Verify your cluster
Constellation's attestation feature allows you, or a third party, to verify the confidentiality and integrity of your Constellation.
Fetch measurements
To verify the integrity of Constellation you need trusted measurements to verify against. For each of the released images there are signed measurements, which you can download using the CLI:
constellation config fetch-measurements
This command performs the following steps:
- Look up the signed measurements for the configured image.
- Download the measurements.
- Verify the signature.
- Write measurements into configuration file.
Custom arguments
Regulations or internal policies may require you to generate the measurements yourself. You can either write these measurements to the configuration file manually or download them from a custom location using this command:
constellation config fetch-measurements -u http://my.storage/measurements.yaml -s http://my.storage/measurements.yaml.sig -p "$(cat cosign.pub)"
The downloaded measurements are only accepted if their signature verifies against the public key you pass with -p, so that key must itself come from a source you trust. For more details consult the CLI reference.
The verify command
Once measurements are configured, this command verifies an attestation statement issued by a Constellation, thereby verifying the integrity and confidentiality of the whole cluster.
The following command performs attestation on the Constellation in your current workspace:
constellation verify azure
constellation verify gcp
The command makes sure the value passed to --cluster-id matches the clusterID presented in the attestation statement. This lets you verify that you are connecting to a specific Constellation instance rather than to some other cluster that merely passes attestation.
Additionally, the confidential computing capabilities, as well as the VM image, are verified to match the expected configurations.
Custom arguments
You can provide additional arguments for verify to verify any Constellation you have network access to. This requires you to provide:
- The IP address of a running Constellation's VerificationService. The VerificationService is exposed via a NodePort service using the external IP address of your cluster. Run kubectl get nodes -o wide and look for EXTERNAL-IP.
- The Constellation's clusterID. See cluster identity for more details.
constellation verify azure -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
constellation verify gcp -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
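The two inputs above, gathered and checked in a script, as an added example that is not part of the Constellation project or its documentation: a POSIX shell snippet that picks the EXTERNAL-IP out of kubectl get nodes -o wide output by header name rather than by column position, skips nodes that report <none>, sanity-checks the clusterID as base64 before any network round trip, and assembles the verify command line shown above. The node listing is constructed, not captured from a real cluster; the function names and the dry-run behaviour (printing the command instead of executing it) are assumptions of this example, while the -e and --cluster-id flags are the ones used on this page.

```shell
#!/bin/sh
# Added example, not code from the Constellation project. It automates the
# two inputs the custom verify invocation needs: the node EXTERNAL-IP and a
# well-formed clusterID.

# Constructed sample of `kubectl get nodes -o wide` output (not captured from
# a real cluster). The control-plane node reports <none> as EXTERNAL-IP,
# which is the value you must not pass to -e; note that the worker ROLES
# column is <none> too, so grepping for <none> is not a usable filter.
SAMPLE_NODES='NAME                STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE           KERNEL-VERSION   CONTAINER-RUNTIME
constell-control-0  Ready    control-plane   12m   v1.25.3   10.9.0.4      <none>        Fedora CoreOS 37   6.0.7            containerd://1.6.9
constell-worker-0   Ready    <none>          11m   v1.25.3   10.9.0.5      192.0.2.1     Fedora CoreOS 37   6.0.7            containerd://1.6.9
constell-worker-1   Ready    <none>          11m   v1.25.3   10.9.0.6      192.0.2.2     Fedora CoreOS 37   6.0.7            containerd://1.6.9'

# Read `kubectl get nodes -o wide` output on stdin and print the first
# EXTERNAL-IP that is not <none>. The column is located by its header name,
# so the function keeps working if kubectl adds or reorders columns. Values
# containing spaces (OS-IMAGE) come after EXTERNAL-IP, so whitespace
# splitting is safe here. Exit status 1 if no node exposes an external IP.
first_external_ip() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
        col && $col != "<none>" { print $col; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# The CLI expects the clusterID as the base64 string from the cluster's
# configuration; reject anything else before making a network round trip.
is_base64() {
    [ -n "$1" ] && printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# Assemble the `constellation verify` invocation for the given CSP. It is
# printed rather than executed so the example runs without a cluster; feed
# the output to sh, or swap printf for exec, when verifying for real.
verify_cmd() {
    csp=$1 ip=$2 cluster_id=$3
    case $csp in
        azure|gcp) ;;
        *) echo "unsupported csp: $csp" >&2; return 1 ;;
    esac
    is_base64 "$cluster_id" || { echo "cluster-id is not base64: $cluster_id" >&2; return 1; }
    printf 'constellation verify %s -e %s --cluster-id %s\n' "$csp" "$ip" "$cluster_id"
}

# Dry run against the constructed sample; the clusterID is the one used in
# the examples above.
IP=$(printf '%s\n' "$SAMPLE_NODES" | first_external_ip) || { echo "no node has an EXTERNAL-IP" >&2; exit 1; }
verify_cmd azure "$IP" Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
```

Picking the column by header name matters because both the ROLES and the EXTERNAL-IP columns can legitimately read <none>, and kubectl's wide output is not guaranteed to keep the same column order between versions. Replace SAMPLE_NODES with the live command (kubectl get nodes -o wide | first_external_ip) when running against a real cluster.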