Constellation: The First Confidential Kubernetes Distribution
How do you run sensitive workloads on someone else’s infrastructure? “You don’t” is probably a common spontaneous answer to this question. However, in a cloud-first world, not running on someone else’s infrastructure is becoming less and less a viable option.
Confidential computing is a relatively new security paradigm that addresses this problem with technology. Fundamentally, confidential computing is about two things: (1) keeping workloads encrypted and isolated during processing and (2) making this circumstance externally verifiable via cryptographic certificates (“remote attestation”).
Yes, that’s right, with confidential computing, workloads remain fully encrypted at runtime in memory. Only the CPU knows the encryption key, and it only temporarily decrypts the data in 64-byte chunks inside its internal registers and caches, which are inaccessible to other software and hardware.
With these two fundamental features, confidential computing lets you securely run workloads on potentially compromised systems. If implemented correctly, confidential computing can effectively shield workloads from malicious admins, OS kernels, hypervisors, and physical attacks like “cold boot.” Both runtime encryption and remote attestation are equally important here. Without remote attestation, a compromised infrastructure could simply lie about runtime encryption and the software it’s running and access your data once you send it over.
With Constellation, Edgeless Systems this month published probably the first implementation of the Confidential K8s concept as open source. Constellation is a CNCF-certified K8s and, from a usability perspective, should work like “normal” K8s distributions. Constellation adds features like Sigstore-based supply chain security to the core Confidential K8s concept. A feature list and benchmark comparisons for Constellation can be found on GitHub.
Constellation currently works with Azure and GCP with support for Amazon Web Services and OpenStack coming.
What Is Confidential Kubernetes?
Intel pioneered confidential computing when it started adding a feature called Software Guard Extensions (SGX) to its client CPUs in 2015. Back then, Intel primarily positioned SGX as a means to enforce digital rights management (DRM). Since then, the focus for the technology has shifted to the cloud, and AMD and Arm have jumped on the bandwagon with their Secure Encrypted Virtualization (SEV) and Realms features, respectively.
In essence, most of the recent Intel and AMD server CPUs support confidential computing, and the large cloud providers have all invested heavily in the tech and have corresponding offerings ready.
How Confidential Computing and Kubernetes Fit Together
OK, so if confidential computing is now prevalent, can we run our Kubernetes (K8s) clusters with it and keep everything encrypted and shielded from the infrastructure?
Unfortunately, it’s not that simple. To date, the clouds mostly offer so-called Confidential VMs (CVMs). These are normal VMs that provide runtime encryption and raw attestation capabilities. Running K8s nodes on CVMs automatically provides runtime encryption for those. However, as we’ve learned above, runtime encryption alone doesn’t cut it. We also need remote attestation and verification.
And this is where things become complicated in a K8s cluster: How does node A verify the genuineness of node B before sending data? What happens after a node image update or node failure? How can the K8s admin verify the genuineness of a whole cluster with many nodes before sending data? All of this can be solved, but it requires thoughtful design and engineering.
In addition, one would want mechanisms to ensure that data is not “only” encrypted at runtime, but that every single byte that goes on the wire or to cloud storage gets encrypted so that there are no gaps.
If all the above is given, we have something that almost seems a bit magical: a K8s cluster that is, as a whole, shielded from the infrastructure and in which all data is always encrypted — at rest, in transit and at runtime. Such a “Confidential K8s” is like a private carve-out on the public cloud. It prevents data access from malicious data-center employees, cloud admins, co-tenants and hackers coming through the cloud infrastructure software. Consequently, Confidential K8s enables companies to migrate even sensitive or regulated workloads to the cloud and to offer more trustworthy SaaS.
