docs: misc fixes and rewording

This commit is contained in:
Thomas Tendyck 2022-11-09 14:34:03 +01:00 committed by Thomas Tendyck
parent 0d12e37c96
commit 01fbfeebb9
10 changed files with 67 additions and 65 deletions


@ -56,7 +56,7 @@ Encrypting your K8s is good for:
<a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a> <a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
* Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools. * Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
* Support for Azure and GCP (more to come). * Support for Azure, GCP, and AWS.
* Support for local installations with [MiniConstellation][first-steps-local]. * Support for local installations with [MiniConstellation][first-steps-local].
## Getting started ## Getting started
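Review bot: the new bullet `* Support for Azure, GCP, and AWS.` sits in a README section whose context line reads "Encrypting your K8s is good for:", but the clouds overview edited in this same commit states that on AWS Constellation runs on regular EC2 instances without runtime encryption and with the Nitro hypervisor inside the TCB. Listing AWS alongside the two CVM-backed clouds without a qualifier implies parity the product does not claim; suggest `* Support for Azure, GCP, and AWS (AWS currently without runtime encryption, see the clouds overview).` or a footnote link to that page.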


@ -218,8 +218,8 @@ The last missing link is how the ground truth in the form of runtime measurement
The build process of Constellation images also creates the ground truth runtime measurements. <!-- soon: The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. --> The build process of Constellation images also creates the ground truth runtime measurements. <!-- soon: The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. -->
With every release, Edgeless Systems publishes signed runtime measurements. With every release, Edgeless Systems publishes signed runtime measurements.
The release binary is also signed by Edgeless Systems. The CLI executable is also signed by Edgeless Systems.
The [installation guide](../architecture/orchestration.md#verify-your-cli-installation) explains how you can verify this signature. You can [verify its signature](../workflows/verify-cli.md).
The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems. The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems.
When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image. When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image.
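Review bot: the chain of trust laid out here (signed CLI, CLI carries the public key, CLI verifies the signed measurements) only holds if the reader actually checks the CLI signature, yet the new sentence `You can [verify its signature](../workflows/verify-cli.md).` reads as optional. Suggest making the dependency explicit, e.g. "Verify its signature as described in the verify-cli workflow before relying on the measurement checks below; the embedded public key is only trustworthy if the CLI is." Also confirm no other page still links to the old anchor `../architecture/orchestration.md#verify-your-cli-installation`, since this commit renames another anchor on that page as well.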


@ -318,15 +318,13 @@ This action is irreversible and ALL DATA WILL BE LOST.
Do you want to continue? [y/n]: Do you want to continue? [y/n]:
``` ```
After confirming with either `y` or `yes`, the cluster will be terminated : Confirm with `y` to terminate the cluster:
```shell-session ```shell-session
Terminating ... Terminating ...
Your Constellation cluster was terminated successfully. Your Constellation cluster was terminated successfully.
``` ```
For automation purposes, you can skip the prompt by passing `--yes` as a flag to `constellation terminate`.
:::tip :::tip
On Azure, if you have used the `az` script, you can keep the prerequisite resources and reuse them for a new cluster. On Azure, if you have used the `az` script, you can keep the prerequisite resources and reuse them for a new cluster.
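Review bot: dropping the line `For automation purposes, you can skip the prompt by passing `--yes` as a flag to `constellation terminate`.` leaves this step-by-step page with no mention of the non-interactive path, while the same flag is documented on the terminate workflow page in this commit. Consider keeping a one-line pointer ("Pass `--yes` to skip the prompt; see the terminate workflow page.") rather than removing it outright. Separately, the new `Confirm with `y` to terminate the cluster:` drops the old statement that `yes` is accepted too; if both inputs remain valid, say so.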


@ -32,7 +32,7 @@ The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/doc
## Amazon Web Services (AWS) ## Amazon Web Services (AWS)
AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM], which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
## OpenStack ## OpenStack
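Review bot: "AWS proprietary Nitro Enclaves" needs a possessive or an article ("AWS's proprietary Nitro Enclaves" or "The proprietary AWS Nitro Enclaves"). On substance, the closing sentence `Hence, the hypervisor is currently part of Constellation's TCB.` is the decisive security caveat for AWS and this paragraph is the only place it is stated; now that the README and product overview list AWS as supported in this same commit, both should link to this section so the caveat is one click away.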


@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
From an operational perspective, Constellation provides the following key features: From an operational perspective, Constellation provides the following key features:
* **Native support for different clouds**: Constellation works on Microsoft Azure and Google Cloud Platform (GCP). Support for Amazon Web Services (AWS) and OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
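Review bot: `Both with a single command.` in the Day-2 bullet is a sentence fragment; fold it in: "Constellation lets you securely upgrade your cluster to a new release and securely recover a failed cluster, each with a single command." In the first bullet, the new list "Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS)" follows a page opening that cites the Confidential Kubernetes security model; since the clouds overview in this commit documents AWS as running without runtime encryption, add a short qualifier or link there so the AWS entry is not read as equivalent to the CVM-backed clouds.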


@ -64,7 +64,7 @@ constellation create --control-plane-nodes 1 --worker-nodes 2
For details on the flags, consult the command help via `constellation create -h`. For details on the flags, consult the command help via `constellation create -h`.
*create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#installation-process) file in your current directory. *create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#cluster-creation-process) file in your current directory.
## The *init* step ## The *init* step
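Review bot: the anchor change from `#installation-process` to `#cluster-creation-process` implies the heading in architecture/orchestration was renamed; grep the docs for other links to the old anchor (the attestation page in this commit still pointed at `orchestration.md#verify-your-cli-installation` before its edit, so that page has been restructured more than once), and consider a CI check for dangling intra-doc anchors so these do not regress silently.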


@ -90,7 +90,7 @@ This means that you have to recover the node manually.
</tabItem> </tabItem>
<tabItem value="aws" label="AWS"> <tabItem value="aws" label="AWS">
First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your Constellation. Select the ASG of the control-plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state. First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**.
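Review bot: `check that enough members are in a *Running* state` is vague on a recovery page, where the reader needs a concrete criterion; state the expected count (the number of control-plane nodes the cluster was created with) or what "enough" means for the stacked etcd control plane. Also say where the reader finds the `<UID>` in `<cluster-name>-<UID>-control-plane`, since matching that ASG name is the only way to pick the right group in the console.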


@ -14,6 +14,12 @@ Terminate the cluster by running:
constellation terminate constellation terminate
``` ```
Or without confirmation (e.g., for automation purposes):
```bash
constellation terminate --yes
```
This deletes all resources created by Constellation in your cloud environment. This deletes all resources created by Constellation in your cloud environment.
All local files created by the `create` and `init` commands are deleted as well, except for `constellation-mastersecret.json` and the configuration file. All local files created by the `create` and `init` commands are deleted as well, except for `constellation-mastersecret.json` and the configuration file.
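Review bot: the new `Or without confirmation (e.g., for automation purposes):` introduces `constellation terminate --yes` without saying what the flag bypasses; the prompt it skips is the one that warns the action is irreversible and all data will be lost (see the first-steps page in this commit). Suggest: "To skip the confirmation prompt, for example in CI, pass `--yes`. This removes the only safeguard against terminating the wrong cluster." And since the first-steps page lost its `--yes` sentence in this commit, link from there to this section.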


@ -14,7 +14,7 @@ Constellation supports trusted launch VMs with instance types `Standard_D*_v4` a
Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription.
The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three digits to download a different version. The latest image is available at <https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img>. Simply adjust the version number to download a newer version.
After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
You can use a script to do this: You can use a script to do this:
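Review bot: `The latest image is available at <https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img>.` hard-codes a version in a sentence that claims to point at the latest, so it will go stale on the next release. Phrase it as the version matching the CLI in use ("Download the image whose version matches your CLI release, for example v2.2.0: ..."), since the measurements fetched further down are per-version and a version mismatch would fail attestation.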
@ -22,21 +22,21 @@ You can use a script to do this:
```bash ```bash
wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh
chmod +x importAzure.sh chmod +x importAzure.sh
AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh
``` ```
The script creates the following resources: The script creates the following resources:
1. A new image gallery with the default name `constellation-import` 1. A new image gallery with the default name `constellation-import`
2. A new image definition with the default name `constellation` 2. A new image definition with the default name `constellation`
3. The actual image with the provided version. In this case `2.0.0` 3. The actual image with the provided version. In this case `2.2.0`
Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
Fetch the image measurements: Fetch the image measurements:
```bash ```bash
IMAGE_VERSION=2.0.0 IMAGE_VERSION=2.2.0
URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$IMAGE_VERSION/measurements.yaml URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml
constellation config fetch-measurements -u$URL -s$URL.sig constellation config fetch-measurements -u$URL -s$URL.sig
``` ```
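Review bot: the import script is fetched from the unpinned `main` branch (`wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh`) and executed, so its behaviour can change under the reader and need not match the pinned image version `2.2.0` used two lines later; reference the script at the release tag that corresponds to the image version instead. Also, the measurements URL keeps a double slash (`amazonaws.com//communitygalleries/...`) after the path was lowercased; confirm whether that is intentional.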


@ -15,15 +15,13 @@ This command performs the following steps:
2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). 2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
3. Write measurements into configuration file. 3. Write measurements into configuration file.
After the command succeeded the configuration file will contain a list of key value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`. The configuration file then contains a list of key-value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
Not all keys under `measurements` will have a matching index under `enforcedMeasurements`. Not all keys under `measurements` will have a matching index under `enforcedMeasurements`.
This is because only a subset of the available measurements can be locally reproduced and verified. This is because only a subset of the [available measurements](../architecture/attestation.md#runtime-measurements) can be locally reproduced and verified.
These non-reproducible values typically measure parts of the boot process that are controlled by the CSP.
You can find a list with descriptions in the [runtime measurements](../architecture/attestation.md#runtime-measurements) section.
During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) will compare each [measurement](../architecture/attestation.md##runtime-measurement) reported by the issuing side (first node or joining node) individually. During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually.
For mismatching measurements that are set under the `measurements` key a warning will be emitted. For mismatching measurements that are only set under the `measurements` key a warning is emitted.
For mismatching measurements that are additionally set under `enforcedMeasurements` an error will be emitted and attestation fails. For mismatching measurements that are additionally set under `enforcedMeasurements` an error is emitted and attestation fails.
If attestation fails, the new node can't join the cluster. If attestation fails, the new node can't join the cluster.
## The *verify* command ## The *verify* command
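Review bot: removing `These non-reproducible values typically measure parts of the boot process that are controlled by the CSP.` takes out the one sentence that tells the reader what a non-enforced measurement represents. That matters here, because the next paragraph says a mismatch in a measurement listed only under `measurements` merely emits a warning: the reader should understand that those indices cover CSP-controlled boot stages and are therefore implicitly trusted. Keep the sentence (or a shortened form) next to the new link to the runtime measurements section rather than relying on the link alone.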
@ -49,7 +47,7 @@ Once the above properties are verified, you know that you are talking to the rig
The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following: The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:
* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verification-service). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. * The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. * The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.
For example: For example:
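Review bot: the anchor `#verificationservice` now matches the `#joinservice` style used on the fetch-measurements page, but both depend on how the components page renders its headings; if those headings are "JoinService" and "VerificationService" the anchors resolve, otherwise both break at once. A doc link checker in CI would catch this class of change.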