Update README (#46)

* Update README

* Update images

* Add security policy

README.md

@@ -1,135 +1,98 @@
-<p align="center">
+![Constellation](docs/static/img/banner.svg)
-    <b>⭐ Star us on GitHub — it motivates us a lot!</b>
-</p>
 
-![](docs/static/img/constellation-header.png)
+# Always Encrypted K8s
 
-<h1 align="center">Welcome to Constellation!</h1>
+<p>
-
-<p align="center">
-    <a href="https://www.edgeless.systems/products/constellation/">Constellation</a> is the first Confidential Kubernetes platform. It leverages <a href="https://www.edgeless.systems/resources/confidential-computing/">confidential computing</a> to isolate entire Kubernetes clusters and all workloads from the rest of the cloud infrastructure.
-</p>
-
-<p align="center">
     <a href="https://github.com/edgelesssys/constellation/blob/master/LICENSE"><img src="https://img.shields.io/github/license/edgelesssys/constellation" alt="Constellation License"></a>
     <a href="https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-azure.yml/badge.svg?branch=main"><img src="https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-azure.yml/badge.svg?branch=main" alt="E2E Test Azure"></a>
     <a href="https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-gcp.yml/badge.svg?branch=main"><img src="https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-gcp.yml/badge.svg?branch=main" alt="E2E Test GCP"></a>
     <a href="https://goreportcard.com/report/github.com/edgelesssys/constellation"><img src="https://goreportcard.com/badge/github.com/edgelesssys/constellation" alt="Go Report"></a>
-    <a href="https://discord.gg/rH8QTH56JN"><img src="https://img.shields.io/badge/chat-on%20Discord-blue" alt="Discord"></a>
+    <a href="https://discord.gg/rH8QTH56JN"><img src="https://img.shields.io/discord/823900998606651454?color=7389D8&label=discord&logo=discord&logoColor=ffffff" alt="Discord"></a>
     <a href="https://twitter.com/EdgelessSystems"><img src="https://img.shields.io/twitter/follow/EdgelessSystems?label=Follow" alt="Twitter"></a>
 </p>
 
-## Table of contents <!-- omit in toc -->
+Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single *confidential context* that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages confidential computing (see our [whitepaper]) and more specifically Confidential VMs.
 
-- [✨ What is Constellation?](#-what-is-constellation)
+<img src="docs/static/img/concept.svg" alt="Concept" width="65%"/>
-- [🛠 Features](#-features)
-  - [Everything always encrypted](#everything-always-encrypted)
-  - [Everything verifiable](#everything-verifiable)
-  - [Performance and scale](#performance-and-scale)
-  - [100% compatibility](#100-compatibility)
-- [🚀 Getting started](#-getting-started)
-- [📖 Documentation](#-documentation)
-- [👥 Community](#-community)
-- [🤝 Contributing](#-contributing)
-- [🗺 Roadmap](#-roadmap)
-- [❓ Support & Enterprise Support](#-support--enterprise-support)
-- [📃 License](#-license)
 
+## Goals
 
-## ✨ What is Constellation?
+From a security perspective, Constellation is designed to keep all data always encrypted and to prevent access from the infrastructure layer (i.e., remove the infrastructure from the TCB). This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges). 
 
-From the inside, it's a fully featured, [certified] Kubernetes engine. From the outside, it's an end to end isolated, always encrypted stronghold. A Confidential Cloud in the public cloud.
+From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern K8s engine. 
-Constellation is open source and enterprise-ready, tailored for unleashing the power of confidential computing for all your workloads at scale.
 
-<picture>
+## Use cases
-  <source media="(prefers-color-scheme: dark)" srcset="docs/docs/_media/product-overview-dark.png">
-  <source media="(prefers-color-scheme: light)" srcset="docs/docs/_media/product-overview.png">
-  <img alt="Constellation product overview" src="docs/docs/_media/product-overview.png">
-</picture>
 
-For a brief introduction to the Confidential Kubernetes concept, read the [introduction][confidential-kubernetes].
+Encrypting your K8s is good for:
-For more elaborate overviews of Constellation, see the [architecture] documentation.
 
-## 🛠 Features
+* Increasing the overall security of your clusters
+* Increasing the trustworthiness of your SaaS offerings
+* Moving sensitive workloads from on-prem to the cloud
+* Meeting regulatory requirements
 
-### Everything always encrypted
+## Features
 
-- Memory runtime encryption of all Kubernetes nodes
+### 🔒 Everything always encrypted
-- [Transparent network encryption][network-encryption] provided by [Cilium]. Application independent, no sidecar required
-- [Persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) encryption for block storage. [Encrypted in the confidential Kubernetes context][storage-encryption], keys and plaintext data never leave the cluster. No trust in the cloud storage backend required
-- [Key management][key-management] for transparent network and storage encryption
 
-### Everything verifiable
+* Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
+* Transparent encryption of network and storage: All pod-to-pod traffic and all writes to persistent storage are automatically encrypted ([more][network-encryption])
+* Transparent key management: All cryptographic keys are managed within the confidential context ([more][key-management])
 
-- [Verifiable][cluster-attestation] integrity and confidentiality of the entire Kubernetes cluster
+### 🔍 Everything verifiable
-- Kubernetes node attestation based on confidential computing. Nodes are [verified][node-attestation] on their integrity and identity with a hardware-based remote attestation procedure before joining the cluster
-- [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/)
-- [Confidential computing-optimized][images], fully measured, and integrity-protected node OS
 
-### Performance and scale
+* "Whole cluster" attestation based on the remote-attestation feature of CVMs ([more][cluster-attestation])
+* Confidential computing-optimized node images based on Fedora CoreOS; fully measured and integrity-protected ([more][images])
+* Supply chain protection with [Sigstore](https://www.sigstore.dev/) ([more][supply-chain])
 
-- High-available, enterprise-ready Kubernetes engine
+### 🚀 Performance and scale
-- Multi-master architecture
-- [Stacked etcd topology][etcd-stacked]
-- Dynamic cluster autoscaling
 
-### 100% compatibility
+* High availability with multi-master architecture and stacked etcd topology 
+* Dynamic cluster autoscaling with verification and secure bootstrapping of new nodes
+* Competitive performance ([see K-Bench comparison with AKS and GKE][performance])
+
+### 🧩 Easy to use and integrate
 
 <a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
 
-- [Certified][certified] Kubernetes engine
+* Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
-- Works with all your existing containers and tools
+* ☁️ Support for Azure and GCP, more to come.
-- The only cloud-agnostic Confidential Kubernetes platform
-- Aligned to the [version support policy of Kubernetes][k8s-version-support]
-- [Cilium][Cilium] networking
 
-## 🚀 Getting started
+## Getting started
 
-![Constellation Shell](docs/static/img/constellation-shell-windowframe.svg)
+If you're already familiar with Kubernetes, it's easy to get started with Constellation:
 
-Sounds great, how can I try this?
+1. 📦 [Install the CLI][install]
+2. ⌨️ [Create a Constellation cluster][create-cluster]
+3. 🏎️ [Run your app][examples]
 
-Constellation can be deployed in minutes to your favorite infrastructure provider:
+![Constellation Shell](docs/static/img/shell-windowframe.svg)
 
-:wrench: [Install][install]
+## Documentation
 
-:lock: [Deploy][deploy]
+To learn more, see the official [documentation](https://docs.edgeless.systems/constellation).
+You may want to start with one of the following sections.
 
-:white_check_mark: [Profit][examples]
+* [Confidential Kubernetes][confidential-kubernetes] (Constellation vs. AKS/GKE + CVMs)
-
+* [Security benefits][security-benefits]
-## 📖 Documentation
-
-* [Concept][confidential-kubernetes]
-* [Threat model][threat-model]
 * [Architecture][architecture]
-* [Installing the CLI][install]
-* [Creating a Constellation cluster][deploy]
 
-## 👥 Community
+## Support
 
-* Got a question? Please get in touch via [Discord][discord] or file an [issue][github-issues].
+* Please ask questions via [Discord] or file an [issue][github-issues].
-* If you see an error message or run into an issue, please make sure to create a [bug report][github-issues].
+* If you experience errors, please create a [bug report][github-issues].
-* Get the latest news and announcements on [Twitter][twitter], [LinkedIn][linkedin] or sign up for our monthly [newsletter][newsletter].
+* Visit our [blog](https://blog.edgeless.systems/) for technical deep-dives and tutorials and follow us on [Twitter] for news.
-* Visit our [blog](https://blog.edgeless.systems/) for technical deep-dives and tutorials.
+* Edgeless Systems also offers [Enterprise Support][enterprise-support].
 
-## 🤝 Contributing
+## Contributing
 
-* Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information on issue reporting, code guidelines, and how to work in this repository.
+Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points: 
 * Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
-* This project and everyone participating in it are governed by the [Code of Conduct](/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code.
+* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md). 
-* To report a security issue, write to security@edgeless.systems.
+* ⚠️ To report a security issue, please write to security@edgeless.systems.
 
-## 🗺 Roadmap
+## License
 
-Constellation maintains a [public roadmap][TODO]. It gives a high-level view of the main priorities for the project, the maturity of different features, and how to influence the project direction.
+The Constellation source code is licensed under the [GNU Affero General Public License v3.0](https://www.gnu.org/licenses/agpl-3.0.en.html). Edgeless Systems provides pre-built and signed binaries and images for Constellation. You may use these free of charge to create and run services for internal consumption. You can find more information in the [license] section of the docs.
-
-## ❓ Support & Enterprise Support
-
-If you require a cluster with more than 8 vCPUs or need other services such as enterprise support: [Contact us][contact] or find more information on the [Constellation product page][constellation-product].
-
-## 📃 License
-
-TODO
 
 <!-- refs -->
 [architecture]: https://docs.edgeless.systems/constellation/architecture/overview
@@ -137,37 +100,21 @@ TODO
 [Cilium]: https://cilium.io/
 [cla-assistant]: https://cla-assistant.io/edgelesssys/constellation
 [cluster-attestation]: https://docs.edgeless.systems/constellation/architecture/attestation#cluster-attestation
-[community-license]: https://docs.edgeless.systems/constellation/overview/license
-[confidential-computing]: https://www.edgeless.systems/resources/confidential-computing/
 [confidential-kubernetes]: https://docs.edgeless.systems/constellation/overview/confidential-kubernetes
-[Constellation]: https://www.edgeless.systems/products/constellation/
-[constellation-product]: https://www.edgeless.systems/products/constellation/
-[contact]: https://www.edgeless.systems/contact/
-[deploy]: https://docs.edgeless.systems/constellation/workflows/create
 [discord]: https://discord.gg/rH8QTH56JN
-[discord-badge]: https://img.shields.io/badge/chat-on%20Discord-blue
+[enterprise-support]: https://www.edgeless.systems/products/constellation/
+[create-cluster]: https://docs.edgeless.systems/constellation/workflows/create
 [documentation]: https://docs.edgeless.systems/constellation/latest
-[e2eTestAzure]: https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-azure.yml/badge.svg?branch=main
-[e2eTestGCP]: https://github.com/edgelesssys/constellation/actions/workflows/e2e-test-gcp.yml/badge.svg?branch=main
-[etcd-stacked]: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology
 [examples]: https://docs.edgeless.systems/constellation/getting-started/examples
-[getting-started]: https://docs.edgeless.systems/constellation/getting-started
 [github-issues]: https://github.com/edgelesssys/constellation/issues/new/choose
-[go-report-card]: https://goreportcard.com/report/github.com/edgelesssys/constellation
-[go-report-card-badge]: https://goreportcard.com/badge/github.com/edgelesssys/constellation
 [images]: https://docs.edgeless.systems/constellation/architecture/images#constellation-images
 [install]: https://docs.edgeless.systems/constellation/getting-started/install
-[join-service]: https://docs.edgeless.systems/constellation/architecture/components#joinservice
 [k8s-version-support]: https://docs.edgeless.systems/constellation/architecture/versions#kubernetes-support-policy
-[key-management]: https://docs.edgeless.systems/constellation/architecture/keys#constellation-managed-key-management
+[key-management]: https://docs.edgeless.systems/constellation/architecture/keys
-[license]: https://github.com/edgelesssys/constellation/blob/master/LICENSE
+[license]: https://docs.edgeless.systems/constellation/next/overview/license
-[license-badge]: https://img.shields.io/github/license/edgelesssys/constellation
-[linkedin]: https://www.linkedin.com/company/edgeless-systems/
 [network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
-[newsletter]: https://www.edgeless.systems/#newsletter-signup
-[node-attestation]: https://docs.edgeless.systems/constellation/architecture/attestation#node-attestation
-[storage-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#storage-encryption
 [supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
-[troubleshooting]: https://docs.edgeless.systems/constellation/workflows/troubleshooting
+[security-benefits]: https://docs.edgeless.systems/constellation/next/overview/security-benefits
-[threat-model]: https://docs.edgeless.systems/constellation/overview/security-benefits
 [twitter]: https://twitter.com/EdgelessSystems
+[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
+[performance]: https://docs.edgeless.systems/constellation/next/overview/benchmarks

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Latest version
+
+## Reporting a Vulnerability
+
+To report a security issue, please write to security@edgeless.systems.