mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 06:59:40 -05:00
Add STACKIT to readme (#2988)
* Add STACKIT to readme and sort CSPs alphabetically in sentences * fix links
This commit is contained in:
parent
912575eb31
commit
9e3d605cf2
@ -58,7 +58,7 @@ Encrypting your K8s is good for:
|
|||||||
<a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
|
<a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
|
||||||
|
|
||||||
* Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
|
* Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
|
||||||
* Support for Azure, GCP, and AWS.
|
* Support for AWS, Azure, GCP, and STACKIT.
|
||||||
* Support for local installations with [MiniConstellation][first-steps-local].
|
* Support for local installations with [MiniConstellation][first-steps-local].
|
||||||
* Support for [Terraform][terraform-provider]
|
* Support for [Terraform][terraform-provider]
|
||||||
|
|
||||||
@ -120,7 +120,6 @@ The Constellation source code is licensed under the [GNU Affero General Public L
|
|||||||
[cla-assistant]: https://cla-assistant.io/edgelesssys/constellation
|
[cla-assistant]: https://cla-assistant.io/edgelesssys/constellation
|
||||||
[cluster-attestation]: https://docs.edgeless.systems/constellation/architecture/attestation#cluster-attestation
|
[cluster-attestation]: https://docs.edgeless.systems/constellation/architecture/attestation#cluster-attestation
|
||||||
[confidential-kubernetes]: https://docs.edgeless.systems/constellation/overview/confidential-kubernetes
|
[confidential-kubernetes]: https://docs.edgeless.systems/constellation/overview/confidential-kubernetes
|
||||||
[discord]: https://discord.gg/rH8QTH56JN
|
|
||||||
[enterprise-support]: https://www.edgeless.systems/products/constellation/
|
[enterprise-support]: https://www.edgeless.systems/products/constellation/
|
||||||
[first-steps]: https://docs.edgeless.systems/constellation/getting-started/first-steps
|
[first-steps]: https://docs.edgeless.systems/constellation/getting-started/first-steps
|
||||||
[first-steps-local]: https://docs.edgeless.systems/constellation/getting-started/first-steps-local
|
[first-steps-local]: https://docs.edgeless.systems/constellation/getting-started/first-steps-local
|
||||||
|
@ -14,10 +14,10 @@ This project also aims to follow the [Go Proverbs](https://go-proverbs.github.io
|
|||||||
## Linting
|
## Linting
|
||||||
|
|
||||||
This projects uses [golangci-lint](https://golangci-lint.run/) for linting.
|
This projects uses [golangci-lint](https://golangci-lint.run/) for linting.
|
||||||
You can [install golangci-lint](https://golangci-lint.run/usage/install/#linux-and-windows) locally,
|
You can [install golangci-lint](https://golangci-lint.run/welcome/install/#local-installation) locally,
|
||||||
but there is also a CI action to ensure compliance.
|
but there is also a CI action to ensure compliance.
|
||||||
|
|
||||||
It is also recommended to use golangci-lint (and [gofumpt](https://github.com/mvdan/gofumpt) as formatter) in your IDE, by adding the recommended VS Code Settings or by [configuring it yourself](https://golangci-lint.run/usage/integrations/#editor-integration)
|
It is also recommended to use golangci-lint (and [gofumpt](https://github.com/mvdan/gofumpt) as formatter) in your IDE, by adding the recommended VS Code Settings or by [configuring it yourself](https://golangci-lint.run/welcome/integrations/)
|
||||||
|
|
||||||
## Logging
|
## Logging
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@ Make sure the following requirements are met:
|
|||||||
* Your machine is running Linux, macOS, or Windows
|
* Your machine is running Linux, macOS, or Windows
|
||||||
* You have admin rights on your machine
|
* You have admin rights on your machine
|
||||||
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT
|
* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -398,6 +398,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
|
|||||||
|
|
||||||
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
|
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
|
||||||
2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token
|
2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
clouds:
|
clouds:
|
||||||
stackit:
|
stackit:
|
||||||
@ -412,9 +413,11 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
|
|||||||
region_name: RegionOne
|
region_name: RegionOne
|
||||||
identity_api_version: 3
|
identity_api_version: 3
|
||||||
```
|
```
|
||||||
|
|
||||||
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
|
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
|
||||||
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
|
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
|
||||||
5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
|
5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
|
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
|
||||||
```
|
```
|
||||||
|
@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
||||||
Hence, the hypervisor is currently part of Constellation's TCB.
|
Hence, the hypervisor is currently part of Constellation's TCB.
|
||||||
Regarding (4), the CVMs still include closed-source firmware.
|
Regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
|
||||||
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
||||||
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
||||||
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
||||||
|
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
||||||
|
@ -135,7 +135,7 @@ This configuration creates an additional node group `high_cpu` with a larger ins
|
|||||||
|
|
||||||
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
||||||
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
||||||
STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2` and `eu01-3` zone.
|
STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones.
|
||||||
Consult the documentation of your cloud provider for more information:
|
Consult the documentation of your cloud provider for more information:
|
||||||
|
|
||||||
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
||||||
|
@ -101,7 +101,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -101,7 +101,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -278,7 +275,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions.
|
|||||||
|
|
||||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
||||||
|
|
||||||
|
|
||||||
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
||||||
|
|
||||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||||
@ -354,7 +350,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -278,7 +275,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions.
|
|||||||
|
|
||||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
||||||
|
|
||||||
|
|
||||||
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
||||||
|
|
||||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||||
@ -354,7 +350,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -281,7 +278,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions.
|
|||||||
|
|
||||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
||||||
|
|
||||||
|
|
||||||
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
||||||
|
|
||||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||||
@ -357,7 +353,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -281,7 +278,6 @@ The built-in `AdministratorAccess` policy is a superset of these permissions.
|
|||||||
|
|
||||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
To [create a Constellation cluster](../workflows/create.md#the-create-step), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
|
||||||
|
|
||||||
|
|
||||||
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
The built-in `PowerUserAccess` policy is a superset of these permissions.
|
||||||
|
|
||||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||||
@ -357,7 +353,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@ Make sure the following requirements are met:
|
|||||||
* Your machine is running Linux or macOS
|
* Your machine is running Linux or macOS
|
||||||
* You have admin rights on your machine
|
* You have admin rights on your machine
|
||||||
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
* Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
||||||
|
@ -305,7 +305,7 @@ A user can [verify](../workflows/verify-cluster.md) this statement and compare t
|
|||||||
So far, this page described how an entire Constellation cluster can be verified using hardware attestation capabilities and runtime measurements.
|
So far, this page described how an entire Constellation cluster can be verified using hardware attestation capabilities and runtime measurements.
|
||||||
The last missing link is how the ground truth in the form of runtime measurements can be securely distributed to the verifying party.
|
The last missing link is how the ground truth in the form of runtime measurements can be securely distributed to the verifying party.
|
||||||
|
|
||||||
The build process of Constellation images also creates the ground truth runtime measurements. <!-- soon: The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. -->
|
The build process of Constellation images also creates the ground truth runtime measurements. The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone.
|
||||||
With every release, Edgeless Systems publishes signed runtime measurements.
|
With every release, Edgeless Systems publishes signed runtime measurements.
|
||||||
|
|
||||||
The CLI executable is also signed by Edgeless Systems.
|
The CLI executable is also signed by Edgeless Systems.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@ Make sure the following requirements are met:
|
|||||||
* Your machine is running Linux or macOS
|
* Your machine is running Linux or macOS
|
||||||
* You have admin rights on your machine
|
* You have admin rights on your machine
|
||||||
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
* Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
|
@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
||||||
Hence, the hypervisor is currently part of Constellation's TCB.
|
Hence, the hypervisor is currently part of Constellation's TCB.
|
||||||
Regarding (4), the CVMs still include closed-source firmware.
|
Regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
|
||||||
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
||||||
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
||||||
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
||||||
|
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@ Make sure the following requirements are met:
|
|||||||
* Your machine is running Linux, macOS, or Windows
|
* Your machine is running Linux, macOS, or Windows
|
||||||
* You have admin rights on your machine
|
* You have admin rights on your machine
|
||||||
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT
|
* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -398,6 +398,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
|
|||||||
|
|
||||||
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
|
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
|
||||||
2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token
|
2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
clouds:
|
clouds:
|
||||||
stackit:
|
stackit:
|
||||||
@ -412,9 +413,11 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
|
|||||||
region_name: RegionOne
|
region_name: RegionOne
|
||||||
identity_api_version: 3
|
identity_api_version: 3
|
||||||
```
|
```
|
||||||
|
|
||||||
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
|
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
|
||||||
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
|
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
|
||||||
5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
|
5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
|
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
|
||||||
```
|
```
|
||||||
|
@ -34,13 +34,12 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
|
||||||
Hence, the hypervisor is currently part of Constellation's TCB.
|
Hence, the hypervisor is currently part of Constellation's TCB.
|
||||||
Regarding (4), the CVMs still include closed-source firmware.
|
Regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
|
||||||
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
|
||||||
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
|
||||||
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
|
||||||
|
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
||||||
|
@ -135,7 +135,7 @@ This configuration creates an additional node group `high_cpu` with a larger ins
|
|||||||
|
|
||||||
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
||||||
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
||||||
STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2` and `eu01-3` zones.
|
STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones.
|
||||||
Consult the documentation of your cloud provider for more information:
|
Consult the documentation of your cloud provider for more information:
|
||||||
|
|
||||||
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
||||||
|
@ -123,7 +123,7 @@ This means that you have to recover the node manually.
|
|||||||
|
|
||||||
First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `<cluster-name>-<UID>-control-plane-<UID>-<index>` and check that enough members are in a *Running* state.
|
First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `<cluster-name>-<UID>-control-plane-<UID>-<index>` and check that enough members are in a *Running* state.
|
||||||
|
|
||||||
Second, check the boot logs of these *Servers*. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**.
|
Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**.
|
||||||
|
|
||||||
In the serial console output, search for `Waiting for decryption key`.
|
In the serial console output, search for `Waiting for decryption key`.
|
||||||
Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk):
|
Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk):
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,7 +28,7 @@ Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confide
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,7 +28,7 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -343,7 +340,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,7 +28,7 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
The [CVMs available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
|
@ -63,7 +63,6 @@ The following infrastructure configurations was used:
|
|||||||
- CVM: `false`
|
- CVM: `false`
|
||||||
- Zone: `europe-west3-b`
|
- Zone: `europe-west3-b`
|
||||||
|
|
||||||
|
|
||||||
### Results
|
### Results
|
||||||
|
|
||||||
#### Network
|
#### Network
|
||||||
@ -71,7 +70,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were
|
|||||||
Constellation on Azure and AKS used an MTU of 1500.
|
Constellation on Azure and AKS used an MTU of 1500.
|
||||||
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
||||||
|
|
||||||
|
|
||||||
The difference in network bandwidth can largely be attributed to two factors.
|
The difference in network bandwidth can largely be attributed to two factors.
|
||||||
|
|
||||||
* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
||||||
* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
||||||
|
|
||||||
##### Pod-to-Pod
|
##### Pod-to-Pod
|
||||||
|
|
||||||
@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows:
|
|||||||
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
||||||
|
|
||||||
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
||||||
|
|
||||||
#### Storage I/O
|
#### Storage I/O
|
||||||
|
|
||||||
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
||||||
@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s
|
|||||||
|
|
||||||
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
||||||
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
||||||
|
|
||||||
- 6400 (20000 burst) IOPS
|
- 6400 (20000 burst) IOPS
|
||||||
- 144 MB/s (600 MB/s burst) throughput
|
- 144 MB/s (600 MB/s burst) throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
||||||
|
|
||||||
- 500 (600 burst) IOPS
|
- 500 (600 burst) IOPS
|
||||||
- 60 MB/s (150 MB/s burst) throughput
|
- 60 MB/s (150 MB/s burst) throughput
|
||||||
|
|
||||||
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
||||||
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
||||||
|
|
||||||
- 3,000 read IOPS
|
- 3,000 read IOPS
|
||||||
- 15,000 write IOPS
|
- 15,000 write IOPS
|
||||||
- 240 MB/s read throughput
|
- 240 MB/s read throughput
|
||||||
- 240 MB/s write throughput
|
- 240 MB/s write throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
||||||
|
|
||||||
- 2400 read IOPS
|
- 2400 read IOPS
|
||||||
- 2400 write IOPS
|
- 2400 write IOPS
|
||||||
- 112 MB/s read throughput
|
- 112 MB/s read throughput
|
||||||
@ -180,7 +183,6 @@ The following `fio` settings were used:
|
|||||||
|
|
||||||
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
||||||
|
|
||||||
|
|
||||||
The results for IOPS on Azure are as follows:
|
The results for IOPS on Azure are as follows:
|
||||||
|
|
||||||
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -437,7 +434,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -28,20 +28,19 @@ With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-comp
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX, and have recently [revealed](https://venturebeat.com/security/intel-launches-confidential-computing-solution-for-virtual-machines/) their plans to make TDX compatible with Google Cloud.
|
Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX, and have recently [revealed](https://venturebeat.com/security/intel-launches-confidential-computing-solution-for-virtual-machines/) their plans to make TDX compatible with Google Cloud.
|
||||||
|
|
||||||
## Amazon Web Services (AWS)
|
## Amazon Web Services (AWS)
|
||||||
|
|
||||||
Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). Regarding (3), AWS provides direct access to remote-attestation statements.
|
Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). Regarding (3), AWS provides direct access to remote-attestation statements.
|
||||||
However, attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
|
However, attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
|
||||||
|
|
||||||
\* Regarding (4), the CVMs include initial firmware inside the CVM based on [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF). Once this firmware will be reproducible and therefore verifiable, (4) switches from *No* to *Yes*.
|
\* Regarding (4), the CVMs include initial firmware inside the CVM based on [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF). Once this firmware will be reproducible and therefore verifiable, (4) switches from *No* to *Yes*.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## OpenStack
|
## OpenStack
|
||||||
|
|
||||||
OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
|
OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
|
||||||
|
@ -63,7 +63,6 @@ The following infrastructure configurations was used:
|
|||||||
- CVM: `false`
|
- CVM: `false`
|
||||||
- Zone: `europe-west3-b`
|
- Zone: `europe-west3-b`
|
||||||
|
|
||||||
|
|
||||||
### Results
|
### Results
|
||||||
|
|
||||||
#### Network
|
#### Network
|
||||||
@ -71,7 +70,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were
|
|||||||
Constellation on Azure and AKS used an MTU of 1500.
|
Constellation on Azure and AKS used an MTU of 1500.
|
||||||
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
||||||
|
|
||||||
|
|
||||||
The difference in network bandwidth can largely be attributed to two factors.
|
The difference in network bandwidth can largely be attributed to two factors.
|
||||||
|
|
||||||
* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
||||||
* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
||||||
|
|
||||||
##### Pod-to-Pod
|
##### Pod-to-Pod
|
||||||
|
|
||||||
@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows:
|
|||||||
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
||||||
|
|
||||||
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
||||||
|
|
||||||
#### Storage I/O
|
#### Storage I/O
|
||||||
|
|
||||||
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
||||||
@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s
|
|||||||
|
|
||||||
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
||||||
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
||||||
|
|
||||||
- 6400 (20000 burst) IOPS
|
- 6400 (20000 burst) IOPS
|
||||||
- 144 MB/s (600 MB/s burst) throughput
|
- 144 MB/s (600 MB/s burst) throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
||||||
|
|
||||||
- 500 (600 burst) IOPS
|
- 500 (600 burst) IOPS
|
||||||
- 60 MB/s (150 MB/s burst) throughput
|
- 60 MB/s (150 MB/s burst) throughput
|
||||||
|
|
||||||
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
||||||
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
||||||
|
|
||||||
- 3,000 read IOPS
|
- 3,000 read IOPS
|
||||||
- 15,000 write IOPS
|
- 15,000 write IOPS
|
||||||
- 240 MB/s read throughput
|
- 240 MB/s read throughput
|
||||||
- 240 MB/s write throughput
|
- 240 MB/s write throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
||||||
|
|
||||||
- 2400 read IOPS
|
- 2400 read IOPS
|
||||||
- 2400 write IOPS
|
- 2400 write IOPS
|
||||||
- 112 MB/s read throughput
|
- 112 MB/s read throughput
|
||||||
@ -180,7 +183,6 @@ The following `fio` settings were used:
|
|||||||
|
|
||||||
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
||||||
|
|
||||||
|
|
||||||
The results for IOPS on Azure are as follows:
|
The results for IOPS on Azure are as follows:
|
||||||
|
|
||||||
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -438,7 +435,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -63,7 +63,6 @@ The following infrastructure configurations was used:
|
|||||||
- CVM: `false`
|
- CVM: `false`
|
||||||
- Zone: `europe-west3-b`
|
- Zone: `europe-west3-b`
|
||||||
|
|
||||||
|
|
||||||
### Results
|
### Results
|
||||||
|
|
||||||
#### Network
|
#### Network
|
||||||
@ -71,7 +70,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
@ -79,11 +78,10 @@ Therefore, to make the test comparable, both AKS and Constellation on Azure were
|
|||||||
Constellation on Azure and AKS used an MTU of 1500.
|
Constellation on Azure and AKS used an MTU of 1500.
|
||||||
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
|
||||||
|
|
||||||
|
|
||||||
The difference in network bandwidth can largely be attributed to two factors.
|
The difference in network bandwidth can largely be attributed to two factors.
|
||||||
|
|
||||||
* Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
- Constellation's [network encryption](../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
|
||||||
* [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
|
||||||
|
|
||||||
##### Pod-to-Pod
|
##### Pod-to-Pod
|
||||||
|
|
||||||
@ -134,6 +132,7 @@ The results for "Pod-to-Pod" on GCP are as follows:
|
|||||||
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
|
||||||
|
|
||||||
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
|
||||||
|
|
||||||
#### Storage I/O
|
#### Storage I/O
|
||||||
|
|
||||||
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
|
||||||
@ -143,21 +142,25 @@ Similarly, upon a PVC request, Constellation will provision a PV via a default s
|
|||||||
|
|
||||||
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
|
||||||
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
|
||||||
|
|
||||||
- 6400 (20000 burst) IOPS
|
- 6400 (20000 burst) IOPS
|
||||||
- 144 MB/s (600 MB/s burst) throughput
|
- 144 MB/s (600 MB/s burst) throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
|
||||||
|
|
||||||
- 500 (600 burst) IOPS
|
- 500 (600 burst) IOPS
|
||||||
- 60 MB/s (150 MB/s burst) throughput
|
- 60 MB/s (150 MB/s burst) throughput
|
||||||
|
|
||||||
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
|
||||||
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
|
||||||
|
|
||||||
- 3,000 read IOPS
|
- 3,000 read IOPS
|
||||||
- 15,000 write IOPS
|
- 15,000 write IOPS
|
||||||
- 240 MB/s read throughput
|
- 240 MB/s read throughput
|
||||||
- 240 MB/s write throughput
|
- 240 MB/s write throughput
|
||||||
|
|
||||||
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
|
||||||
|
|
||||||
- 2400 read IOPS
|
- 2400 read IOPS
|
||||||
- 2400 write IOPS
|
- 2400 write IOPS
|
||||||
- 112 MB/s read throughput
|
- 112 MB/s read throughput
|
||||||
@ -180,7 +183,6 @@ The following `fio` settings were used:
|
|||||||
|
|
||||||
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
For more details, see the [`fio` test configuration](../../../../.github/actions/e2e_benchmark/fio.ini).
|
||||||
|
|
||||||
|
|
||||||
The results for IOPS on Azure are as follows:
|
The results for IOPS on Azure are as follows:
|
||||||
|
|
||||||
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
![I/O IOPS Azure benchmark graph](../_media/benchmark_fio_azure_iops.png)
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
@ -105,7 +105,7 @@ Initially, it will support the following KMSs:
|
|||||||
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
|
||||||
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
|
||||||
|
|
||||||
Storing the keys in Cloud KMS of AWS, GCP, or Azure binds the key usage to the particular cloud identity access management (IAM).
|
Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
|
||||||
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
|
||||||
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Make sure the following requirements are met:
|
|||||||
- Your machine is running Linux or macOS
|
- Your machine is running Linux or macOS
|
||||||
- You have admin rights on your machine
|
- You have admin rights on your machine
|
||||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
- Your CSP is Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -52,7 +52,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||||
@ -71,8 +70,6 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||||||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||||
@ -438,7 +435,6 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
@ -35,7 +35,7 @@ Thus, the Azure closed-source firmware becomes part of Constellation's trusted c
|
|||||||
|
|
||||||
## Google Cloud Platform (GCP)
|
## Google Cloud Platform (GCP)
|
||||||
|
|
||||||
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
|
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
|
||||||
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
|
||||||
However, regarding (4), the CVMs still include closed-source firmware.
|
However, regarding (4), the CVMs still include closed-source firmware.
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@ The following infrastructure configurations was used:
|
|||||||
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
|
||||||
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
|
||||||
|
|
||||||
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machineshttps://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
|
||||||
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
|
||||||
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
|
||||||
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
|
||||||
|
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
|
Loading…
Reference in New Issue
Block a user