Constellation – The First Always-Encrypted Kubernetes Engine

Constellation is the first fully confidential Kubernetes, released as open source in September.

It leverages confidential computing technology to shield entire clusters and all workloads from cloud infrastructure. From the inside, it’s a fully-featured, CNCF-certified K8s engine. From the outside, it’s 100% confidential.

The term confidential Kubernetes refers to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. This means:

Workload shielding: the confidentiality and integrity of all workload-related data and code are enforced.

Control plane shielding: the confidentiality and integrity of the cluster’s control plane, state, and workload configuration are enforced.

Attestation and verifiability: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates.

Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps.

How does it work

The building blocks for Constellation are confidential Kubernetes nodes. Instead of protecting individual workloads, we have put the K8s nodes inside Confidential Virtual Machines (CVMs) so that any workload that runs inside these VMs is automatically runtime encrypted. In addition, Constellation automatically encrypts all data that is sent over the network or written to storage, so basically data is not “only” encrypted at runtime, but that every single byte that goes on the wire or to cloud storage gets encrypted so that there are no gaps.

This doesn’t require any additional coding: nodes are created as in any other Kubernetes cluster with an easy CLI command, which will launch confidential VMs running a Linux image that is made to run containerized workloads.

Then the cluster is initialized: we have a component in the control plane which is connected to all the nodes, can verify them though remote attestation and bootstraps them all together in one confidential overlay.

Your cluster will still have all the properties and benefits that a normal Kubernetes clusters have.

Then, the integrity of the nodes cand be verified through a process of attestation, where only “good” nodes, meaning the ones that are running a signed Constellation image and are in the expected state, get the cryptographic keys required to access the network and storage of a cluster. Finally, a single hardware-rooted certificate is provided to the DevOps so that integrity can be verified.

Additional features

➤ Supply chain protection with Sigstore

➤ Automatic and config-free encryption of cloud storage

➤ All node-to-node networking is based on Cilium

Constellation Use Cases

Being able to fully shield your Kubernetes deployments has several different use cases. Here are a few of them:

• Increased security of your clusters
• Increased competitiveness of your SaaS offerings – there is no need to trust the cloud provider anymore, and additionally you can prove that the clusters are encrypted with a hardware rooted cryptographic attestation
• Meet compliance requirements (GDPR, HIPAA)
• You can get all the benefits of moving to the public cloud like improving cost-efficiency, reliability, and scalability of business applications, without the risks

Conclusion

As security continues to grow in priority for all industries, Constellation has the potential to provide you with the easiest and safest way to protect your data. As a developer it’s worthwhile to familiarize yourself with Constellation.

By Edgeless Systems
Source CNCF