.com/en-us/azure/aks/) (AKS) provides CoCo-enabled node pools as a [preview offering](https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview). +These node pools leverage Azure VM types capable of nested virtualization and the CoCo stack is pre-installed. +Contrast can be deployed directly into a CoCo-enabled AKS cluster.
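Review bot: The peer-pods sentence near the end of the "Kata Containers" section is a comma splice ("...are spawned through cloud provider APIs, their ttRPC API is forwarded over the cloud network."); join the clauses with "and" or a semicolon, e.g. "Remote VMs, also known as peer pods, are spawned through cloud provider APIs, and their ttRPC API is forwarded over the cloud network." While there, the section lists two Kata modes (local VMs vs. remote VMs) but never says which one Contrast relies on; the "AKS CoCo Preview" section only implies local VMs via nested virtualization, so a sentence stating it explicitly after "Using local VMs requires either bare metal servers or VMs with support for nested virtualization." would help readers understand that the trust boundary stays on the node rather than crossing the cloud network. Minor style: "These node pools leverage Azure VM types" reads better as "use Azure VM types".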