Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
upgradeConfig and require name and microserviceVersion fields by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1541
EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying AMD SNP-SEV id key digest by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1257
upgrade apply now allows upgrading measurements only by @derpsteb in https://github.com/edgelesssys/constellation/pull/1432
confidentialVM config option for Azure clusters in favor of attestationVariant by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1539
status command to print upgrade and version status of cluster by @derpsteb in https://github.com/edgelesssys/constellation/pull/1520
upgrade check command by @msanft in https://github.com/edgelesssys/constellation/pull/1394
constellation verify by @msanft in https://github.com/edgelesssys/constellation/pull/1577
upgrade apply for image-only upgrades by @derpsteb in https://github.com/edgelesssys/constellation/pull/1468
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.6.0...v2.7.0
iam destroy command to delete resources created by iam create by @miampf in https://github.com/edgelesssys/constellation/pull/946
constellation create on OpenStack by @malt3 in https://github.com/edgelesssys/constellation/pull/1283
$HOME/.kube/config on init by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1136
--kubernetes flag to config generate to let CLI extend the correct Kubernetes patch version by @derpsteb in https://github.com/edgelesssys/constellation/pull/1226
--kubernetes flag to iam create (when used with --create-config) by @Nirusu in https://github.com/edgelesssys/constellation/pull/1326
config kubernetes-versions subcommand to print supported Kubernetes versions by @derpsteb in https://github.com/edgelesssys/constellation/pull/1224
iam create command by @msanft in https://github.com/edgelesssys/constellation/pull/1127
iam create twice in the same workspace. This prevents cases where existing IAM resources are mistakenly rolled back by @msanft in https://github.com/edgelesssys/constellation/pull/1148
iam create by @msanft in https://github.com/edgelesssys/constellation/pull/1149
create output by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1209
--generate-config by @Nirusu in https://github.com/edgelesssys/constellation/pull/1285
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.0...v2.6.0
connection refused errors by @3u13r in https://github.com/edgelesssys/constellation/pull/1245
timeout errors by @derpsteb in https://github.com/edgelesssys/constellation/pull/1151
iam create to prevent erroneous rollback by @msanft in https://github.com/edgelesssys/constellation/pull/1148
iam create by @msanft in https://github.com/edgelesssys/constellation/pull/1149
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.2...v2.5.3
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.1...v2.5.2
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.0...v2.5.1
constellation-init may report an invalid idkeydigest. To circumvent the problem, add under the key idKeyDigest in your constellation-conf.yaml an additional value: 934f68bd8ba01938eec21475c872e3a942b60c59fafc6df9e9a76ee66bc47f2d09c676f61c0315c578da26085fb13a71
--generate-config flag to constellation iam create command, which creates a config file with IAM values filled in by @msanft in https://github.com/edgelesssys/constellation/pull/782
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.4.0...v2.5.0
constellation-init may report an invalid idkeydigest. To circumvent the problem change the key idKeyDigest in your constellation-conf.yaml to the new value: 0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3
.fixed. below. We keep the original ones uploaded with .original. to keep the provenance valid. In doubt, you can independently generate a SBOM of all components using Syft.
--debug flag by @osintalex in https://github.com/edgelesssys/constellation/pull/809
Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.3.0...v2.4.0
constellation iam create can be used to automatically create service accounts and set permissions for Constellation
constellation init
CONSTELL_AZURE_CLIENT_SECRET_VALUE as an alternative way to provide the configuration value provider.azure.clientSecretValue.
images field of the configuration file.
measurements entry in the CLI now uses an updated format, merging enforcedMeasurements and old measurements into one
access-manager was removed from code base. K8s native way to SSH into nodes documented.
SSHUsers has been removed from the user configuration following the removal of access-manager.
constellation create on GCP now always uses the local default credentials.
.new. SBOM file uploaded. In doubt, you can independently generate a SBOM of all components using Syft.
Warning: The default config for QEMU-based cluster creation is broken in this release. Please upgrade to v2.2.2.
constellation config fetch-measurements from 3 seconds to 60 seconds.
stderr.
Vulnerabilities in kube-apiserver fixed by upgrading to v1.23.14, v1.24.8 and v1.25.4: