From 9e3d605cf26d24ded52256a25a993bce070de1d6 Mon Sep 17 00:00:00 2001 
From: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Date: Fri, 15 Mar 2024 11:53:13 +0100 Subject: [PATCH] Add STACKIT to readme (#2988) * Add STACKIT to readme and sort CSPs alphabetically in sentences * fix links --- README.md | 3 +-- dev-docs/conventions.md | 4 ++-- docs/docs/architecture/keys.md | 2 +- docs/docs/getting-started/install.md | 5 ++++- docs/docs/overview/clouds.md | 5 ++--- docs/docs/overview/product.md | 2 +- docs/docs/workflows/config.md | 2 +- .../version-2.0/architecture/keys.md | 2 +- docs/versioned_docs/version-2.0/overview/clouds.md | 2 +- .../version-2.1/architecture/keys.md | 2 +- docs/versioned_docs/version-2.1/overview/clouds.md | 2 +- .../version-2.10/architecture/keys.md | 2 +- .../version-2.10/getting-started/install.md | 7 +------ .../versioned_docs/version-2.10/overview/clouds.md | 2 +- .../version-2.10/overview/performance/io.md | 2 +- .../version-2.10/overview/product.md | 2 +- .../version-2.11/architecture/keys.md | 2 +- .../version-2.11/getting-started/install.md | 7 +------ .../versioned_docs/version-2.11/overview/clouds.md | 2 +- .../version-2.11/overview/performance/io.md | 2 +- .../version-2.11/overview/product.md | 2 +- .../version-2.12/architecture/keys.md | 2 +- .../version-2.12/getting-started/install.md | 7 +------ .../versioned_docs/version-2.12/overview/clouds.md | 2 +- .../version-2.12/overview/performance/io.md | 2 +- .../version-2.12/overview/product.md | 2 +- .../version-2.13/architecture/keys.md | 2 +- .../version-2.13/getting-started/install.md | 7 +------ .../versioned_docs/version-2.13/overview/clouds.md | 2 +- .../version-2.13/overview/performance/io.md | 2 +- .../version-2.13/overview/product.md | 2 +- .../version-2.14/architecture/keys.md | 2 +- .../version-2.14/getting-started/install.md | 2 +- .../versioned_docs/version-2.14/overview/clouds.md | 2 +- .../version-2.14/overview/performance/io.md | 2 +- .../version-2.14/overview/product.md | 2 +- .../version-2.15/architecture/attestation.md | 
2 +- .../version-2.15/architecture/keys.md | 2 +- .../version-2.15/getting-started/install.md | 2 +- .../versioned_docs/version-2.15/overview/clouds.md | 5 ++--- .../version-2.15/overview/product.md | 2 +- .../version-2.16/architecture/keys.md | 2 +- .../version-2.16/getting-started/install.md | 5 ++++- .../versioned_docs/version-2.16/overview/clouds.md | 5 ++--- .../version-2.16/overview/product.md | 2 +- .../version-2.16/workflows/config.md | 2 +- .../version-2.16/workflows/recovery.md | 2 +- .../version-2.2/architecture/keys.md | 2 +- .../version-2.2/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.2/overview/clouds.md | 2 +- .../versioned_docs/version-2.2/overview/product.md | 2 +- .../version-2.3/architecture/keys.md | 2 +- .../version-2.3/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.3/overview/clouds.md | 2 +- .../versioned_docs/version-2.3/overview/product.md | 2 +- .../version-2.4/architecture/keys.md | 2 +- .../version-2.4/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.4/overview/clouds.md | 2 +- .../versioned_docs/version-2.4/overview/product.md | 2 +- .../version-2.5/architecture/keys.md | 2 +- .../version-2.5/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.5/overview/clouds.md | 2 +- .../versioned_docs/version-2.5/overview/product.md | 2 +- .../version-2.6/architecture/keys.md | 2 +- .../version-2.6/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.6/overview/clouds.md | 2 +- .../version-2.6/overview/performance.md | 14 ++++++++------ .../versioned_docs/version-2.6/overview/product.md | 2 +- .../version-2.7/architecture/keys.md | 2 +- .../version-2.7/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.7/overview/clouds.md | 5 ++--- .../version-2.7/overview/performance.md | 14 ++++++++------ .../versioned_docs/version-2.7/overview/product.md | 2 +- .../version-2.8/architecture/keys.md | 2 +- .../version-2.8/getting-started/install.md | 6 
+----- docs/versioned_docs/version-2.8/overview/clouds.md | 2 +- .../version-2.8/overview/performance.md | 14 ++++++++------ .../versioned_docs/version-2.8/overview/product.md | 2 +- .../version-2.9/architecture/keys.md | 2 +- .../version-2.9/getting-started/install.md | 6 +----- docs/versioned_docs/version-2.9/overview/clouds.md | 2 +- .../version-2.9/overview/performance.md | 2 +- .../versioned_docs/version-2.9/overview/product.md | 2 +- 83 files changed, 115 insertions(+), 160 deletions(-) diff --git a/README.md b/README.md index f48e71cb1..a0d4db3ad 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Encrypting your K8s is good for: * Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools. -* Support for Azure, GCP, and AWS. +* Support for AWS, Azure, GCP, and STACKIT. * Support for local installations with [MiniConstellation][first-steps-local]. * Support for [Terraform][terraform-provider] @@ -120,7 +120,6 @@ The Constellation source code is licensed under the [GNU Affero General Public L [cla-assistant]: https://cla-assistant.io/edgelesssys/constellation [cluster-attestation]: https://docs.edgeless.systems/constellation/architecture/attestation#cluster-attestation [confidential-kubernetes]: https://docs.edgeless.systems/constellation/overview/confidential-kubernetes -[discord]: https://discord.gg/rH8QTH56JN [enterprise-support]: https://www.edgeless.systems/products/constellation/ [first-steps]: https://docs.edgeless.systems/constellation/getting-started/first-steps [first-steps-local]: https://docs.edgeless.systems/constellation/getting-started/first-steps-local diff --git a/dev-docs/conventions.md b/dev-docs/conventions.md index 02b08e1db..5f9e9c132 100644 --- a/dev-docs/conventions.md +++ b/dev-docs/conventions.md 
@@ -14,10 +14,10 @@ This project also aims to follow the [Go Proverbs](https://go-proverbs.github.io ## Linting This projects uses [golangci-lint](https://golangci-lint.run/) for linting. -You can [install golangci-lint](https://golangci-lint.run/usage/install/#linux-and-windows) locally, +You can [install golangci-lint](https://golangci-lint.run/welcome/install/#local-installation) locally, but there is also a CI action to ensure compliance. -It is also recommended to use golangci-lint (and [gofumpt](https://github.com/mvdan/gofumpt) as formatter) in your IDE, by adding the recommended VS Code Settings or by [configuring it yourself](https://golangci-lint.run/usage/integrations/#editor-integration) +It is also recommended to use golangci-lint (and [gofumpt](https://github.com/mvdan/gofumpt) as formatter) in your IDE, by adding the recommended VS Code Settings or by [configuring it yourself](https://golangci-lint.run/welcome/integrations/) ## Logging diff --git a/docs/docs/architecture/keys.md b/docs/docs/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/docs/architecture/keys.md +++ b/docs/docs/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. 
diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index 999601b5b..99a8933e3 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md @@ -9,7 +9,7 @@ Make sure the following requirements are met: * Your machine is running Linux, macOS, or Windows * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT +* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT ## Install the Constellation CLI @@ -398,6 +398,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se 1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API 2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token + ```yaml clouds: stackit: @@ -412,9 +413,11 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se region_name: RegionOne identity_api_version: 3 ``` + 3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token 4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) 5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) + ```json {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} ``` diff --git a/docs/docs/overview/clouds.md b/docs/docs/overview/clouds.md index b2de81e4b..a7b1361e8 100644 --- a/docs/docs/overview/clouds.md 
+++ b/docs/docs/overview/clouds.md @@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. -CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. +CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. Regarding (4), the CVMs still include closed-source firmware. - In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX. Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en). With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering. 
diff --git a/docs/docs/overview/product.md b/docs/docs/overview/product.md index 8e8ee6950..4b5d90706 100644 --- a/docs/docs/overview/product.md +++ b/docs/docs/overview/product.md 
@@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index edbffa8a6..c59207054 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md @@ -135,7 +135,7 @@ This configuration creates an additional node group `high_cpu` with a larger ins You can use the field `zone` to specify what availability zone nodes of the group are placed in. On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2` and `eu01-3` zone. +STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. Consult the documentation of your cloud provider for more information: * [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) diff --git a/docs/versioned_docs/version-2.0/architecture/keys.md b/docs/versioned_docs/version-2.0/architecture/keys.md index cb8c41768..ae6044862 100644 --- a/docs/versioned_docs/version-2.0/architecture/keys.md +++ b/docs/versioned_docs/version-2.0/architecture/keys.md @@ -101,7 +101,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. 
diff --git a/docs/versioned_docs/version-2.0/overview/clouds.md b/docs/versioned_docs/version-2.0/overview/clouds.md index c526d956b..2fd864945 100644 --- a/docs/versioned_docs/version-2.0/overview/clouds.md +++ b/docs/versioned_docs/version-2.0/overview/clouds.md @@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) diff --git a/docs/versioned_docs/version-2.1/architecture/keys.md b/docs/versioned_docs/version-2.1/architecture/keys.md index cb8c41768..ae6044862 100644 --- a/docs/versioned_docs/version-2.1/architecture/keys.md +++ b/docs/versioned_docs/version-2.1/architecture/keys.md 
@@ -101,7 +101,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.1/overview/clouds.md b/docs/versioned_docs/version-2.1/overview/clouds.md index c526d956b..2fd864945 100644 --- a/docs/versioned_docs/version-2.1/overview/clouds.md +++ b/docs/versioned_docs/version-2.1/overview/clouds.md 
@@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) diff --git a/docs/versioned_docs/version-2.10/architecture/keys.md b/docs/versioned_docs/version-2.10/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.10/architecture/keys.md +++ b/docs/versioned_docs/version-2.10/architecture/keys.md 
@@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.10/getting-started/install.md b/docs/versioned_docs/version-2.10/getting-started/install.md index 4debbca9a..da0c0a14b 100644 --- a/docs/versioned_docs/version-2.10/getting-started/install.md +++ b/docs/versioned_docs/version-2.10/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - @@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - 
@@ -278,7 +275,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions. To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - The built-in `PowerUserAccess` policy is a superset of these permissions. Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). @@ -354,7 +350,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.10/overview/clouds.md b/docs/versioned_docs/version-2.10/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.10/overview/clouds.md +++ b/docs/versioned_docs/version-2.10/overview/clouds.md @@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. 
diff --git a/docs/versioned_docs/version-2.10/overview/performance/io.md b/docs/versioned_docs/version-2.10/overview/performance/io.md index dc7cf3d8b..3ae796f8a 100644 --- a/docs/versioned_docs/version-2.10/overview/performance/io.md +++ b/docs/versioned_docs/version-2.10/overview/performance/io.md @@ -58,7 +58,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.10/overview/product.md b/docs/versioned_docs/version-2.10/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.10/overview/product.md +++ b/docs/versioned_docs/version-2.10/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.11/architecture/keys.md b/docs/versioned_docs/version-2.11/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.11/architecture/keys.md +++ b/docs/versioned_docs/version-2.11/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.11/getting-started/install.md b/docs/versioned_docs/version-2.11/getting-started/install.md index 4debbca9a..da0c0a14b 100644 --- a/docs/versioned_docs/version-2.11/getting-started/install.md +++ b/docs/versioned_docs/version-2.11/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -278,7 +275,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions. To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - The built-in `PowerUserAccess` policy is a superset of these permissions. Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). @@ -354,7 +350,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.11/overview/clouds.md b/docs/versioned_docs/version-2.11/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.11/overview/clouds.md +++ b/docs/versioned_docs/version-2.11/overview/clouds.md 
@@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.11/overview/performance/io.md b/docs/versioned_docs/version-2.11/overview/performance/io.md index dc7cf3d8b..3ae796f8a 100644 --- a/docs/versioned_docs/version-2.11/overview/performance/io.md +++ b/docs/versioned_docs/version-2.11/overview/performance/io.md 
@@ -58,7 +58,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.11/overview/product.md b/docs/versioned_docs/version-2.11/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.11/overview/product.md +++ b/docs/versioned_docs/version-2.11/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.12/architecture/keys.md b/docs/versioned_docs/version-2.12/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.12/architecture/keys.md +++ b/docs/versioned_docs/version-2.12/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.12/getting-started/install.md b/docs/versioned_docs/version-2.12/getting-started/install.md index 03848d23b..a1dc93cde 100644 --- a/docs/versioned_docs/version-2.12/getting-started/install.md +++ b/docs/versioned_docs/version-2.12/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -281,7 +278,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions. To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - The built-in `PowerUserAccess` policy is a superset of these permissions. Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). @@ -357,7 +353,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.12/overview/clouds.md b/docs/versioned_docs/version-2.12/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.12/overview/clouds.md +++ b/docs/versioned_docs/version-2.12/overview/clouds.md 
@@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.12/overview/performance/io.md b/docs/versioned_docs/version-2.12/overview/performance/io.md index dc7cf3d8b..3ae796f8a 100644 --- a/docs/versioned_docs/version-2.12/overview/performance/io.md +++ b/docs/versioned_docs/version-2.12/overview/performance/io.md 
@@ -58,7 +58,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.12/overview/product.md b/docs/versioned_docs/version-2.12/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.12/overview/product.md +++ b/docs/versioned_docs/version-2.12/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.13/architecture/keys.md b/docs/versioned_docs/version-2.13/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.13/architecture/keys.md +++ b/docs/versioned_docs/version-2.13/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.13/getting-started/install.md b/docs/versioned_docs/version-2.13/getting-started/install.md index 03848d23b..a1dc93cde 100644 --- a/docs/versioned_docs/version-2.13/getting-started/install.md +++ b/docs/versioned_docs/version-2.13/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -281,7 +278,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions. To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - The built-in `PowerUserAccess` policy is a superset of these permissions. Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). @@ -357,7 +353,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.13/overview/clouds.md b/docs/versioned_docs/version-2.13/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.13/overview/clouds.md +++ b/docs/versioned_docs/version-2.13/overview/clouds.md 
@@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.13/overview/performance/io.md b/docs/versioned_docs/version-2.13/overview/performance/io.md index dc7cf3d8b..3ae796f8a 100644 --- a/docs/versioned_docs/version-2.13/overview/performance/io.md +++ b/docs/versioned_docs/version-2.13/overview/performance/io.md 
@@ -58,7 +58,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.13/overview/product.md b/docs/versioned_docs/version-2.13/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.13/overview/product.md +++ b/docs/versioned_docs/version-2.13/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.14/architecture/keys.md b/docs/versioned_docs/version-2.14/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.14/architecture/keys.md +++ b/docs/versioned_docs/version-2.14/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.14/getting-started/install.md b/docs/versioned_docs/version-2.14/getting-started/install.md index f2cad8b02..01f9178ca 100644 --- a/docs/versioned_docs/version-2.14/getting-started/install.md +++ b/docs/versioned_docs/version-2.14/getting-started/install.md @@ -9,7 +9,7 @@ Make sure the following requirements are met: * Your machine is running Linux or macOS * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +* Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI diff --git a/docs/versioned_docs/version-2.14/overview/clouds.md b/docs/versioned_docs/version-2.14/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.14/overview/clouds.md 
+++ b/docs/versioned_docs/version-2.14/overview/clouds.md @@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.14/overview/performance/io.md b/docs/versioned_docs/version-2.14/overview/performance/io.md index dc7cf3d8b..3ae796f8a 100644 --- a/docs/versioned_docs/version-2.14/overview/performance/io.md +++ b/docs/versioned_docs/version-2.14/overview/performance/io.md 
@@ -58,7 +58,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.14/overview/product.md b/docs/versioned_docs/version-2.14/overview/product.md index e31a4658f..02e12e2f3 100644 --- a/docs/versioned_docs/version-2.14/overview/product.md +++ b/docs/versioned_docs/version-2.14/overview/product.md 
@@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. diff --git a/docs/versioned_docs/version-2.15/architecture/attestation.md b/docs/versioned_docs/version-2.15/architecture/attestation.md index 04b85d8ad..3e184fa03 100644 --- a/docs/versioned_docs/version-2.15/architecture/attestation.md +++ b/docs/versioned_docs/version-2.15/architecture/attestation.md @@ -305,7 +305,7 @@ A user can [verify](../workflows/verify-cluster.md) this statement and compare t So far, this page described how an entire Constellation cluster can be verified using hardware attestation capabilities and runtime measurements. The last missing link is how the ground truth in the form of runtime measurements can be securely distributed to the verifying party. -The build process of Constellation images also creates the ground truth runtime measurements. +The build process of Constellation images also creates the ground truth runtime measurements. The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. With every release, Edgeless Systems publishes signed runtime measurements. The CLI executable is also signed by Edgeless Systems. diff --git a/docs/versioned_docs/version-2.15/architecture/keys.md b/docs/versioned_docs/version-2.15/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.15/architecture/keys.md +++ b/docs/versioned_docs/version-2.15/architecture/keys.md 
@@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.15/getting-started/install.md b/docs/versioned_docs/version-2.15/getting-started/install.md index f2cad8b02..01f9178ca 100644 --- a/docs/versioned_docs/version-2.15/getting-started/install.md +++ b/docs/versioned_docs/version-2.15/getting-started/install.md @@ -9,7 +9,7 @@ Make sure the following requirements are met: * Your machine is running Linux or macOS * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +* Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI diff --git a/docs/versioned_docs/version-2.15/overview/clouds.md b/docs/versioned_docs/version-2.15/overview/clouds.md index 8cc42a990..75acd17cd 100644 --- a/docs/versioned_docs/version-2.15/overview/clouds.md +++ b/docs/versioned_docs/version-2.15/overview/clouds.md 
@@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. -CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. +CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. Regarding (4), the CVMs still include closed-source firmware. - In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX. Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en). With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering. 
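Review bot: the lone `-` blank line in this `version-2.15/overview/clouds.md` hunk sits between the "Regarding (4), the CVMs still include closed-source firmware." paragraph and the "In the past, Intel and Google have collaborated" paragraph; if that was the only blank line separating them, Markdown will now render both as one paragraph, so confirm it was a duplicated blank (markdownlint MD012) and not the paragraph break. Separately, the rewritten line now cites the same Confidential VM overview page twice in a row, once at `#amd_sev` for the GA SEV machines and once at `#amd_sev-snp` for the "public preview" SEV-SNP machines; preview status is a moving target, and the 2.11 through 2.14 versions of this page above still say `private preview`, so consider noting the release or date at which the status was checked.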
diff --git a/docs/versioned_docs/version-2.15/overview/product.md b/docs/versioned_docs/version-2.15/overview/product.md index e31a4658f..02e12e2f3 100644 --- a/docs/versioned_docs/version-2.15/overview/product.md +++ b/docs/versioned_docs/version-2.15/overview/product.md 
@@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. diff --git a/docs/versioned_docs/version-2.16/architecture/keys.md b/docs/versioned_docs/version-2.16/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.16/architecture/keys.md +++ b/docs/versioned_docs/version-2.16/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.16/getting-started/install.md b/docs/versioned_docs/version-2.16/getting-started/install.md index 999601b5b..99a8933e3 100644 --- a/docs/versioned_docs/version-2.16/getting-started/install.md +++ b/docs/versioned_docs/version-2.16/getting-started/install.md @@ -9,7 +9,7 @@ Make sure the following requirements are met: * Your machine is running Linux, macOS, or Windows * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT +* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT ## Install the Constellation CLI 
@@ -398,6 +398,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se 1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API 2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token + ```yaml clouds: stackit: @@ -412,9 +413,11 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se region_name: RegionOne identity_api_version: 3 ``` + 3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token 4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) 5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) + ```json {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} ``` diff --git a/docs/versioned_docs/version-2.16/overview/clouds.md b/docs/versioned_docs/version-2.16/overview/clouds.md index b2de81e4b..a7b1361e8 100644 --- a/docs/versioned_docs/version-2.16/overview/clouds.md +++ b/docs/versioned_docs/version-2.16/overview/clouds.md 
@@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. -CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. +CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. Regarding (4), the CVMs still include closed-source firmware. - In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX. Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en). With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering. 
diff --git a/docs/versioned_docs/version-2.16/overview/product.md b/docs/versioned_docs/version-2.16/overview/product.md index 8e8ee6950..4b5d90706 100644 --- a/docs/versioned_docs/version-2.16/overview/product.md +++ b/docs/versioned_docs/version-2.16/overview/product.md 
@@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. diff --git a/docs/versioned_docs/version-2.16/workflows/config.md b/docs/versioned_docs/version-2.16/workflows/config.md index fe7886149..c59207054 100644 --- a/docs/versioned_docs/version-2.16/workflows/config.md +++ b/docs/versioned_docs/version-2.16/workflows/config.md @@ -135,7 +135,7 @@ This configuration creates an additional node group `high_cpu` with a larger ins You can use the field `zone` to specify what availability zone nodes of the group are placed in. On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2` and `eu01-3` zones. +STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. Consult the documentation of your cloud provider for more information: * [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) diff --git a/docs/versioned_docs/version-2.16/workflows/recovery.md b/docs/versioned_docs/version-2.16/workflows/recovery.md index 1bfb172aa..aea370e2f 100644 --- a/docs/versioned_docs/version-2.16/workflows/recovery.md +++ b/docs/versioned_docs/version-2.16/workflows/recovery.md 
@@ -123,7 +123,7 @@ This means that you have to recover the node manually. First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. -Second, check the boot logs of these *Servers*. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. +Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. In the serial console output, search for `Waiting for decryption key`. Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): diff --git a/docs/versioned_docs/version-2.2/architecture/keys.md b/docs/versioned_docs/version-2.2/architecture/keys.md index aa4e35496..b7d7ef6f5 100644 --- a/docs/versioned_docs/version-2.2/architecture/keys.md +++ b/docs/versioned_docs/version-2.2/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. 
diff --git a/docs/versioned_docs/version-2.2/getting-started/install.md b/docs/versioned_docs/version-2.2/getting-started/install.md index d717dcb34..6bf421b16 100644 --- a/docs/versioned_docs/version-2.2/getting-started/install.md +++ b/docs/versioned_docs/version-2.2/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - @@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.2/overview/clouds.md b/docs/versioned_docs/version-2.2/overview/clouds.md index 01e7a00c5..745507c52 100644 --- a/docs/versioned_docs/version-2.2/overview/clouds.md +++ b/docs/versioned_docs/version-2.2/overview/clouds.md 
@@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) diff --git a/docs/versioned_docs/version-2.2/overview/product.md b/docs/versioned_docs/version-2.2/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.2/overview/product.md +++ b/docs/versioned_docs/version-2.2/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.3/architecture/keys.md b/docs/versioned_docs/version-2.3/architecture/keys.md index aa4e35496..b7d7ef6f5 100644 --- a/docs/versioned_docs/version-2.3/architecture/keys.md +++ b/docs/versioned_docs/version-2.3/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.3/getting-started/install.md b/docs/versioned_docs/version-2.3/getting-started/install.md index 91c4bb14e..d830c7792 100644 --- a/docs/versioned_docs/version-2.3/getting-started/install.md +++ b/docs/versioned_docs/version-2.3/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.3/overview/clouds.md b/docs/versioned_docs/version-2.3/overview/clouds.md index 01e7a00c5..745507c52 100644 --- a/docs/versioned_docs/version-2.3/overview/clouds.md +++ b/docs/versioned_docs/version-2.3/overview/clouds.md @@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) 
diff --git a/docs/versioned_docs/version-2.3/overview/product.md b/docs/versioned_docs/version-2.3/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.3/overview/product.md +++ b/docs/versioned_docs/version-2.3/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.4/architecture/keys.md b/docs/versioned_docs/version-2.4/architecture/keys.md index aa4e35496..b7d7ef6f5 100644 --- a/docs/versioned_docs/version-2.4/architecture/keys.md +++ b/docs/versioned_docs/version-2.4/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.4/getting-started/install.md b/docs/versioned_docs/version-2.4/getting-started/install.md index 91c4bb14e..d830c7792 100644 --- a/docs/versioned_docs/version-2.4/getting-started/install.md +++ b/docs/versioned_docs/version-2.4/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.4/overview/clouds.md b/docs/versioned_docs/version-2.4/overview/clouds.md index 01e7a00c5..745507c52 100644 --- a/docs/versioned_docs/version-2.4/overview/clouds.md +++ b/docs/versioned_docs/version-2.4/overview/clouds.md @@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) 
diff --git a/docs/versioned_docs/version-2.4/overview/product.md b/docs/versioned_docs/version-2.4/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.4/overview/product.md +++ b/docs/versioned_docs/version-2.4/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.5/architecture/keys.md b/docs/versioned_docs/version-2.5/architecture/keys.md index aa4e35496..b7d7ef6f5 100644 --- a/docs/versioned_docs/version-2.5/architecture/keys.md +++ b/docs/versioned_docs/version-2.5/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.5/getting-started/install.md b/docs/versioned_docs/version-2.5/getting-started/install.md index 91c4bb14e..d830c7792 100644 --- a/docs/versioned_docs/version-2.5/getting-started/install.md +++ b/docs/versioned_docs/version-2.5/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.5/overview/clouds.md b/docs/versioned_docs/version-2.5/overview/clouds.md index dd31f866f..3e4a50d27 100644 --- a/docs/versioned_docs/version-2.5/overview/clouds.md +++ b/docs/versioned_docs/version-2.5/overview/clouds.md @@ -28,7 +28,7 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) 
diff --git a/docs/versioned_docs/version-2.5/overview/product.md b/docs/versioned_docs/version-2.5/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.5/overview/product.md +++ b/docs/versioned_docs/version-2.5/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.6/architecture/keys.md b/docs/versioned_docs/version-2.6/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.6/architecture/keys.md +++ b/docs/versioned_docs/version-2.6/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.6/getting-started/install.md b/docs/versioned_docs/version-2.6/getting-started/install.md index 91c4bb14e..d830c7792 100644 --- a/docs/versioned_docs/version-2.6/getting-started/install.md +++ b/docs/versioned_docs/version-2.6/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.6/overview/clouds.md b/docs/versioned_docs/version-2.6/overview/clouds.md index dd31f866f..3e4a50d27 100644 --- a/docs/versioned_docs/version-2.6/overview/clouds.md +++ b/docs/versioned_docs/version-2.6/overview/clouds.md @@ -28,7 +28,7 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp ## Google Cloud Platform (GCP) -The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. +The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB. ## Amazon Web Services (AWS) 
diff --git a/docs/versioned_docs/version-2.6/overview/performance.md b/docs/versioned_docs/version-2.6/overview/performance.md index 54f31019a..8be5b7952 100644 --- a/docs/versioned_docs/version-2.6/overview/performance.md +++ b/docs/versioned_docs/version-2.6/overview/performance.md @@ -63,7 +63,6 @@ The following infrastructure configurations was used: - CVM: `false` - Zone: `europe-west3-b` - ### Results #### Network @@ -71,7 +70,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. 
@@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were Constellation on Azure and AKS used an MTU of 1500. Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - The difference in network bandwidth can largely be attributed to two factors. -* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. +- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. +- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. ##### Pod-to-Pod @@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows: In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. + #### Storage I/O Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). 
@@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: + - 6400 (20000 burst) IOPS - 144 MB/s (600 MB/s burst) throughput However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): + - 500 (600 burst) IOPS - 60 MB/s (150 MB/s burst) throughput For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): + - 3,000 read IOPS - 15,000 write IOPS - 240 MB/s read throughput - 240 MB/s write throughput However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: + - 2400 read IOPS - 2400 write IOPS - 112 MB/s read throughput @@ -180,7 +183,6 @@ The following `fio` settings were used: For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini). - The results for IOPS on Azure are as follows: ![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png) diff --git a/docs/versioned_docs/version-2.6/overview/product.md b/docs/versioned_docs/version-2.6/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.6/overview/product.md 
+++ b/docs/versioned_docs/version-2.6/overview/product.md @@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.7/architecture/keys.md b/docs/versioned_docs/version-2.7/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.7/architecture/keys.md +++ b/docs/versioned_docs/version-2.7/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.7/getting-started/install.md b/docs/versioned_docs/version-2.7/getting-started/install.md index 9ba727d81..5975008a2 100644 --- a/docs/versioned_docs/version-2.7/getting-started/install.md +++ b/docs/versioned_docs/version-2.7/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -437,7 +434,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.7/overview/clouds.md b/docs/versioned_docs/version-2.7/overview/clouds.md index c95b3508a..847c888df 100644 --- a/docs/versioned_docs/version-2.7/overview/clouds.md +++ b/docs/versioned_docs/version-2.7/overview/clouds.md 
@@ -28,20 +28,19 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX, and have recently [revealed](https://venturebeat.com/security/intel-launches-confidential-computing-solution-for-virtual-machines/) their plans to make TDX compatible with Google Cloud. ## Amazon Web Services (AWS) + Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). Regarding (3), AWS provides direct access to remote-attestation statements. However, attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. \* Regarding (4), the CVMs include initial firmware inside the CVM based on [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF). Once this firmware will be reproducible and therefore verifiable, (4) switches from *No* to *Yes*. 
- - ## OpenStack OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. diff --git a/docs/versioned_docs/version-2.7/overview/performance.md b/docs/versioned_docs/version-2.7/overview/performance.md index 54f31019a..8be5b7952 100644 --- a/docs/versioned_docs/version-2.7/overview/performance.md +++ b/docs/versioned_docs/version-2.7/overview/performance.md @@ -63,7 +63,6 @@ The following infrastructure configurations was used: - CVM: `false` - Zone: `europe-west3-b` - ### Results #### Network 
@@ -71,7 +70,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. 
@@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were Constellation on Azure and AKS used an MTU of 1500. Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - The difference in network bandwidth can largely be attributed to two factors. -* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. +- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. +- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. ##### Pod-to-Pod @@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows: In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. + #### Storage I/O Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). 
@@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: + - 6400 (20000 burst) IOPS - 144 MB/s (600 MB/s burst) throughput However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): + - 500 (600 burst) IOPS - 60 MB/s (150 MB/s burst) throughput For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): + - 3,000 read IOPS - 15,000 write IOPS - 240 MB/s read throughput - 240 MB/s write throughput However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: + - 2400 read IOPS - 2400 write IOPS - 112 MB/s read throughput @@ -180,7 +183,6 @@ The following `fio` settings were used: For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini). - The results for IOPS on Azure are as follows: ![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png) diff --git a/docs/versioned_docs/version-2.7/overview/product.md b/docs/versioned_docs/version-2.7/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.7/overview/product.md 
+++ b/docs/versioned_docs/version-2.7/overview/product.md @@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.8/architecture/keys.md b/docs/versioned_docs/version-2.8/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.8/architecture/keys.md +++ b/docs/versioned_docs/version-2.8/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.8/getting-started/install.md b/docs/versioned_docs/version-2.8/getting-started/install.md index 37940d0a2..0575192af 100644 --- a/docs/versioned_docs/version-2.8/getting-started/install.md +++ b/docs/versioned_docs/version-2.8/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -438,7 +435,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.8/overview/clouds.md b/docs/versioned_docs/version-2.8/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.8/overview/clouds.md +++ b/docs/versioned_docs/version-2.8/overview/clouds.md @@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.8/overview/performance.md b/docs/versioned_docs/version-2.8/overview/performance.md index 54f31019a..8be5b7952 100644 --- a/docs/versioned_docs/version-2.8/overview/performance.md +++ b/docs/versioned_docs/version-2.8/overview/performance.md @@ -63,7 +63,6 @@ The following infrastructure configurations was used: - CVM: `false` - Zone: `europe-west3-b` - ### Results #### Network 
@@ -71,7 +70,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. 
@@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were Constellation on Azure and AKS used an MTU of 1500. Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - The difference in network bandwidth can largely be attributed to two factors. -* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. +- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. +- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. ##### Pod-to-Pod @@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows: In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. + #### Storage I/O Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). 
@@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: + - 6400 (20000 burst) IOPS - 144 MB/s (600 MB/s burst) throughput However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): + - 500 (600 burst) IOPS - 60 MB/s (150 MB/s burst) throughput For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): + - 3,000 read IOPS - 15,000 write IOPS - 240 MB/s read throughput - 240 MB/s write throughput However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: + - 2400 read IOPS - 2400 write IOPS - 112 MB/s read throughput @@ -180,7 +183,6 @@ The following `fio` settings were used: For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini). - The results for IOPS on Azure are as follows: ![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png) diff --git a/docs/versioned_docs/version-2.8/overview/product.md b/docs/versioned_docs/version-2.8/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.8/overview/product.md 
+++ b/docs/versioned_docs/version-2.8/overview/product.md @@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
diff --git a/docs/versioned_docs/version-2.9/architecture/keys.md b/docs/versioned_docs/version-2.9/architecture/keys.md index f2c8c3fba..553d9d4e2 100644 --- a/docs/versioned_docs/version-2.9/architecture/keys.md +++ b/docs/versioned_docs/version-2.9/architecture/keys.md @@ -105,7 +105,7 @@ Initially, it will support the following KMSs: * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) * [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) -Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM). +Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. diff --git a/docs/versioned_docs/version-2.9/getting-started/install.md b/docs/versioned_docs/version-2.9/getting-started/install.md index 37940d0a2..0575192af 100644 --- a/docs/versioned_docs/version-2.9/getting-started/install.md +++ b/docs/versioned_docs/version-2.9/getting-started/install.md @@ -11,7 +11,7 @@ Make sure the following requirements are met: - Your machine is running Linux or macOS - You have admin rights on your machine - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) ## Install the Constellation CLI @@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-arm64 /usr/local/bin/constellation ``` - 
@@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-arm64 /usr/local/bin/constellation ``` - - @@ -438,7 +435,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc - ## Next steps diff --git a/docs/versioned_docs/version-2.9/overview/clouds.md b/docs/versioned_docs/version-2.9/overview/clouds.md index 3ccbb0d6d..c56a623b1 100644 --- a/docs/versioned_docs/version-2.9/overview/clouds.md +++ b/docs/versioned_docs/version-2.9/overview/clouds.md @@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c ## Google Cloud Platform (GCP) -The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. +The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware. diff --git a/docs/versioned_docs/version-2.9/overview/performance.md b/docs/versioned_docs/version-2.9/overview/performance.md index 9518ad538..aef594c46 100644 --- a/docs/versioned_docs/version-2.9/overview/performance.md +++ b/docs/versioned_docs/version-2.9/overview/performance.md 
@@ -70,7 +70,7 @@ The following infrastructure configurations was used: This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). +GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. diff --git a/docs/versioned_docs/version-2.9/overview/product.md b/docs/versioned_docs/version-2.9/overview/product.md index ba7181aa9..e42596fcc 100644 --- a/docs/versioned_docs/version-2.9/overview/product.md +++ b/docs/versioned_docs/version-2.9/overview/product.md 
@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
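Review bot: In the version-2.8 overview/product.md hunk, the new ordering "Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)" is alphabetical by short name (AWS, Azure, GCP) rather than by full name (Amazon, Google, Microsoft); since the commit subject says "sort CSPs alphabetically", state the sort key once in the conventions doc so future edits to these sentences stay consistent. The same sentence appears in several versioned copies of product.md in this patch, so a single stated rule avoids drift between them.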
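Review bot: In the version-2.9 architecture/keys.md hunk, the reordered line still uses "Cloud KMS" as a generic term for all three providers, although "Cloud KMS" is the proper name of the GCP product; consider "the cloud provider's KMS" or "a cloud KMS (AWS KMS, Azure Key Vault, or GCP Cloud KMS)" so the sentence matches the KMS list directly above it. While on this line, "cloud identity access management (IAM)" should read "identity and access management (IAM)".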
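Review bot: In the version-2.9 getting-started/install.md hunks at lines 52, 71, and 438, the only change is the removal of blank lines after code fences and before "## Next steps"; these whitespace-only edits are unrelated to the commit subject (STACKIT / CSP ordering) and should be mentioned in the commit message or split out, so the versioned-docs diff stays reviewable. The first hunk's requirement line "- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)" is the only substantive change in this file.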
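Review bot: In the version-2.9 overview/clouds.md hunk, the replacement link "https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev" depends on a fragment anchor (#amd_sev) that vendor pages rename without redirecting, so verify the anchor resolves and consider linking the page without the fragment if it does not. The link text "CVMs Generally Available in GCP" now points at an overview section rather than the instance-creation page it previously referenced, which is fine but worth confirming is the intended target.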
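Review bot: In the version-2.9 overview/performance.md hunk, removing the doubled URL in the 10 Gbps link is correct, but the unchanged context line that follows, "AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](...)", is missing its verb and should read "AKS with `Standard_D4as_v5` machines has a maximum network bandwidth of ..."; since this file is already being touched for link hygiene, fixing it here would be cheap.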
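Review bot: In the version-2.9 overview/product.md hunk, the unchanged context line under "Integrated Day-2 operations" ends with the sentence fragment "Both with a single command."; consider folding it into the preceding sentence, e.g. "It also lets you securely [recover](../workflows/recovery.md) a failed cluster, both with a single command." The reordered cloud list on the changed line matches the other product.md copies in this patch.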