diff --git a/docs/docs/architecture/networking.md b/docs/docs/architecture/networking.md index 1b9a2022d..bc887a0b1 100644 --- a/docs/docs/architecture/networking.md +++ b/docs/docs/architecture/networking.md 
@@ -1,22 +1,24 @@ # Network encryption Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni). -To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin. +For this, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin. Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/gettingstarted/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/). Currently, Constellation only supports WireGuard as the encryption engine. -You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf). +You can learn more about the cryptographic properties of WireGuard in their [white paper](https://www.wireguard.com/papers/wireguard.pdf). -Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard. +Cilium is working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard. With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod). Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption. -This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels. +This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels. (**FS: what does this mean? Should this be followed by an alert box or anything?**) When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted) that can cause pod-to-pod traffic to be unencrypted. 
To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption. -This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped. +This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext. Instead, the traffic is dropped. The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range. +(**FS: what does this mean?**) Traffic originating from hosts isn't encrypted yet. This mainly includes health checks from Kubernetes API server. Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted. +(**FS: what does this mean???**) diff --git a/docs/docs/architecture/orchestration.md b/docs/docs/architecture/orchestration.md index 098c0b4f4..b523e8295 100644 --- a/docs/docs/architecture/orchestration.md +++ b/docs/docs/architecture/orchestration.md 
@@ -47,9 +47,9 @@ In addition, the cluster's [identifier](orchestration.md#post-installation-confi ## Post-installation configuration -Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/). +Post installation, the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/). The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server. -Once configured, orchestrate the Kubernetes cluster via `kubectl`. +Once configured, you can orchestrate the Kubernetes cluster via `kubectl`. Make sure to keep the state files such as `terraform.tfstate` in the workspace directory to be able to manage your cluster later on. Without it, you won't be able to modify or terminate your cluster. diff --git a/docs/docs/architecture/versions.md b/docs/docs/architecture/versions.md index 6fa365f6c..cf26d65bf 100644 --- a/docs/docs/architecture/versions.md +++ b/docs/docs/architecture/versions.md @@ -1,7 +1,7 @@ # Versions and support policy All [components](components.md) of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. +The components are released in lock step, usually on the first Tuesday of every month. The monthly releases primarily introduce new features, but may also include security or performance improvements. The `MINOR` version is incremented with each monthly release. Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window.
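Review bot: In the networking.md hunk, the three added `(**FS: what does this mean?**)` markers are reviewer questions embedded in the published page text and must not be merged as-is; either answer them in the prose or move them to PR comments. Two of them point at real gaps worth closing here: the strict-mode paragraph should state plainly which traffic is dropped (destinations inside the pod CIDR with no known endpoint) and which is still forwarded (destinations outside the pod CIDR), and the closing paragraph on unencrypted host-originated traffic (API server health checks, `kubectl port-forward`) is a security caveat that belongs in an admonition box, as the first marker already suggests. While the line is being touched, "to not be send out in plaintext" and "traffic that's send to a pod" should read "sent", and "health checks from Kubernetes API server" needs "the".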
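Review bot: In the orchestration.md hunk, the unchanged context line "Make sure to keep the state files such as `terraform.tfstate` ... Without it, you won't be able to modify or terminate your cluster." mixes plural and singular; since the paragraph is being edited anyway, change "Without it" to "Without them". The wording changes on the two `+` lines ("Post installation, the CLI provides", "you can orchestrate") read fine.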
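Review bot: In the versions.md hunk, the unchanged context line says versions have "the form `v..`", so the placeholders that the rest of the paragraph refers to as `MINOR` and `PATCH` are not visible in the rendered text; check whether angle-bracketed placeholders are being swallowed by the Markdown renderer and write the form out explicitly, for example "`v` followed by `MAJOR.MINOR.PATCH`". The same sentence says "three-digit version number", but each component can exceed one digit, so "three-part" is the accurate term. On the added `+` line, "may be created on demand, to fix security issues or bugs" does not need the comma.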