From 3255ce3e72de21730553ccc2525dd01545222bda Mon Sep 17 00:00:00 2001 From: Thomas Tendyck Date: Thu, 12 Oct 2023 14:07:58 +0200 Subject: [PATCH] docs: add s3proxy to features --- README.md | 14 ++++++++++---- docs/docs/overview/confidential-kubernetes.md | 2 +- .../overview/confidential-kubernetes.md | 2 +- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 47c42db303..e6f298f5e9 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,9 @@ Encrypting your K8s is good for: ### 🔒 Everything always encrypted * Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future. -* Transparent encryption of network and storage: All pod-to-pod traffic and all writes to persistent storage are [automatically encrypted][network-encryption] +* Transparent encryption of network: All [pod-to-pod traffic is automatically encrypted][network-encryption] +* Transparent encryption of storage: All writes to persistent storage are automatically encrypted. + This includes [nodes' state disks][storage-encryption], [persistent volumes via CSI][csi], and [S3 object storage][s3proxy]. * Transparent key management: All cryptographic [keys are managed within the confidential context][key-management] ### 🔍 Everything verifiable 
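Review bot: The new network bullet ends without a period while the storage bullet directly below it ends with one; make the two consistent, e.g. `* Transparent encryption of the network: All [pod-to-pod traffic is automatically encrypted][network-encryption].` The storage bullet's claim "All writes to persistent storage are automatically encrypted" now also covers S3, but S3 coverage depends on the s3proxy component the `[s3proxy]` link points at, so consider wording it as "S3 object storage via [s3proxy][s3proxy]" so readers don't assume objects written by clients that bypass the proxy are encrypted.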
@@ -72,8 +74,9 @@ If you're already familiar with Kubernetes, it's easy to get started with Conste ## Live demos We're running public instances of popular software on Constellation: -* Rocket.Chat: https://rocket.edgeless.systems/ ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa)) -* GitLab: https://gitlab.edgeless.systems/ ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h)) + +* Rocket.Chat: ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa)) +* GitLab: ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h)) These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential. @@ -102,7 +105,7 @@ Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most imp * Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md). > **Warning** -> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to security@edgeless.systems. +> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to . ## License 
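Review bot: As shown, the replacement lines in the live-demos hunk drop the instance URLs (`* Rocket.Chat: ([blog post](...))` no longer says where the instance lives), and the security-warning hunk drops the address after "write to" (`or write to .`). If these were converted to `<https://...>` / `<security@...>` autolinks, the angle-bracket form may have been swallowed in rendering or extraction; verify the rendered README still shows `https://rocket.edgeless.systems/`, `https://gitlab.edgeless.systems/` and `security@edgeless.systems`, since the removed lines were the only place they appeared, and a vulnerability-reporting notice without an address is a real gap. The blank line inserted before the list is fine; it avoids the markdown-lint warning about lists not surrounded by blank lines.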
@@ -126,6 +129,9 @@ The Constellation source code is licensed under the [GNU Affero General Public L [key-management]: https://docs.edgeless.systems/constellation/architecture/keys [license]: https://docs.edgeless.systems/constellation/overview/license [network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption +[storage-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#storage-encryption +[csi]: https://docs.edgeless.systems/constellation/workflows/storage +[s3proxy]: https://docs.edgeless.systems/constellation/workflows/s3proxy [supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust [security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits [twitter]: https://twitter.com/EdgelessSystems diff --git a/docs/docs/overview/confidential-kubernetes.md b/docs/docs/overview/confidential-kubernetes.md index 2b6c6ed17d..ca20df4de7 100644 --- a/docs/docs/overview/confidential-kubernetes.md +++ b/docs/docs/overview/confidential-kubernetes.md 
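Review bot: The three new reference targets (`architecture/keys#storage-encryption`, `workflows/storage`, `workflows/s3proxy`) point at docs pages and anchors that this patch does not create or modify, so check that the `#storage-encryption` heading exists on the keys page and that `workflows/s3proxy` is published at the same time as this README change; a README on the default branch that links to an unpublished docs page yields a 404. Note also that the README links S3 coverage to `workflows/s3proxy` while the docs change further down links to `architecture/encrypted-storage.md#encrypted-s3-object-storage`; either is fine, but pointing both at the same page keeps the story consistent.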
@@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun Constellation implements the Confidential Kubernetes concept with the following security features. * **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. +* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. * **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. * **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. * **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) 
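Review bot: The new link `../architecture/encrypted-storage.md#encrypted-s3-object-storage` depends on a heading that must already exist in encrypted-storage.md, which this patch does not touch; confirm the anchor resolves in the docs build. On wording, "other managed storage like AWS S3" is broader than what the linked section can describe; "S3-compatible object storage via s3proxy" would state the actual scope. Since this is the product's security-feature list, the bullet should not imply that all managed cloud storage is transparently encrypted.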
diff --git a/docs/versioned_docs/version-2.12/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.12/overview/confidential-kubernetes.md index 2b6c6ed17d..ca20df4de7 100644 --- a/docs/versioned_docs/version-2.12/overview/confidential-kubernetes.md +++ b/docs/versioned_docs/version-2.12/overview/confidential-kubernetes.md 
@@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun Constellation implements the Confidential Kubernetes concept with the following security features. * **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. +* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. * **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. * **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. * **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
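Review bot: Confirm that s3proxy actually shipped in release 2.12 before adding this bullet to `docs/versioned_docs/version-2.12/`, which is a frozen snapshot of what that release provides; otherwise users of 2.12 are pointed at a feature and an anchor (`#encrypted-s3-object-storage`) their version may not have. If it did ship, the change matches the unversioned copy line for line, which is what we want.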