
Constellation: An overview of the first always-encrypted Kubernetes engine

What is Constellation?

Constellation, created by Edgeless Systems, is the first always-encrypted Kubernetes engine, meaning that no one, not cloud admins, operators, foreign governments or, needless to say, hackers, can access the data in its cluster. It is an open-source Kubernetes engine. From the outside it looks like a normal K8s distribution such as SUSE Rancher or Red Hat OpenShift, fully featured and CNCF Certified Kubernetes Conformant, yet it is 100% confidential. How?

How does Constellation ensure a trustable level of security for clusters while functioning like normal K8s?

With Constellation, Kubernetes nodes run inside confidential virtual machines that shield workloads from their cloud environment and keep data encrypted even at runtime, giving you better control over your data and processes. In other words, Constellation shields the Kubernetes cluster from the infrastructure layer.

This is a clear break from existing setups, which require you to place your trust in the cloud provider. With Constellation you keep control over your data and processes.

 

How does Constellation implement data shielding?

Constellation’s data shielding capacity or confidentiality is provided by, among other factors:

 

  • The underlying hardware, including AMD Secure Encrypted Virtualization (SEV) and SEV-Secure Nested Paging (SEV-SNP), and Intel Trust Domain Extensions (TDX): with ARM having announced its new v9 design with confidential VM features, called Realms, last year, keeping data and processes confidential has become possible on even more platforms.
  • Always-on encryption
  • Cluster attestation, or verification using cryptographic certificates at the cluster level: cluster attestation is of two types, cluster-facing attestation and user-facing attestation. Constellation’s JoinService provides cluster-facing attestation, while user-facing attestation is provided by Constellation’s Verification Service.
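As an added illustration (not Constellation's own code and not its actual attestation format), the following Python sketch shows the logic behind user-facing attestation: the verifier sends a fresh nonce, the node returns its boot measurements bound to that nonce under a signing key, and the verifier rejects reports that are forged, replayed or carry unexpected measurements. The measurement values, register indices and key are constructed for the example, and HMAC stands in for the hardware-rooted signature a real CVM produces.

```python
import hashlib
import hmac
import secrets

# Constructed reference measurements (not real Constellation values); indices mimic PCR-style registers.
EXPECTED = {
    4: hashlib.sha256(b"example-kernel-and-initrd").hexdigest(),
    8: hashlib.sha256(b"example-kernel-cmdline").hexdigest(),
    9: hashlib.sha256(b"example-root-filesystem").hexdigest(),
}
# Stand-in for the hardware attestation key; a real CVM signs with a vendor-rooted key.
NODE_KEY = b"example-hardware-attestation-key"

def _report_body(nonce_hex: str, measurements: dict) -> bytes:
    # Canonical bytes the signature covers: the nonce first, then the sorted registers.
    regs = "|".join(f"{i}:{m}" for i, m in sorted(measurements.items()))
    return f"{nonce_hex}|{regs}".encode()

def node_attest(nonce: bytes, measurements: dict, key: bytes = NODE_KEY) -> dict:
    """Node side: bind the verifier's fresh nonce to the boot measurements and sign."""
    nonce_hex = nonce.hex()
    tag = hmac.new(key, _report_body(nonce_hex, measurements), hashlib.sha256).hexdigest()
    return {"nonce": nonce_hex, "measurements": dict(measurements), "tag": tag}

def verify_report(report: dict, nonce: bytes, expected: dict, key: bytes = NODE_KEY) -> list:
    """Verifier side (user-facing attestation): list of failures; an empty list means trusted."""
    failures = []
    body = _report_body(report["nonce"], report["measurements"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), report["tag"]):
        failures.append("signature")      # report altered, or not signed with the node key
    if report["nonce"] != nonce.hex():
        failures.append("stale-nonce")    # replay of an older, genuinely signed report
    for idx, want in expected.items():
        if report["measurements"].get(idx) != want:
            failures.append(f"measurement-{idx}")  # node booted an unexpected image
    return failures

def demo() -> dict:
    """The four cases a verifier must tell apart; returns each case's failure list."""
    n1, n2 = secrets.token_bytes(32), secrets.token_bytes(32)
    good = node_attest(n1, EXPECTED)
    bad_rootfs = {**EXPECTED, 9: hashlib.sha256(b"modified-root-filesystem").hexdigest()}
    tampered = node_attest(n2, bad_rootfs)
    forged = {**tampered, "measurements": dict(EXPECTED)}  # measurements edited after signing
    return {
        "genuine": verify_report(good, n1, EXPECTED),
        "tampered_rootfs": verify_report(tampered, n2, EXPECTED),
        "forged": verify_report(forged, n2, EXPECTED),
        "replayed": verify_report(good, secrets.token_bytes(32), EXPECTED),
    }
```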

 

With all the additional encryption layers, you might expect a significant drop in performance compared with non-confidential managed Kubernetes options like Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). That is where the real surprise lies.

 

Performance Impact Study From Runtime Encryption

To assess Constellation’s performance, Edgeless Systems performed a study on two fronts:

  1. Comparison of the general impact of using runtime memory encryption with Confidential Virtual Machines (CVMs) and Standard VMs
  2. Benchmarking of Constellation against non-confidential managed Kubernetes options like AKS and GKE using K-Bench

The following are the key takeaways from the study:

 

Performance impact from runtime memory encryption

Since the nodes in a Constellation cluster run inside CVMs to ensure confidentiality, CVM performance directly bounds Constellation’s performance. A performance analysis conducted by Azure and AMD showed that CVMs perform below normal non-confidential VMs, but only by 2 to 8%. For most microservice applications the overhead typically stays at the lower end of that range, and newer generations of confidential computing hardware are likely to reduce it further.

 

K-Bench benchmark for the overall performance of Constellation vs AKS and GKE

Kubernetes API: 

Comparing the latencies for pods, services and deployments between the three revealed that Constellation performed faster than the others with just a few exceptions.

 

Network: 

Network performance is assessed using two indicators: intra-node and inter-node transmission speed. While the intra-node transmission is communication between pods running on the same node, inter-node communication refers to communication between different Kubernetes nodes.

 

The benchmark results show that Constellation’s networking speed is comparable to the others; where it is slower, the difference comes from the network encryption it applies to protect data in transit.

 

Storage Input/Output:

Constellation, like Azure and GCP’s Container Storage Interfaces (CSIs), provides persistent storage on Azure and GCP – but with encryption on the CSI layer. 

 

The benchmark results show that Constellation on GCP reaches similar speeds in all scenarios. Constellation on Azure and AKS differ in some scenarios, with Constellation on Azure outperforming AKS in mixed read-write workloads.

 

The Results: 

Though encryption and performance are a known trade-off, the performance benchmarks reveal that Constellation is at the same level as AKS and GKE for networking and storage throughput and even outperforms them on API latency. Wherever it performs lower than the others, it’s because of its automatic data encryption over the network or storage for enhanced protection. 

 

To Conclude: Can Your Company Benefit From Constellation?

In short, yes, although it depends on your specific requirements. With support for all major clouds, including Azure and GCP, CNCF certification for compatibility with other Kubernetes tools and workloads, a comparatively small performance impact (per the results of the published study), and increased security gains, among other benefits, Constellation can comfortably help you start your cloud confidentiality journey.

 

If you are in search of a reliable Kubernetes Consulting Services provider, we have the solutions to help. Experience the technical proficiency of our Kubernetes experts.

Urolime Technologies has made groundbreaking accomplishments in the field of Google Cloud & Kubernetes Consulting, DevOps Services, 24/7 Managed Services & Support, Dedicated IT Team, Managed AWS Consulting and Azure Cloud Consulting. We believe our customers are Smart to choose their IT Partner, and we “Do IT Smart”.