Open-Source Constellation K8 Engine Aims to Bring Confidential Computing to Kubernetes

Constellation is a Kubernetes engine that shields Kubernetes clusters from the rest of the cloud infrastructure using confidential computing and confidential VMs. This creates a confidential context that ensures data is always encrypted, both at rest and in memory.

Constellation is the first always-encrypted Kubernetes (K8s). This means, a K8s where all your workloads and control plane are completely shielded, and you can remotely verify that they are so, with cryptographic certificates.

According to Edgeless Systems, creator of Constellation, confidential computing is the future of cloud computing since it brings security and confidentiality to data and workflows running in the public cloud.

With Constellation, Kubernetes nodes run inside confidential virtual machines. Confidential machines can be seen as an evolution of the secure enclave, says Edgeless Systems, extending the three tenets of confidential computing – that is, runtime encryption, isolation, and remote attestation – to the whole virtual machine.

Constellation is designed to keep all data always encrypted and to prevent access from the infrastructure layer. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges).

Confidential VMs leverage specific support for confidential computing provided by the underlying hardware, including AMD Secure Encrypted Virtualization (SEV) and SEV-Secure Nested Paging (SEV-SNP), and Intel Trust Domain Extensions (TDX). Furthermore, last year ARM announced its new V9 design, which includes confidential VM features called Realms.

Besides "always-on" encryption, Constellation aims to enable attestation, i.e. verification through the use of cryptographic certificates, at the cluster level. Confidential VMs in Constellation use Fedora CoreOS, which is optimized for containers and is based on an immutable file system. Additionally, Constellation uses Sigstore to secure the DevOps chain of trust.

When building Constellation images the process entails creating the ground truth runtime measurements. The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone.

One concern that the use of confidential computing may raise is performance. Indeed, encryption has an impact on performance, but according to a benchmark carried out jointly by AMD and Microsoft, this implies only a small performance degradation of between 2% and 8%. According to Edgeless Systems, similar performance can be expected for intensive workloads on Constellation.

Constellation is compatible with all major clouds, including GCP and Azure, and is CNCF-certified, which should ensure compatibility with other Kubernetes workloads and tools.
