Confidential Computing at Scale with Open-Source Confidential Kubernetes
Published Oct 21 2022 03:05 PM 5,157 Views
Regular Visitor

With the number of data breaches increasing and the average cost per breach having been as high as $4.24 million in 2021, it is imperative for companies to ensure state-of-the-art protection for their data. Encryption of data at rest and in transit is already standard today and oftentimes even a regulatory requirement. Data in use, however, is posing a bigger challenge, but confidential computing is here to solve this. “It protects data when in use, as well as at rest and in transit, thanks to the enclaves that encrypt and isolate code and data in a zero-trust environment, where even Azure as the cloud provider does not have access”, said Microsoft CEO Satya Nadella in his keynote at MS Build, highlighting new infrastructure offerings available in Azure.


But how to deploy, manage, and scale workloads securely on confidential-computing infrastructure?


Introducing Constellation, the world’s first Confidential Kubernetes


Kubernetes is a popular framework for managing and scaling containerized applications in the cloud and elsewhere.


Constellation from Edgeless Systems brings confidential computing and Kubernetes together. It is the first Kubernetes engine designed for confidential computing and was released as open source just earlier this month.


Constellation concept


Constellation keeps all data in a Kubernetes deployment encrypted---at rest, in transit, and during processing in memory. Constellation protects the integrity of the control plane and the workload. Finally, Constellation makes these properties easily verifiable.


With Constellation, your Kubernetes cluster is shielded as a whole from the cloud environment and is protected against both hackers and insider threat.


How it works


Azure offers AMD SEV-SNP based Confidential VMs (CVMs) and Constellation takes full advantage of their features. Fundamentally, Constellation runs all nodes of a Kubernetes cluster inside CVMs. This gives runtime encryption for the entire cluster. Constellation augments this with transparent encryption of the network and cloud storage. The cryptographic keys for this are managed by Constellation inside CVMs.


To ensure that only legitimate nodes get access to data, Constellation verifies their integrity using the remote attestation feature of CVMs. This way, Constellation ensures that all nodes run the same official Constellation images. These images are based on Fedora CoreOS. They are minimal and purpose-built for confidential computing and Kubernetes. If a given image is “official” or not is checked based on the Sigstore public ledger, to which we (Edgeless Systems) publish hashes for each new release.


Towards the DevOps engineer, Constellation provides a single confidential computing-based certificate from which all of the above can be verified.


Use cases


There are three big use cases for Constellation and the Confidential Kubernetes concept in general. The first one is straightforward: increasing the security of existing cloud-based apps reduces the risk of data breaches. The second use case is closely related: increasing the security of SaaS applications attracts security-conscious and regulated customers. And finally, the third one: moving sensitive or regulated workloads from on-prem to the cloud saves costs and increase flexibility and scale. The last one is particularly relevant in our native Germany and Europe in general, where companies and institutions are oftentimes still not able to move certain workloads to the cloud.


How to get started with Constellation (from a DevOps engineer’s perspective)


Constellation is a CNCF-certified Kubernetes. This means you can expect it to work with your existing Kubernetes workloads and tooling. The best way to get started is to install the Constellation CLI tool and connect it to your Microsoft Azure subscription.


Constellation CLI


After this, you can get your Constellation cluster running within minutes using the three simple commands create, init, and verify. The verify command fetches the cluster’s certificate (see above) and automatically verifies it.


The cluster is now ready, and end-to-end encrypted. The final step is to load the auto-generated kubeconfig file and use your existing tooling like kubectl to drive the cluster.


Final thoughts


We’re tremendously proud that we released Constellation as open source this month, making it the first available Confidential Kubernetes. The whole team and I are keen to get your feedback and learn about your use cases. Please feel free to reach out to me directly via LinkedIn or Twitter! You can find code and the docs on GitHub. Looking forward to your stars, issues, and pull requests.



Version history
Last update:
‎Oct 21 2022 11:05 AM
Updated by: