What is Constellation?
Constellation, developed by Edgeless Systems, is an open-source Kubernetes engine that its makers describe as the first always-encrypted Kubernetes: the cluster's data stays encrypted at all times, including while it is being processed, so that nobody at the infrastructure level (cloud admins, operators, foreign governments, or attackers who have compromised the host) can read it. From the outside it behaves like any other Kubernetes distribution such as SUSE Rancher or Red Hat OpenShift: fully featured and conformant under the CNCF Certified Kubernetes program. Inside, every node is confidential. How?
How does Constellation ensure a trustable level of security for clusters while functioning like normal K8s?
With Constellation, Kubernetes nodes run inside confidential virtual machines (CVMs) that shield workloads from their cloud environment and keep node memory encrypted even at runtime. In other words, Constellation isolates the Kubernetes cluster from the infrastructure layer beneath it: the provider's hypervisor and administrators cannot read what the nodes are working on.
This is a departure from conventional setups, in which you have no choice but to trust the cloud provider with the contents of your VMs. With Constellation you keep control over your data and processes.
How does Constellation implement data shielding?
Constellation's confidentiality rests on the following building blocks, among others:
- The underlying hardware: AMD Secure Encrypted Virtualization (SEV) with its Secure Nested Paging extension (SEV-SNP), and Intel Trust Domain Extensions (TDX). With Arm's announcement last year of its Armv9 design, which adds confidential VM features called Realms, this kind of hardware is becoming available across vendors.
- Always-on encryption: node memory at runtime (through the CVMs), network traffic between nodes, and persistent storage.
- Cluster attestation: cryptographic verification, based on attestation reports signed by the hardware, that every node is a genuine CVM running the expected Constellation software. It comes in two flavours. Cluster-facing attestation is performed by Constellation's JoinService, which verifies a node before admitting it to the cluster; user-facing attestation is performed by Constellation's Verification Service, which lets a user verify the cluster from outside before trusting it.
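The following Go program is an added example, written for this page and not taken from Constellation's code base, of the check both attestation flavours boil down to: a relying party (the JoinService admitting a node, or a user verifying the cluster) pins a trusted hardware key and a set of expected boot measurements, then rejects any report that is not signed by that key, was not produced for its fresh nonce, or reports measurements that differ. Everything here is simulated: the hardware attestation key is an ed25519 key generated in-process, the report format, register names and boot components are constructed sample values, and the hashing is a single SHA-256 rather than a chained measured-boot extend.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Measurements maps a register index (as a string, e.g. "4") to the hex SHA-256
// digest of what was loaded into it at boot. Constructed layout for this example.
type Measurements map[string]string

// Report is the attestation document: the challenger's nonce (freshness) plus the
// measured boot state. On real hardware the CVM firmware builds and signs it.
type Report struct {
	Nonce        []byte       `json:"nonce"`
	Measurements Measurements `json:"measurements"`
}

// canonical serialises a report deterministically so signer and verifier sign and
// check the same bytes; encoding/json sorts map keys, which gives that property.
func canonical(r Report) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // Report contains only encodable types
	}
	return b
}

// Attester plays the node side: the (simulated) hardware key signs a report.
type Attester struct {
	key          ed25519.PrivateKey // stands in for the platform attestation key
	measurements Measurements       // what this node actually booted
}

func (a Attester) Attest(nonce []byte) (Report, []byte) {
	r := Report{Nonce: nonce, Measurements: a.measurements}
	return r, ed25519.Sign(a.key, canonical(r))
}

// Verifier plays the relying party (JoinService or user) with pinned trust anchors.
type Verifier struct {
	trustedKey ed25519.PublicKey
	expected   Measurements
}

var (
	ErrSignature   = errors.New("attestation: report not signed by trusted hardware key")
	ErrNonce       = errors.New("attestation: nonce mismatch (stale or replayed report)")
	ErrMeasurement = errors.New("attestation: measurement mismatch")
)

// Verify checks authenticity (signature), then freshness (nonce), then boot state
// (every pinned measurement present and equal). Order matters: nothing in an
// unauthenticated report is worth inspecting.
func (v Verifier) Verify(r Report, sig, nonce []byte) error {
	if !ed25519.Verify(v.trustedKey, canonical(r), sig) {
		return ErrSignature
	}
	if !bytes.Equal(r.Nonce, nonce) {
		return ErrNonce
	}
	for k, want := range v.expected {
		if got, ok := r.Measurements[k]; !ok || got != want {
			return fmt.Errorf("%w: register %s: want %s, got %q", ErrMeasurement, k, want, got)
		}
	}
	return nil
}

// measure is a simplified stand-in for a measured-boot register value.
func measure(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte(p))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewNonce returns a fresh 32-byte challenge.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Scenario runs four join attempts against one verifier and returns each outcome:
// a genuine node, a node that booted a modified kernel, a replayed report, and a
// report forged with a key the verifier does not trust.
func Scenario() (genuine, tampered, replayed, forged error) {
	hwPub, hwPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	expected := Measurements{"4": measure("kernel-6.1", "initrd"), "8": measure("kernel-cmdline")}
	v := Verifier{trustedKey: hwPub, expected: expected}

	n1 := NewNonce() // 1. genuine: trusted key, expected measurements, fresh nonce
	r1, s1 := Attester{key: hwPriv, measurements: expected}.Attest(n1)
	genuine = v.Verify(r1, s1, n1)

	n2 := NewNonce() // 2. tampered: the hardware honestly reports a different kernel
	modified := Measurements{"4": measure("kernel-6.1-patched", "initrd"), "8": expected["8"]}
	r2, s2 := Attester{key: hwPriv, measurements: modified}.Attest(n2)
	tampered = v.Verify(r2, s2, n2)

	replayed = v.Verify(r1, s1, NewNonce()) // 3. the genuine report reused later

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // 4. forged with own key
	if err != nil {
		panic(err)
	}
	r4, s4 := Attester{key: attackerPriv, measurements: expected}.Attest(n1)
	forged = v.Verify(r4, s4, n1)
	return
}

func main() {
	g, t, r, f := Scenario()
	fmt.Println("genuine:", g, "\ntampered:", t, "\nreplayed:", r, "\nforged:", f)
}
```

Only the first attempt succeeds. The other three fail for different reasons, which is the point of pinning all three properties: a valid signature alone proves only that some trusted hardware produced the report, not that it was produced for this challenge or that the node booted the software you expect.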
With all the additional encryption layers, you might expect a significant performance penalty compared with non-confidential managed Kubernetes offerings like Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). That is where the real surprise lies.
Performance Impact Study From Runtime Encryption
To assess Constellation’s performance, Edgeless Systems performed a study on two fronts:
- Comparison of the general impact of using runtime memory encryption with Confidential Virtual Machines (CVMs) and Standard VMs
- Benchmarking of Constellation against non-confidential managed Kubernetes options like AKS and GKE using K-Bench
The following are the key takeaways from the study:
Performance impact from runtime memory encryption
Since the nodes in a Constellation cluster run inside CVMs, the performance of CVMs bounds the performance of Constellation itself. A performance analysis conducted by Azure and AMD found that CVMs run only 2 to 8% slower than comparable non-confidential VMs. For most microservice workloads the overhead sits at the lower end of that range, and with newer generations of confidential computing hardware it is likely to shrink further.
K-Bench benchmark for the overall performance of Constellation vs AKS and GKE
Kubernetes API:
Comparing the latencies for pods, services and deployments between the three revealed that Constellation performed faster than the others with just a few exceptions.
Network:
Network performance is assessed using two indicators: intra-node and inter-node throughput. Intra-node traffic is communication between pods on the same node; inter-node traffic is communication between different Kubernetes nodes.
The benchmark shows that Constellation's network throughput is comparable to AKS and GKE. Where it is slower, the difference is attributable to the encryption it applies to in-transit traffic between nodes.
Storage Input/Output:
Constellation ships its own Container Storage Interface (CSI) drivers for Azure and GCP. Like the providers' own CSI drivers they deliver persistent storage, but they add encryption at the CSI layer.
The benchmark shows that Constellation on GCP performs similarly to GKE in all scenarios. On Azure the results differ in part: Constellation outperforms AKS on mixed read/write workloads.
The Results:
Encryption and performance are a known trade-off, yet the benchmarks show Constellation on par with AKS and GKE for network and storage throughput, and ahead of them on API latency. Where it is slower, the cause is the automatic encryption of network traffic or storage that provides the added protection. Note that these are the vendor's own measurements, so it is worth repeating the ones that matter for your workload.
To Conclude: Can Your Company Benefit From Constellation?
In short, yes, though it depends on your specific requirements. With support for major clouds including Azure and GCP, CNCF certification for compatibility with other Kubernetes tools and workloads, a modest performance impact (according to the vendor's published study), and real security gains, among other benefits, Constellation is a comfortable way to start your cloud confidentiality journey.
If you are looking for a reliable Kubernetes consulting services provider, we can help. Experience the technical proficiency of our Kubernetes experts.