mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-12 16:09:39 -05:00
docs: add s3proxy to features
This commit is contained in:
parent
ab8a17e535
commit
3255ce3e72
14
README.md
14
README.md
@ -34,7 +34,9 @@ Encrypting your K8s is good for:
|
|||||||
### 🔒 Everything always encrypted
|
### 🔒 Everything always encrypted
|
||||||
|
|
||||||
* Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
|
* Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
|
||||||
* Transparent encryption of network and storage: All pod-to-pod traffic and all writes to persistent storage are [automatically encrypted][network-encryption]
|
* Transparent encryption of network: All [pod-to-pod traffic is automatically encrypted][network-encryption]
|
||||||
|
* Transparent encryption of storage: All writes to persistent storage are automatically encrypted.
|
||||||
|
This includes [nodes' state disks][storage-encryption], [persistent volumes via CSI][csi], and [S3 object storage][s3proxy].
|
||||||
* Transparent key management: All cryptographic [keys are managed within the confidential context][key-management]
|
* Transparent key management: All cryptographic [keys are managed within the confidential context][key-management]
|
||||||
|
|
||||||
### 🔍 Everything verifiable
|
### 🔍 Everything verifiable
|
||||||
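Review bot: the new sentence `This includes [nodes' state disks][storage-encryption], [persistent volumes via CSI][csi], and [S3 object storage][s3proxy].` sits on its own unindented line directly under the `* Transparent encryption of storage:` bullet; Markdown only keeps it inside the list item as a lazy continuation if nothing separates the two lines, so indent it by two spaces or fold it into the bullet to make the list structure explicit and lint-proof. Separately, the bullet now states that all writes to persistent storage are automatically encrypted and lists S3 among them, while the link target is named s3proxy, which suggests the S3 encryption applies to traffic routed through that proxy; qualifying the item as "S3 object storage via s3proxy" would keep readers from assuming that direct S3 access from a pod is covered.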
@ -72,8 +74,9 @@ If you're already familiar with Kubernetes, it's easy to get started with Conste
|
|||||||
## Live demos
|
## Live demos
|
||||||
|
|
||||||
We're running public instances of popular software on Constellation:
|
We're running public instances of popular software on Constellation:
|
||||||
* Rocket.Chat: https://rocket.edgeless.systems/ ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
|
|
||||||
* GitLab: https://gitlab.edgeless.systems/ ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
|
* Rocket.Chat: <https://rocket.edgeless.systems/> ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
|
||||||
|
* GitLab: <https://gitlab.edgeless.systems/> ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
|
||||||
|
|
||||||
These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.
|
These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.
|
||||||
|
|
||||||
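Review bot: the hunk header reports one added line (`-72,8 +74,9`), but the only visible change in this region is wrapping the two bare URLs in `<...>` autolinks; confirm the extra line (likely a blank line the rendered view dropped) is intended. The autolink change is a markdown-lint style fix unrelated to the commit subject "add s3proxy to features", so either mention it in the commit message or split it into its own commit so the docs change stays self-describing.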
@ -102,7 +105,7 @@ Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most imp
|
|||||||
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
||||||
|
|
||||||
> **Warning**
|
> **Warning**
|
||||||
> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to security@edgeless.systems.
|
> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to <security@edgeless.systems>.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
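Review bot: `<security@edgeless.systems>` is the correct autolink form and renders as a mailto link, so this matches the URL autolinks in the previous hunk and changes nothing functionally. Like that hunk, it is a lint clean-up riding along with the feature commit; the commit message should say so, since a reader looking for the s3proxy change will otherwise wonder why the security-reporting line moved.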
@ -126,6 +129,9 @@ The Constellation source code is licensed under the [GNU Affero General Public L
|
|||||||
[key-management]: https://docs.edgeless.systems/constellation/architecture/keys
|
[key-management]: https://docs.edgeless.systems/constellation/architecture/keys
|
||||||
[license]: https://docs.edgeless.systems/constellation/overview/license
|
[license]: https://docs.edgeless.systems/constellation/overview/license
|
||||||
[network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
|
[network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
|
||||||
|
[storage-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#storage-encryption
|
||||||
|
[csi]: https://docs.edgeless.systems/constellation/workflows/storage
|
||||||
|
[s3proxy]: https://docs.edgeless.systems/constellation/workflows/s3proxy
|
||||||
[supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
|
[supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
|
||||||
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
|
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
|
||||||
[twitter]: https://twitter.com/EdgelessSystems
|
[twitter]: https://twitter.com/EdgelessSystems
|
||||||
|
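Review bot: the three new definitions `[storage-encryption]`, `[csi]` and `[s3proxy]` cover every new reference introduced in the first hunk, so no dangling link is added. Two of them depend on page anchors (`#storage-encryption`, alongside the existing `#network-encryption`), and a missing anchor degrades silently to the top of the keys page, so verify those headings exist on the published docs. The definition list is not alphabetical (supply-chain precedes security-benefits), so inserting the new entries after network-encryption is consistent with the existing style.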
@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
|
|||||||
Constellation implements the Confidential Kubernetes concept with the following security features.
|
Constellation implements the Confidential Kubernetes concept with the following security features.
|
||||||
|
|
||||||
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
|
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
|
||||||
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
|
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
|
||||||
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
|
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
|
||||||
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
|
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
|
||||||
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
|
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
|
||||||
|
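Review bot: "other managed storage like [AWS S3]" is vaguer than the README wording in this same commit, which names S3 object storage explicitly; since S3 is the only managed storage linked, write "and [AWS S3 object storage](...)" and, because the link points at the encrypted-storage page's S3 section, state that the encryption applies to traffic routed through s3proxy rather than to every S3 access. The hunk's link targets are relative (`../architecture/...`), so the edited page must live beside the architecture directory; the rendered diff omits the file name, so confirm this is the intended page.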
@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
|
|||||||
Constellation implements the Confidential Kubernetes concept with the following security features.
|
Constellation implements the Confidential Kubernetes concept with the following security features.
|
||||||
|
|
||||||
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
|
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
|
||||||
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
|
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
|
||||||
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
|
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
|
||||||
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
|
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
|
||||||
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
|
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
|
||||||
|
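Review bot: this hunk is identical to the previous one, which indicates the same page exists in two locations (presumably a current and a versioned copy of the docs). Updating both keeps them consistent, but if the second copy belongs to an already-released docs version, it now advertises S3 encryption for a release that may not ship s3proxy; check which version folder it lives in before merging, and mention in the commit message that both copies were updated.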