Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
Latest commit 6dc97590fe by Moritz Eckert (2022-05-20 17:30:37 +02:00):

Enable and configure k8s audit-log (#160)

* Enable and configure k8s audit-log
* Update coordinator/kubernetes/k8sapi/kubeadm_config.go
  Co-authored-by: Malte Poll <mp@edgeless.systems>
* add mount point for audit log dir in kubeadm conf
* Mount audit policy into kube-apiserver static pod
* Write default auditpolicy on cluster init / cluster join

Co-authored-by: Malte Poll <mp@edgeless.systems>
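The commit above routes the Kubernetes audit log through kubeadm: the kube-apiserver flags go into the kubeadm ClusterConfiguration, and because kube-apiserver runs as a static pod, both the policy file and the log directory must be mounted into it or the apiserver cannot read the policy and will not start. The following is an added example of what such a configuration looks like; it is not Constellation's own kubeadm_config.go or its default policy. The paths (/etc/kubernetes/audit-policy.yaml, /var/log/kubernetes/audit), the retention flags and the rule set are assumptions chosen to illustrate the pattern.

```yaml
# Added example, not Constellation's configuration. Paths, retention values
# and rules are assumptions.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    audit-log-path: /var/log/kubernetes/audit/audit.log
    audit-log-maxage: "30"      # days to keep rotated files
    audit-log-maxbackup: "10"   # number of rotated files to keep
    audit-log-maxsize: "100"    # MiB before rotation
  extraVolumes:
    # kube-apiserver is a static pod: host files are invisible unless mounted.
    # Without the first volume the apiserver fails at startup (policy file
    # missing); without the second it writes the log into its own container
    # filesystem, where it is lost when the pod is recreated.
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes/audit
      mountPath: /var/log/kubernetes/audit
      readOnly: false
      pathType: DirectoryOrCreate
---
# Default policy written to the assumed path on cluster init and join.
# Rules are evaluated top to bottom and the first match wins, so the
# sensitive-resource rules must precede the catch-all.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived          # one event per request, at ResponseComplete
rules:
  # Never record request or response bodies for Secrets, ConfigMaps and
  # TokenReviews: at Request/RequestResponse level the secret material and
  # bearer tokens would be copied verbatim into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Drop high-volume, low-value traffic from system components.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes", "pods"]
  # Health and version endpoints are unauthenticated noise.
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
  # Full bodies for the events an incident responder looks at first:
  # RBAC changes and interactive access to pods.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Request body for every other mutating call.
  - level: Request
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # Catch-all: metadata (user, verb, resource, response code) for all reads.
  - level: Metadata
```

After init, confirm the two volumeMounts and the audit flags actually landed in the generated static pod manifest (kubeadm writes it to /etc/kubernetes/manifests/kube-apiserver.yaml by default) and that the log file is being appended to; a policy that parses but matches nothing useful fails silently, so also issue a test request such as a pod exec and check that it appears in the log.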
Path | Last commit | Date
.github | Add cis benchmark to conformance test (#165) | 2022-05-19 14:57:21 +02:00
cli | fixed wording (#162) | 2022-05-18 19:01:11 +02:00
conformance | Add cis benchmark to conformance test (#165) | 2022-05-19 14:57:21 +02:00
coordinator | Enable and configure k8s audit-log (#160) | 2022-05-20 17:30:37 +02:00
debugd | readme: move debugd and local image testing to other files and add a component overview | 2022-05-19 08:56:28 +02:00
docs | readme: move debugd and local image testing to other files and add a component overview | 2022-05-19 08:56:28 +02:00
hack | run go mod tidy in hack folder. (#161) | 2022-05-18 18:44:40 +02:00
image | CoreOS build pipeline: Cleanup azure disk and image after converting to SIG (#137) | 2022-05-12 17:16:57 +02:00
internal | AB#2098 versioned & strict yaml reading (#157) | 2022-05-18 18:10:57 +02:00
kms | Fix proto file generation (#155) | 2022-05-17 15:02:14 +02:00
mount | AB#2103 Derive key from LUKS UUID instead of disk name (#156) | 2022-05-19 08:47:17 +02:00
proto | Fix proto file generation (#155) | 2022-05-17 15:02:14 +02:00
state | AB#2046 : Add option to create SSH users for the first coordinator upon initialization (#133) | 2022-05-16 17:32:00 +02:00
test | AB#1943 Extract KMS package (#56) | 2022-05-10 12:35:17 +02:00
.dockerignore | AB#2064 Feat/config/dev config to config (#139) | 2022-05-13 11:56:43 +02:00
.gitignore | AB#2064 Feat/config/dev config to config (#139) | 2022-05-13 11:56:43 +02:00
.golangci.yml | monorepo | 2022-03-22 16:09:39 +01:00
CMakeLists.txt | disable tpm simulator in coordinator release binary | 2022-04-29 13:44:09 +02:00
CONTRIBUTING.md | monorepo | 2022-03-22 16:09:39 +01:00
Dockerfile.build | migrate coordinator build dockerfile to fedora | 2022-04-29 16:35:41 +02:00
Dockerfile.e2e | AB#2064 Feat/config/dev config to config (#139) | 2022-05-13 11:56:43 +02:00
go.mod | Enable and configure k8s audit-log (#160) | 2022-05-20 17:30:37 +02:00
go.sum | Enable and configure k8s audit-log (#160) | 2022-05-20 17:30:37 +02:00
go.work | Create hack folder with independent modules (#131) | 2022-05-17 11:14:23 +02:00
go.work.sum | Create hack folder with independent modules (#131) | 2022-05-17 11:14:23 +02:00
README.md | readme: move debugd and local image testing to other files and add a component overview | 2022-05-19 08:56:28 +02:00

Constellation

This is the main repository of Constellation.

Core components:

  • cli: The CLI is used to manage a Constellation cluster
  • coordinator: The Coordinator is a node agent whose most important task is to bootstrap a node
  • image: Build files for the Constellation disk image
  • kms: Constellation's key management client and server
  • mount: Package used by CSI plugins to create and mount encrypted block devices
  • state: Contains the disk-mapper that maps the encrypted node data disk during boot

Development components:

  • conformance: Kubernetes conformance tests
  • debugd: Debug daemon and client
  • hack: Development tools
  • proto: Protobuf file generation
  • test: Integration tests

Additional repositories:

Build

Prerequisites:

  • Go 1.18
  • Packages on Ubuntu:
    sudo apt install build-essential cmake libssl-dev pkg-config libcryptsetup12 libcryptsetup-dev
    
mkdir build
cd build
cmake ..
make -j`nproc`

Cloud credentials

Using the CLI requires credentials that authorize API calls to the cloud service provider (CSP). See the docs for how to configure them.

Deploying a locally compiled coordinator binary

By default, constellation create ... spawns cloud provider instances with a pre-baked coordinator binary. For testing, you can use the Constellation debug daemon (debugd), a development-only component, to upload a locally built coordinator binary to running instances and to obtain SSH access. Follow this introduction on how to install and set up cdbg.

Development Guides

Deployment Guides