Confidential Kubernetes Cluster on StackIT Cloud with Constellation

This project demonstrates how to deploy a confidential Kubernetes cluster using Edgeless Systems Constellation on StackIT Cloud. The cluster provides hardware-based security features including memory encryption, secure attestation, and protection against various attack vectors.

Prerequisites

System Requirements

  • Linux operating system (ARM64/AMD64)
  • Admin rights on the machine
  • Terraform installation (version v1.4.4 or above)
  • kubectl installed
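The prerequisites above are easy to get slightly wrong (an older Terraform, a CLI not on PATH), and the failure then surfaces much later as an obscure terraform or constellation error. The following pre-flight script is an added example and not part of this repository; it assumes a POSIX sh, that `terraform version` prints `Terraform vX.Y.Z` on its first line, and that you save it as preflight.sh.

```shell
#!/bin/sh
# preflight.sh: check the README's system prerequisites before deploying.
# Added example, not part of the stackit-confidential-kubernetes repository.

REQUIRED_TERRAFORM="1.4.4"   # minimum version from the README

# version_ge A B: return 0 if dotted version A >= B (first three components).
# A leading "v" and any "-suffix" such as "-beta1" are ignored.
version_ge() {
  a=${1#v}; a=${a%%-*}
  b=${2#v}; b=${b%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}   # missing component counts as 0, so 1.4 == 1.4.0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# tool_present NAME: return 0 if NAME resolves on PATH.
tool_present() { command -v "$1" >/dev/null 2>&1; }

# terraform_version: print the installed Terraform version (e.g. v1.5.7),
# or return 1 if terraform is not installed.
terraform_version() {
  tool_present terraform || return 1
  terraform version | head -n 1 | awk '{print $2}'
}

# preflight: run every check, print one line per check, return 1 on any failure.
preflight() {
  rc=0
  for t in terraform kubectl constellation; do
    if tool_present "$t"; then
      echo "ok:      $t found at $(command -v "$t")"
    else
      echo "MISSING: $t is not on PATH"; rc=1
    fi
  done
  v=$(terraform_version) || v=""
  if [ -n "$v" ] && version_ge "$v" "$REQUIRED_TERRAFORM"; then
    echo "ok:      terraform $v satisfies >= $REQUIRED_TERRAFORM"
  else
    echo "FAIL:    terraform $REQUIRED_TERRAFORM or newer required (found: ${v:-none})"; rc=1
  fi
  return $rc
}

# Run the checks only when executed directly; sourcing the file just defines
# the functions so they can be reused from other scripts.
if [ "$(basename -- "$0")" = "preflight.sh" ]; then
  preflight
fi
```

Run `sh preflight.sh` before `terraform init`; a non-zero exit means at least one prerequisite is missing. The version comparison is numeric per component, so it does not mistake 1.10.0 for an older release than 1.9.9, which a plain string comparison would.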

StackIT Cloud Requirements

  • Active StackIT Cloud account
  • Service Account with editor role
  • User Access Token (UAT) for OpenStack API
  • StackIT Project ID and Project Name

Installation

1. Install Constellation CLI

Linux (amd64)

# Download the CLI
curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64

# Optional: Verify the signature
# (See Constellation documentation for signature verification steps)

# Install the CLI to your PATH
sudo install constellation-linux-amd64 /usr/local/bin/constellation

Linux (arm64)

# Download the CLI
curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64

# Optional: Verify the signature
# (See Constellation documentation for signature verification steps)

# Install the CLI to your PATH
sudo install constellation-linux-arm64 /usr/local/bin/constellation

Windows (amd64)

# Download the CLI
Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe'

# Optional: Verify the signature
# (See Constellation documentation for signature verification steps)

# Install the CLI under C:\Program Files\Constellation\bin\constellation.exe
# Add the CLI to your PATH:
# 1. Open Advanced system settings
# 2. Go to the Advanced tab
# 3. Click Environment Variables…
# 4. Click variable called Path and click Edit…
# 5. Click New
# 6. Enter: C:\Program Files\Constellation\bin

Configuration

1. Create StackIT Service Account

  1. Log in to the StackIT Portal
  2. Navigate to IAM → Service Accounts
  3. Create a new Service Account
  4. Assign the editor role to the service account
  5. Create an Access Token for the service account
  6. Download the service account key file

2. Set up Cloud Credentials

Create StackIT Service Account Key

  1. Download Service Account Key from StackIT Portal:

    • Navigate to the StackIT Portal → IAM → Service Accounts
    • Select your service account
    • Go to Service Account Keys section
    • Create a new key (let StackIT generate the key pair)
    • Download the JSON file provided by StackIT
  2. Save the Service Account Key: The downloaded credentials.json file will have this structure:

    {
      "id": "uuid",
      "publicKey": "public key",
      "credentials": {
        "kid": "string",
        "iss": "my-sa@sa.stackit.cloud",
        "sub": "uuid",
        "aud": "string",
        "privateKey": "private key (if StackIT-generated)"
      }
    }

3. Configure Terraform

Update Configuration Files

  1. Update terraform.tfvars.example with your specific values and rename it to terraform.tfvars

    Note: The service_account_key_path should point to the downloaded credentials.json file from the StackIT Portal, while private_key_path should point to the private key file (if you generated your own key pair).

  2. Update clouds.yaml with your OpenStack credentials:

    clouds:
        stackit:
            auth:
                auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3
                username: your-uat-token-name
                password: your-uat-password
                project_id: your-project-id
                project_name: your-project-name
                user_domain_name: portal_mvp
                project_domain_name: portal_mvp
            region_name: RegionOne
            identity_api_version: 3
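Two things commonly go wrong in the configuration steps above: the downloaded credentials.json (which may carry a private key) is left world-readable, and placeholder values such as your-uat-password survive from the templates into clouds.yaml or terraform.tfvars. The script below, an added example that is not part of this repository, checks both before you run Terraform. It assumes a POSIX sh with `ls`, `grep` and `mktemp`, requires the credentials.json fields the README shows, and treats privateKey as optional because the README notes it is only present for StackIT-generated key pairs.

```shell
#!/bin/sh
# check-config.sh: sanity-check the StackIT key file and the edited configs.
# Added example, not part of the stackit-confidential-kubernetes repository.

# Template placeholders from the README's clouds.yaml that must not survive
# into a real configuration (constructed list for this example).
PLACEHOLDERS="your-uat-token-name your-uat-password your-project-id your-project-name"

# check_sa_key FILE: verify the downloaded service account key file.
#   - must exist as a regular file
#   - must not be readable by group or others (it can hold a private key)
#   - must carry the fields shown in the README's credentials.json structure
check_sa_key() {
  f=$1; rc=0
  if [ ! -f "$f" ]; then echo "FAIL: $f does not exist"; return 1; fi
  perms=$(ls -ld -- "$f" | cut -c1-10)         # e.g. -rw-------
  case "$perms" in
    ????------) ;;                             # owner-only access: fine
    *) echo "FAIL: $f is readable by group/others ($perms); run: chmod 600 $f"; rc=1 ;;
  esac
  for field in '"id"' '"publicKey"' '"credentials"' '"kid"' '"iss"' '"sub"' '"aud"'; do
    if ! grep -qF -- "$field" "$f"; then echo "FAIL: $f lacks field $field"; rc=1; fi
  done
  if ! grep -qF -- '"privateKey"' "$f"; then
    echo "note: $f has no privateKey; private_key_path in terraform.tfvars must point to your own key"
  fi
  return $rc
}

# check_no_placeholders FILE: fail if any template placeholder is still present.
check_no_placeholders() {
  f=$1; rc=0
  if [ ! -f "$f" ]; then echo "FAIL: $f does not exist"; return 1; fi
  for p in $PLACEHOLDERS; do
    if grep -qF -- "$p" "$f"; then echo "FAIL: $f still contains placeholder '$p'"; rc=1; fi
  done
  return $rc
}

# demo: run both checks against constructed sample files in a temp directory.
demo() {
  d=$(mktemp -d)
  cat > "$d/credentials.json" <<'EOF'
{ "id": "00000000-0000-0000-0000-000000000000", "publicKey": "constructed",
  "credentials": { "kid": "k1", "iss": "my-sa@sa.stackit.cloud",
    "sub": "00000000-0000-0000-0000-000000000000", "aud": "constructed",
    "privateKey": "constructed-not-a-real-key" } }
EOF
  chmod 600 "$d/credentials.json"
  printf 'clouds:\n  stackit:\n    auth:\n      password: your-uat-password\n' > "$d/clouds.yaml"
  check_sa_key "$d/credentials.json"          # passes: mode 600, all fields present
  check_no_placeholders "$d/clouds.yaml"       # fails on purpose: placeholder left in
  rm -rf "$d"
}

if [ "$(basename -- "$0")" = "check-config.sh" ]; then
  demo
fi
```

For real use, source the file and call `check_sa_key /path/to/credentials.json`, then `check_no_placeholders` on the clouds.yaml and terraform.tfvars you edited; only proceed to `terraform init` when all three return 0. The field check is a plain substring grep, deliberately dependency-free; it confirms the file has the expected shape, not that the values are valid.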

Deployment

1. Initialize Terraform

cd terraform/
terraform init

2. Plan the Deployment

terraform plan

3. Apply the Configuration

terraform apply

Note: The deployment process may take 10-15 minutes. terraform apply prints its progress as each resource is created, so keep the terminal open until it reports completion.

4. Save Kubeconfig

terraform output -raw kubeconfig > constellation-admin.conf
export KUBECONFIG=$(realpath constellation-admin.conf)

Verification

1. Verify Cluster Attestation

constellation verify

Expected output:

✓ Constellation cluster verified
✓ Attestation successful
✓ TPM measurements valid
✓ Node measurements match
✓ Cluster state consistent

2. Check Cluster Status

kubectl get nodes -o wide

Expected output:

NAME                    STATUS   ROLES           AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION   CONTAINER-RUNTIME
constellation-node-1    Ready    control-plane   1h    v1.31.8   192.168.178.2   <none>        Constellation OS    5.15.0          containerd://1.7.0
constellation-node-2    Ready    <none>          1h    v1.31.8   192.168.178.3   <none>        Constellation OS    5.15.0          containerd://1.7.0
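The two verification steps above are the point of a confidential cluster: the kubeconfig should only be used for workloads once `constellation verify` has confirmed the attestation, and the node listing should show every node Ready. The script below, an added example that is not part of this repository, wires both into a single gate. It assumes a POSIX sh with awk, the kubeconfig file name from the README (constellation-admin.conf), and that `kubectl get nodes --no-headers` prints the node name in column 1 and its STATUS in column 2.

```shell
#!/bin/sh
# post-deploy-gate.sh: attest first, then confirm node readiness.
# Added example, not part of the stackit-confidential-kubernetes repository.

# attestation_gate CMD [ARGS...]: run the attestation command (normally
# `constellation verify`), print a verdict, and return its exit status.
attestation_gate() {
  if "$@"; then
    echo "attestation OK: $*"
    return 0
  fi
  echo "attestation FAILED: $* -- do not deploy workloads to this cluster"
  return 1
}

# nodes_not_ready: read `kubectl get nodes --no-headers` lines on stdin and
# print the names of nodes whose STATUS is anything other than exactly "Ready"
# (so "NotReady" and "Ready,SchedulingDisabled" are both reported).
nodes_not_ready() {
  awk '$2 != "Ready" { print $1 }'
}

# all_nodes_ready: return 0 if stdin lists at least one node and none is
# non-Ready; otherwise print the offending names and return 1.
all_nodes_ready() {
  input=$(cat)
  if [ -z "$input" ]; then echo "no nodes listed"; return 1; fi
  bad=$(printf '%s\n' "$input" | nodes_not_ready)
  if [ -n "$bad" ]; then
    echo "nodes not Ready:"
    echo "$bad"
    return 1
  fi
  echo "all nodes Ready"
  return 0
}

# deploy_gate: the README's verification steps with the checks enforced.
deploy_gate() {
  KUBECONFIG=$(realpath constellation-admin.conf) || return 1
  export KUBECONFIG
  attestation_gate constellation verify || return 1
  kubectl get nodes --no-headers | all_nodes_ready
}

# demo: exercise the readiness parser on a constructed sample shaped like the
# README's expected output, plus one deliberately unhealthy node.
demo() {
  sample='constellation-node-1 Ready control-plane 1h v1.31.8
constellation-node-2 Ready <none> 1h v1.31.8'
  printf '%s\n' "$sample" | all_nodes_ready
  bad='constellation-node-1 Ready control-plane 1h v1.31.8
constellation-node-2 NotReady <none> 1h v1.31.8'
  printf '%s\n' "$bad" | all_nodes_ready || echo "(expected failure above)"
}

if [ "$(basename -- "$0")" = "post-deploy-gate.sh" ]; then
  demo
fi
```

In a pipeline, call `deploy_gate` right after the Save Kubeconfig step and make any subsequent `kubectl apply` conditional on its exit status; that keeps an unattested cluster from ever receiving workloads by accident. The readiness parser is intentionally strict about the STATUS string, since a cordoned node is not something a fresh deployment should report.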

Cleanup

1. Destroy the Cluster

cd terraform/
terraform destroy

Warning: This will permanently delete the cluster and all data.

Troubleshooting

Common Issues

1. Authentication Errors

# Verify the downloaded credentials.json file
cat /path/to/your/downloaded/credentials.json

# Test StackIT authentication
stackit auth login

2. Terraform Errors

# Check Terraform logs
TF_LOG=DEBUG terraform apply

# Verify provider versions
terraform providers

3. Cluster Connection Issues

# Verify kubeconfig
kubectl cluster-info

# Check node status
kubectl get nodes

4. Attestation Failures

# Verify cluster state
constellation status

# Check node measurements
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.systemUUID}'

Getting Help

  1. StackIT Documentation: Installation and Setup
  2. Constellation Documentation: Constellation Docs
  3. Terraform Provider: Use the Terraform Provider

Security Notes

  • This demo uses example secrets and configurations for demonstration purposes
  • In production environments, always follow security best practices
  • Ensure proper access controls and network policies are in place
  • Regularly rotate secrets and keys
  • Monitor cluster attestation status
