docs: add s3proxy to features

Thomas Tendyck 2023-10-12 14:07:58 +02:00 committed by Thomas Tendyck
parent ab8a17e535
commit 3255ce3e72
3 changed files with 12 additions and 6 deletions

View File

@ -34,7 +34,9 @@ Encrypting your K8s is good for:
### 🔒 Everything always encrypted
* Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
* Transparent encryption of network and storage: All pod-to-pod traffic and all writes to persistent storage are [automatically encrypted][network-encryption]
* Transparent encryption of network: All [pod-to-pod traffic is automatically encrypted][network-encryption]
* Transparent encryption of storage: All writes to persistent storage are automatically encrypted.
This includes [nodes' state disks][storage-encryption], [persistent volumes via CSI][csi], and [S3 object storage][s3proxy].
* Transparent key management: All cryptographic [keys are managed within the confidential context][key-management]
### 🔍 Everything verifiable
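Review bot: the new storage bullet states "All writes to persistent storage are automatically encrypted" and then folds S3 object storage into that claim, but the `[s3proxy]` reference points at a workflows page, i.e. a component the user deploys and routes traffic through, not a property every cluster has by default; consider wording it as "S3 object storage accessed via s3proxy" so readers don't assume their existing buckets are covered. Minor style point: the network bullet lost its trailing period while the storage bullet gained one; pick one style for the list. The unindented "This includes ..." line is fine as a lazy continuation of the bullet in CommonMark.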
@ -72,8 +74,9 @@ If you're already familiar with Kubernetes, it's easy to get started with Conste
## Live demos
We're running public instances of popular software on Constellation:
* Rocket.Chat: https://rocket.edgeless.systems/ ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
* GitLab: https://gitlab.edgeless.systems/ ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
* Rocket.Chat: <https://rocket.edgeless.systems/> ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
* GitLab: <https://gitlab.edgeless.systems/> ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.
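Review bot: the only change in this hunk is wrapping the two demo URLs in angle brackets, which has nothing to do with the s3proxy feature named in the commit message; it's harmless, but either mention the autolink cleanup in the commit message or move it to its own commit so `git blame` on these lines doesn't point at an unrelated feature change.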
@ -102,7 +105,7 @@ Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most imp
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
> **Warning**
> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to security@edgeless.systems.
> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to <security@edgeless.systems>.
## License
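Review bot: same unrelated autolink tweak (`<security@edgeless.systems>`) as in the demos section, and the same commit-hygiene remark applies. The angle-bracket form does render as a `mailto:` link in CommonMark, so the security-reporting instructions remain correct.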
@ -126,6 +129,9 @@ The Constellation source code is licensed under the [GNU Affero General Public L
[key-management]: https://docs.edgeless.systems/constellation/architecture/keys
[license]: https://docs.edgeless.systems/constellation/overview/license
[network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
[storage-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#storage-encryption
[csi]: https://docs.edgeless.systems/constellation/workflows/storage
[s3proxy]: https://docs.edgeless.systems/constellation/workflows/s3proxy
[supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
[twitter]: https://twitter.com/EdgelessSystems
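Review bot: the three new reference definitions (`[storage-encryption]`, `[csi]`, `[s3proxy]`) all target pages or fragments that this commit doesn't touch, and Markdown link checkers typically validate the page but not the `#storage-encryption` fragment; please confirm that anchor exists on the keys page and that `workflows/s3proxy` is published before this README lands, otherwise the feature list links to a 404 for the headline feature of the commit.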

View File

@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
Constellation implements the Confidential Kubernetes concept with the following security features.
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
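Review bot: "other managed storage like [AWS S3]" reads as though several managed storage services are covered; if S3 (via s3proxy) is the only one at this point, write "and [AWS S3 object storage]" and drop "like" so the claim matches what ships. Also, the link adds the fragment `#encrypted-s3-object-storage` on encrypted-storage.md, a file this commit doesn't modify; confirm that section already exists on the target page.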

View File

@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
Constellation implements the Confidential Kubernetes concept with the following security features.
* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
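Review bot: this hunk is byte-for-byte the same change as the previous file, which looks like a versioned copy of the overview page; only apply the S3 sentence to doc versions whose release actually includes s3proxy, otherwise readers of an older version are told about a feature that isn't in their release. If both copies are meant to stay in sync, note in the commit message which doc versions were updated.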