
Show HN: Constellation – An always encrypted Kubernetes engine

14 points by flxflx over 2 years ago
Hey HN,

My colleagues and I have been working on Constellation for 1.5+ years. We open sourced it today under AGPLv3. It's a standalone Kubernetes engine/distribution that operations-wise is very much vanilla K8s (v1.24). Security-wise, it comes with some new concepts: It's designed to shield K8s clusters as a whole from the cloud. The goal is that not even the cloud provider and its employees can access any data in a cluster. Constellation basically ensures that all nodes in a cluster (1) run inside verified "Confidential VMs" and (2) encrypt all network traffic and storage.

Confidential VMs are VMs that have the AMD SEV feature. Intel TDX and Arm Realms are similar. CVMs protect workloads against a compromised host and malicious admins. For this, CVMs remain encrypted at runtime in memory, are strongly isolated, and have cool remote attestation capabilities. This is also often referred to as "confidential computing".

CVMs are currently available in Azure and GCP. Constellation comes with a Fedora CoreOS-based node image that is optimized for CVMs and protected with Sigstore. More info in the README/docs.

What do you think?

-Felix

3 comments

goncalo-r over 2 years ago

Really cool project!

Are there any downsides - for example performance or operational overhead - of using Constellation over vanilla K8s?
styren over 2 years ago

Interesting project! What is your target audience for something like this?
jonathan_re over 2 years ago

congrats on the launch!