Constellation is a Kubernetes engine that shields Kubernetes clusters from the rest of the cloud infrastructure using confidential computing and confidential VMs. This creates a confidential context This ensures data is always encrypted, both at rest and in storage.
Constellation is the first always-encrypted Kubernetes (K8s). That means a K8s with all your workloads and the control plane fully shielded, and you can verify this remotely with cryptographic certificates.
According to Edgeless Systems, creator of Constellation, Confidential Computing is the future of cloud computing as it brings security and confidentiality to data and workflows in the public cloud.
With Constellation, Kubernetes nodes run in confidential virtual machines. Confidential machines can be considered an evolution of the safe enclavesays Edgeless Systems, extending the three tenets of confidential computing—that is, runtime encryption, isolation, and remote acknowledgment—to the entire virtual machine.
Constellation is designed to always keep all data encrypted and prevent access from the infrastructure layer. This includes access from data center staff, privileged cloud administrators, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges).
Sensitive VMs leverage specific confidential computing support provided by the underlying hardware, including AMD Secure Encrypted Virtualization (AEM) and SEV-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX). In addition, last year ARM announced its new V9 design with confidential VM functions called Realms.
In addition to “always-on” encryption, Constellation aims to make this possible Certificate, ie verification through the use of cryptographic certificates, at the cluster level. Confidential VMs in Constellation use Fedora CoreOS, which is optimized for containers and based on an immutable file system. Additionally, Constellation uses Sigstore to secure the DevOps chain of trust.
When creating constellation images, the process involves creating the ground truth time-of-flight measurements. Constellation image builds are reproducible and an image’s measurements can be recalculated and verified by anyone.
One problem that using confidential computing can create is performance. Encryption does affect performance, but according to a benchmark conducted jointly by AMD and Microsoft, this only means a small drop in performance of between 2% and 8%. According to Edgeless Systems, similar performance can be expected for intensive workloads on Constellation.
Constellation is compatible with all major clouds, including GCP and Azure, and is CNCF certified, which should ensure compatibility with other Kubernetes workloads and tools.