
Constellation

The world’s most secure Kubernetes


Constellation leverages confidential computing to isolate entire Kubernetes clusters from the infrastructure. Finally, the public cloud turns into your private cloud.

Shield your entire Kubernetes deployment


Everything always encrypted


All data in the cluster remains encrypted in all states - at rest, in transit, and during processing.


Assured workload integrity


The integrity of the entire cluster is verified based on cryptographic certificates and the latest supply-chain security mechanisms.


Performance and scale


High availability, autoscaling, and close to native performance.

Why Constellation


By encrypting your entire K8s cluster, Constellation supports you in migrating sensitive workloads to the cloud with maximum security and in increasing the trustworthiness of your SaaS offerings. Constellation helps you prevent data breaches and address regulatory requirements like GDPR and DORA. Constellation works on all major clouds.


Easy to use and integrate


Constellation can be set up in minutes in your favorite cloud with an easy-to-use CLI. Afterwards, you can connect your favorite Kubernetes tooling via the kubeadm interface.

Constellation enables you to

01. Migrate sensitive workloads to the cloud

02. Make your SaaS more trustworthy

03. Increase the security of your Kubernetes clusters

Comparison with managed Kubernetes


For end-to-end confidentiality, it is not enough to use managed Kubernetes offerings like AKS, EKS, or GKE with Confidential VMs. Many attack vectors remain.


Constellation is the leading confidential-computing solution


Constellation is a CNCF-certified Kubernetes distribution


This ensures compatibility with all existing Kubernetes tooling. In addition, we ship Kubernetes security updates within 24 hours.


Constellation implements SLSA, the gold standard for supply-chain security


Constellation achieves SLSA Level 3. With reproducible builds, hardware-based attestation, and sigstore-based software signatures throughout, Constellation is leading the way in supply-chain security for Kubernetes.


Constellation passes the CIS Kubernetes security benchmarks


The benchmarks from the Center for Internet Security (CIS) are widely recognized standards for defending IT systems against cyberattacks.


Constellation uses Cilium and WireGuard


This enables granular control of cluster traffic via eBPF and ensures that all cluster traffic is encrypted. As a result, the Kubernetes clusters are fully isolated from the infrastructure and entirely secured.


Constellation is open source


The source code of Constellation is accessible for anyone to review on GitHub. This enables meaningful remote attestation.

OCCRP uses Constellation on GCP to protect journalists


Constellation’s ease of use meant that developers at the Organized Crime and Corruption Reporting Project (OCCRP) could implement it quickly and then continue focusing on the other technical tools that augment their journalists’ work. With Constellation, OCCRP could rest assured that its most valuable information remains safe for use by international journalists.


FAQ

Which cloud platforms support Constellation?

Constellation is available on Azure, AWS, and GCP through their respective marketplaces. It also integrates with STACKIT and supports any OpenStack-based cloud. Currently, Azure offers the most comprehensive feature support, followed by AWS and GCP. With this setup, you can create self-managed Constellation clusters billed on a pay-per-use basis (hourly, per vCPU) through your cloud account, with direct support from Edgeless Systems.

Can Constellation run on-prem? What are the requirements?

Yes, Constellation can run on-premises but requires a “cloud operating system” like OpenStack. It does not support bare-metal setups. Additionally, it requires Confidential Virtual Machines (CVMs) based on AMD SEV or Intel TDX.

Is Constellation compatible with Kubernetes distributions like OpenShift, Rancher/RKE, or Tanzu?

Constellation is a CNCF-certified distribution and serves as an alternative to Kubernetes distributions like OpenShift, Rancher/RKE, and Tanzu. It can also be used alongside "meta-orchestration" tools like Rancher or Portainer to enhance management capabilities.

What is the commercial model for Constellation?

Constellation is open-source and available under the GNU Affero General Public License v3.0. The community edition is free for testing and is available to NGOs. However, companies require an enterprise license for production use, which includes support and additional features, such as KMIP integration. Pricing follows a per vCPU, per year model, with specific offers available upon request. Constellation is also accessible through the AWS, Azure, GCP, and STACKIT marketplaces, allowing for self-managed clusters billed on a pay-per-use basis.

What happens when I reach my quota limit?

There is no hard stop when you reach your quota limit; however, exceeding it would violate the licensing agreement. We urge you to inform us and increase your quota to remain compliant.

What’s the difference between Constellation and Contrast? When should I use each?

Constellation is a Kubernetes distribution that isolates entire clusters, providing a standard Kubernetes and DevOps experience. It is best suited for organizations looking to use third-party infrastructure or operate in high-security environments. With Constellation, the complexities of confidential computing are managed for you, allowing users to focus on their applications without dealing with underlying security details.


Contrast is a platform designed for confidential containers, providing isolation for individual workloads. It is intended for users who want to integrate confidential computing with managed Kubernetes offerings, handle multi-party use cases, or restrict access to application data from their own administrators. With Contrast, users are required to define a manifest for their applications, allowing for precise control over their setup.


If your goal is to shield an entire Kubernetes cluster with minimal changes, Constellation is likely the better choice. However, if you need more granular control over workloads and are comfortable writing app-specific manifests, Contrast provides this flexibility.

Has Constellation undergone a penetration test?

Yes, Constellation has undergone penetration testing, primarily conducted by our customers and their contractors. Typically, larger clients perform their own assessments. We welcome inquiries regarding individual evaluation options and are happy to discuss them upon request.

Do I have to change my application?

You don't need to modify your application to deploy on Constellation. Existing applications can be migrated to Constellation without changes to their code or architecture, while ensuring all data remains encrypted and secure from the underlying infrastructure.

Can I use Constellation with Infrastructure-as-Code, GitOps, service mesh, or security tools?

Yes, Constellation seamlessly integrates with Infrastructure-as-Code (IaC), GitOps, service meshes, and security tooling. You can use Constellation's Terraform provider to set up infrastructure with IaC tools such as Terraform, which also makes it straightforward to integrate into GitOps workflows with tools like Argo CD or Flux. As a CNCF-certified Kubernetes distribution, Constellation is compatible with standard Kubernetes tooling, allowing you to deploy service meshes like Istio and integrate various security tools within the cluster. This ensures a smooth fit into existing DevOps and SecOps pipelines while leveraging Constellation's confidential computing capabilities.

Where are keys stored in Constellation?

In Constellation, keys are securely stored and managed within trusted execution environments (TEEs) to ensure robust data protection. Memory encryption keys are handled exclusively by the CPU and hardware, preventing access from any software layer, including Constellation components. For network encryption, Constellation uses Cilium’s WireGuard-based encryption, with keys dynamically generated and rotated within the TEE. Additionally, persistent volume encryption can utilize Constellation’s integrated Key Management Service (KMS) within the TEE or integrate with an external Key Management System (KMS) or Hardware Security Module (HSM) to securely store the master encryption key.

Embark on the future of cloud security