Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. These features are provided by several microservices:
- The Bootstrapper initializes a Constellation node and bootstraps the cluster
- The JoinService joins new nodes to an existing cluster
- The VerificationService provides remote attestation functionality
- The KeyService manages Constellation-internal keys
The relations between microservices are shown in the following diagram:
The Bootstrapper is the first microservice launched after booting a Constellation node image. It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. To this end, the Bootstrapper first downloads and verifies the Kubernetes components at the configured versions. The Bootstrapper tries to find an existing cluster and if successful, communicates with the JoinService to join the node. Otherwise, it waits for an initialization request to create a new Kubernetes cluster.
The JoinService runs as DaemonSet on each control-plane node. New nodes (at cluster start, or later through autoscaling) send a request to the service over attested TLS (aTLS). The JoinService verifies the new node's certificate and attestation statement. If attestation is successful, the new node is supplied with an encryption key from the KeyService for its state disk, and a Kubernetes bootstrap token.
The VerificationService runs as DaemonSet on each node. It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for verifying the cluster. Read more about the hardware-based attestation feature of Constellation and how to verify a cluster on the client side.
The KeyService runs as DaemonSet on each control-plane node. It implements the key management for the storage encryption keys in Constellation. These keys are used for the state disk of each node and the transparently encrypted storage for Kubernetes. Depending on wether the constellation-managed or user-managed mode is used, the KeyService holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.