Show HN: Constellation – An always encrypted Kubernetes engine (github.com)
14 points by flxflx 1377 days ago
Hey HN,

my colleagues and I have been working on Constellation for 1.5+ years. We open-sourced it today under AGPLv3. It's a standalone Kubernetes engine/distribution that operations-wise is very much vanilla K8s (v1.24). Security-wise, it comes with some new concepts: It's designed to shield K8s clusters as a whole from the cloud. The goal is that not even the cloud provider and its employees can access any data in a cluster. Constellation basically ensures that all nodes in a cluster (1) run inside verified "Confidential VMs" and (2) encrypt all network traffic and storage.

Confidential VMs are VMs that have the AMD SEV feature. Intel TDX and Arm Realms are similar. CVMs protect workloads against a compromised host and malicious admins. For this, CVMs remain encrypted at runtime in memory, are strongly isolated, and have cool remote attestation capabilities. This is also often referred to as "confidential computing".

CVMs are currently available in Azure and GCP. Constellation comes with a Fedora CoreOS-based node image that is optimized for CVMs and protected with Sigstore. More info in the README/docs.

What do you think?

-Felix
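An added illustration, not Constellation's code and not the author's: a hypothetical Go sketch of the gate the post describes, where a node must prove through remote attestation that it runs the expected CVM image before it is handed the cluster's storage key. The report layout, measurement indices, `Measure`, `Verify` and `ReleaseKey` are all assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement is a boot-stage hash a CVM reports at attestation time.
// Indices and layout here are a simplified assumption, not a real format.
type Measurement [32]byte

// Report is a constructed stand-in for a node's attestation report.
type Report struct {
	Nonce        []byte
	Measurements map[int]Measurement
}

type Policy map[int]Measurement // measurements expected from the trusted node image

// Measure hashes an artifact (constructed strings below) into a Measurement.
func Measure(artifact string) Measurement { return sha256.Sum256([]byte(artifact)) }

// Verify rejects a report whose nonce is not the one we challenged with
// (replay) or whose measurements are missing or differ from the policy.
func Verify(p Policy, r Report, nonce []byte) error {
	if !bytes.Equal(r.Nonce, nonce) {
		return errors.New("nonce mismatch: report is stale or replayed")
	}
	for idx, want := range p {
		got, ok := r.Measurements[idx]
		if !ok || got != want {
			return fmt.Errorf("measurement %d missing or not from trusted image", idx)
		}
	}
	return nil
}

// ReleaseKey hands the storage key only to a node that verifies.
func ReleaseKey(p Policy, r Report, nonce, key []byte) ([]byte, error) {
	if err := Verify(p, r, nonce); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	policy := Policy{0: Measure("firmware-v1"), 4: Measure("node-image-v1")}
	nonce := []byte("challenge-1")
	tampered := Report{nonce, map[int]Measurement{0: Measure("firmware-v1"), 4: Measure("tampered")}}
	_, err := ReleaseKey(policy, tampered, nonce, []byte("cluster-key"))
	fmt.Println("tampered node:", err) // key withheld, mismatch reported
}
```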

3 comments

Really cool project!

Are there any downsides - for example performance or operational overhead - of using Constellation over vanilla K8s?

Thanks! There is some performance impact. How much depends on the workload. The impact comes from network, storage, and memory encryption. For most workloads the overhead should be rather small. We have a performance comparison with AKS and GKE: https://docs.edgeless.systems/constellation/overview/perform...

Interesting project! What is your target audience for something like this?

Thanks! Target audiences are: people running sensitive clusters on-prem for security reasons and wanting to move to the cloud. There's also regulation in Europe in the eHealth space that requires runtime encryption. Ultimately, I believe that keeping workloads always encrypted and verifiable can be valuable in many scenarios.

Congrats on the launch!