constellation by edgelesssys

Confidential Kubernetes engine for data security

Created 3 years ago
1,070 stars

Top 35.4% on SourcePulse

Project Summary

Constellation is a Kubernetes engine designed to shield entire clusters from underlying cloud infrastructure using confidential computing. It targets users seeking enhanced data security for sensitive workloads, SaaS offerings, or cloud migrations, providing runtime encryption and verifiable cluster integrity.

How It Works

Constellation leverages Confidential VMs (CVMs) with AMD SEV or Intel TDX to create a secure, encrypted runtime environment for all nodes. This approach transparently encrypts data at rest (storage, persistent volumes, S3) and in transit (pod-to-pod traffic), with all cryptographic keys managed within the confidential context. This design aims to remove the infrastructure layer from the Trusted Computing Base (TCB).

Quick Start & Requirements

  • Install: CLI or Terraform provider.
  • Prerequisites: Confidential VMs (AMD SEV or Intel TDX) required for cloud deployments. Local installations via MiniConstellation are supported.
  • Resources: Cloud provider support includes AWS, Azure, GCP, and STACKIT.
  • Learn More: Getting started videos, Documentation

Highlighted Details

  • CNCF-certified Kubernetes, compatible with existing workloads and tools.
  • "Whole cluster" attestation via CVM remote-attestation features.
  • Supply chain protection with sigstore and SLSA Level 3.
  • High availability with multi-master and stacked etcd.

Maintenance & Community

  • Developed by Edgeless Systems, offering Enterprise Support.
  • Community engagement via GitHub discussions.
  • Follow on LinkedIn for news.

Licensing & Compatibility

  • Licensed under GNU Affero General Public License v3.0 (AGPL-3.0).
  • Pre-built binaries and images are free for internal consumption, evaluation, or non-commercial use. Commercial use or linking with closed-source software may require specific licensing considerations due to AGPL-3.0's strong copyleft provisions.

Limitations & Caveats

The AGPL-3.0 license imposes significant obligations on anyone who distributes modifications or derivative works, which can affect commercial closed-source integrations. Deployment also depends on the target cloud offering CVM hardware (AMD SEV or Intel TDX) and a provider implementation that Constellation supports.

Health Check

  • Last Commit: 14 hours ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 45
  • Issues (30d): 0
  • Star History: 6 stars in the last 30 days
