Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure.
Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.)
Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere.
In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.
6. 6
Confidential VMs
Intel TDX, ARM CCA
Defining properties
AMD SEV
🏝 Isolation
🏃♀️ Runtime memory-encryption
📃 Remote attestation
🔒 Sealing of state
…
Hypervisor
Hardware
App
Guest OS
Host OS
14. 14
On prem
Manually managed
Fully managed
Automatically managed by CSP
Join
Update OS
Scale
Update K8s
Cluster management strategies
Join
Update OS
Scale
Update K8s
Admin in control CSP in control
20. 20
Encryption in transit
• Wireguard VPN between Nodes
• Strict-mode preventing any
leaked packages due to only
eventually consistent state
• Blog post coming soon on
blog.cilium.io
21. 21
Encryption at rest: Kubernetes cluster state
✓ Storing etcd on encrypted and integrity protected disks
▪ Recovery:
✓ Automatically if at least one etcd node is healthy
▪ Manually via CLI in case of a disaster
22. 22
Encryption at rest: Volumes
Problem: Backend-encryption not enough – need in-cluster encryption
▪ CSI plugins for encrypted block storage (Azure Disk , Google PD)
▪ Encrypted RWX File and Blob storage based on Rook/Ceph
27. 27
Protection against infrastructure based threats
Status quo
Datacenter
employee
BIOS &
Firmware
Host OS Hypervisor Cloud admin Guest OS Application
Software and insiders with potential access to data.
You don’t have to trust the cloud provider and cloud admins anymore.
BIOS &
Firmware
Host OS Hypervisor Cloud admin Guest OS Application
Datacenter
employee
Workload
Infrastructure / cloud provider
Workload
Infrastructure / cloud provider
29. 29
Thanks!
▪ Check it out on GitHub:
https://github.com/edgelesssys/constellation
▪ Get in touch via @m1ghtymo
▪ Or join us @ https://discord.gg/rH8QTH56JN
Learn more
CLI demo
Features,
benchmarks, etc.
App demos: