[!IMPORTANT] Constellation is no longer actively maintained by Edgeless Systems.
This project is no longer receiving updates or support from Edgeless Systems. The repository remains available for archival purposes and community use. New development continues in Contrast, which provides workload-level confidential computing using Confidential Containers. 👉 https://github.com/edgelesssys/contrast
Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages confidential computing (see the whitepaper) and more specifically Confidential VMs.
From a security perspective, Constellation is designed to keep all data always encrypted and to prevent access from the infrastructure layer (i.e., remove the infrastructure from the TCB). This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges).
From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern K8s engine.
Encrypting your K8s is good for:
If you're already familiar with Kubernetes, it's easy to get started with Constellation:
Learn more: "Getting started with Constellation" videos series.
To learn more, see the documentation. You may want to start with one of the following sections.
Refer to CONTRIBUTING.md on how to contribute. The most important points:
Warning Please report any security issue via a private GitHub vulnerability report or write to security@edgeless.systems.
Constellation is licensed under the Business Source License 1.1. You may use it free of charge for non-production use. You can find more information in the license section of the docs.