Felix Schuster eb213878a2
Re-wording in docs/workflows (#135)
* Quick pass over create.md

* pass over verify.md

* Re-arrange workflows

* Quick polish of scale.md and upgrade.md

* Quick polish of terminate.md

* Cut recovery.md down

* Brush over ssh

* storage

* Brush over trusted launch VMs

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Add Azure back to title

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* fix lint errors

* publish to 2.0

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2022-09-13 15:12:05 +02:00


# Manually verify your cluster

Constellation's attestation feature allows you, or a third party, to explicitly verify the integrity and confidentiality of your Constellation cluster.

:::note
The steps below are purely optional. They're automatically executed by `constellation init` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose.
:::

## Fetch measurements

To verify the integrity of Constellation, you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI:

```bash
constellation config fetch-measurements
```

This command performs the following steps:

1. Download the signed measurements for the configured image. By default, this uses Edgeless Systems' public measurement registry.
2. Verify the signature of the downloaded measurements. This uses Edgeless Systems' public key.
3. Write the measurements into the configuration file.

## The verify command

The `verify` command obtains and verifies an attestation statement from a running Constellation cluster.

```bash
constellation verify [--cluster-id ...]
```

From the attestation statement, the command verifies the following properties:

- The cluster is using the correct Confidential VM (CVM) type.
- Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step.
- The unique ID of the cluster matches the one passed in via `--cluster-id`.

Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape.
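The three checks listed above, as an added Go example that is not Constellation's own code: the `Statement` type, the CVM type label, the PCR indices and the measurement values are constructed stand-ins for the real signed attestation document.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Statement is a constructed stand-in for the attestation statement a cluster returns;
// the real Constellation document has a different, signed layout.
type Statement struct {
	CVMType   string
	PCRs      map[uint32][32]byte // TPM PCR index -> measured value
	ClusterID []byte
}

// Verify checks the three properties listed above: CVM type, every expected measurement
// (a PCR missing from the statement also fails), and the base64 cluster ID from --cluster-id.
func Verify(st Statement, wantCVM string, want map[uint32][32]byte, clusterIDB64 string) error {
	if st.CVMType != wantCVM {
		return fmt.Errorf("CVM type %q, want %q", st.CVMType, wantCVM)
	}
	for idx, exp := range want {
		got, ok := st.PCRs[idx]
		if !ok {
			return fmt.Errorf("PCR %d missing from statement", idx)
		}
		if got != exp {
			return fmt.Errorf("PCR %d differs from signed measurement", idx)
		}
	}
	wantID, err := base64.StdEncoding.DecodeString(clusterIDB64)
	if err != nil {
		return fmt.Errorf("--cluster-id is not valid base64: %w", err)
	}
	if !bytes.Equal(st.ClusterID, wantID) {
		return fmt.Errorf("cluster ID differs from --cluster-id")
	}
	return nil
}

// Constructed sample data: measurements are SHA-256 of a label, not real image values.
const SampleClusterID = "Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ="

func ExpectedMeasurements() map[uint32][32]byte {
	return map[uint32][32]byte{4: sha256.Sum256([]byte("boot-loader")), 8: sha256.Sum256([]byte("kernel-cmdline"))}
}

func SampleStatement() Statement {
	id, _ := base64.StdEncoding.DecodeString(SampleClusterID)
	return Statement{CVMType: "azure-sev-snp", PCRs: ExpectedMeasurements(), ClusterID: id}
}

func main() { fmt.Println("sample statement:", Verify(SampleStatement(), "azure-sev-snp", ExpectedMeasurements(), SampleClusterID)) }
```

A statement that passes every check returns a nil error; any tampered or missing PCR, wrong CVM type, or mismatched cluster ID is rejected with a message naming the failed property.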

## Custom arguments

The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:

- The IP address of a running Constellation cluster's VerificationService. The VerificationService is exposed via a NodePort service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
- The cluster's clusterID. See cluster identity for more details.

For example:

```bash
constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
```