1. Intro: SPIFFE. A developer's tour of the SPIFFE project. Andrew and Dan from Scytale. KubeCon North America, December 2018.
2. About us... Andrew Jessup, recovering engineer @ Scytale (@whenfalse). Dan Feldman, software engineer @ Scytale (@d_feldman). @spiffeio 2/40 A developer's tour of SPIFFE
3. Today
   A short history of SPIFFE
   What SPIFFE solves for
   SVIDs, Workload API and Federation
   How to use SPIFFE
   What's Next & Get Involved
4. Timeline:
   11th USENIX Security Symposium (2002): Plan9 security design published
   Circa 2005: Google rolls out LOAS
   GlueCon 2016: Joe Beda proposes SPIFFE
   KubeCon NA 2017: SPIFFE & SPIRE 0.1 are released
   April 2018: CNCF welcomes SPIFFE & SPIRE
5. Project growth (chart, from KubeCon 2017). With thanks to our fantastic open-source community: Mark Lakewood (Twilio), Matthew McPherrin (Square), Matt Moyer (Heptio), Andreas Zitzelsberger (QAware), Spike Curtis (Tigera), Neel Shah (VMWare), Guy Templeton (Skyscanner), John Gelsey (Xnor.ai), Jon Debonis (Blend), Adam Bozanich (Overclock Labs), Enrico Schiattarella (Pensando), and many more!
6. Today
   A short history of SPIFFE
   What SPIFFE solves for
   SVIDs, Workload API and Federation
   How to use SPIFFE
   What's Next?
7. SPIFFE delivers trusted identities to software systems. [Diagram: a Source Workload sends a message to a Destination Workload, which asks "Do I believe the source workload is who it says it is?" and "Do I believe the legitimacy of the message I received?"]
8. Identity is the basis for AuthN and AuthZ. [Diagram: Source and Destination workloads connected over TLS and JWT. Source asks "Who am I? (And how can I prove it?)" Destination asks "Who is this workload? Should I trust it is who it says it is?" The identity layer is SPIFFE; AuthZ and the Directory of Entitlements are NOT SPIFFE and SPIRE.]
9. Modern software is complex and heterogeneous. [Diagram: workloads spread across an Orchestrator, a Cloud Vendor, a PaaS and On-prem.]
10. Workload identity? Use the network? [Diagram: Security Groups, Network overlays, VPN/VPC and Firewalls across the Cloud Vendor, Orchestrator, PaaS and On-prem.]
11. Workload identity? Shared secrets? [Diagram: e.g. an API key, e.g. a username & password, across the Cloud Vendor, Orchestrator, PaaS and On-prem.]
12. Workload identity? Ask my platform? [Diagram: e.g. IAM identities (Cloud Vendor), e.g. Service accounts (Orchestrator), e.g. Application IDs (PaaS), e.g. Kerberos keytabs (On-prem).]
13. SPIFFE: Federated, platform-mediated, vendor neutral identity. [Diagram: one identity layer across the Orchestrator, Cloud Vendor, PaaS and On-prem.]
14. SPIFFE: Federated, platform-mediated, vendor neutral identity. [Diagram: the SVID, the Workload API and Federation span the Container Orchestrator, Cloud Vendor, PaaS and On-prem.]
15. SPIFFE Issuers and SPIFFE Consumers
   Issuers: SPIRE (Full implementation); HashiCorp Consul Connect (Partial implementation); Istio Citadel (Partial implementation)
   Consumers: HashiCorp Vault (Secret store); Knox (Secret store); Ghostunnel (Proxy); nginx (Web server and proxy); Envoy (Proxy); Your code (Using libraries)
16. Today
   A short history of SPIFFE
   What SPIFFE solves for
   SVIDs, Workload API and Federation
   How to use SPIFFE
   What's Next?
17. What is an SVID? Identity documents are: Unique; Static; Verifiable; Attested by a trusted authority.
18. What is an SVID? spiffe://acme.com/billing/payments is a SPIFFE ID. X.509-SVID describes exactly how to encode a SPIFFE ID in an X.509 certificate. JWT-SVID describes exactly how to encode a SPIFFE ID in a JWT bearer token.
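As an added example (not from the talk or the SPIFFE project's code), the X.509-SVID encoding using Go's standard library: the SPIFFE ID goes into the certificate's URI SAN, and the consumer reads it back out, refusing certificates with zero or several URI SANs. The self-signed certificate is an assumption made to keep the example stand-alone; the trust domain acme.com is the one on the slide.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// ParseSPIFFEID checks the basic SPIFFE ID shape: scheme "spiffe", a non-empty trust domain, no user info, query or fragment.
func ParseSPIFFEID(s string) (*url.URL, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return nil, errors.New("not a valid SPIFFE ID: " + s)
	}
	return u, nil
}

// MakeX509SVID returns a DER certificate whose single URI SAN is the SPIFFE ID, which is how an X.509-SVID
// encodes it. Self-signed only to stay stand-alone (assumption); a real SVID is signed by the trust domain's CA.
func MakeX509SVID(id *url.URL) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{id}, // the SPIFFE ID lives in the URI SAN
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// SPIFFEIDFromCert is the consumer side: read the SPIFFE ID back out of the URI SAN, rejecting none or many.
func SPIFFEIDFromCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if len(cert.URIs) != 1 {
		return "", errors.New("X.509-SVID must carry exactly one URI SAN")
	}
	if _, err := ParseSPIFFEID(cert.URIs[0].String()); err != nil {
		return "", err
	}
	return cert.URIs[0].String(), nil
}
```

The consumer still has to verify the certificate chain against the trust bundle before trusting the ID it extracts.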
19. SPIFFE Verifiable Identity Document (SVID). [Diagram: an SVID and its Trust Bundle.]
20. SPIFFE Verifiable Identity Document (SVID). [Diagram: the SVID carries the SPIFFE ID spiffe://acme.com/billing/payments; the Trust Bundle is what verifies it.]
21. SPIFFE Verifiable Identity Document (SVID). The SVID comes from the SPIFFE implementation, not from the workload itself.
23. SPIFFE Workload API. [Diagram: each Workload calls whoami() on the Workload API, which is served by the SPIFFE Server.]
24. SPIFFE Federation API. [Diagram: two Trust Domains, each with its own SPIFFE implementation and its own Workloads, federated with each other.]
25. Today
   A short history of SPIFFE
   What SPIFFE solves for
   SVIDs, Workload API and Federation
   How to use SPIFFE
   What's Next?
26. How do I get an SVID? Options: My Code, Library, Proxy, spiffe-helper, Service Mesh. [Diagram: my code calls the Workload API of the SPIFFE Implementation directly.]
27. How do I get an SVID? [Diagram: the SPIFFE Implementation returns an SVID and a Trust Bundle to my code.]
28. How do I get an SVID? Options: My Code, Library, Proxy, spiffe-helper, Service Mesh.
30. How do I get an SVID? [Diagram: a Library (Client) linked into my code talks to the SPIFFE Implementation on my code's behalf.]
33. How do I get an SVID? [Diagram: spiffe-helper sits beside my code and fetches the SVID from the SPIFFE Implementation for it.]
35. Today
   A short history of SPIFFE
   What SPIFFE solves for
   SVIDs, Workload API and Federation
   How to use SPIFFE
   What's Next?
36. Thank you! Where to find us: slack.spiffe.io, github.com/spiffe, spiffe.io
   Today at KubeCon: 1.45pm Correlating metrics with SPIFFE and SPIRE (Gitlab); 3.40pm SPIFFE and SPIRE Security (Scytale & Heptio)
   Tomorrow at KubeCon: 1.45pm SPIFFE Deep Dive (Scytale) (Lots of details about Federation and JWT)
37. Thank you!
38. A day in the life of an SVID (using SPIRE). [Diagram: the SPIRE Server holds a registration for spiffe://acme.com/billing/payments with the selectors aws:sg:sg-edcd9784 and unix:uid:1001.]
40. A day in the life of an SVID (using SPIRE). [Diagram: an EC2 Instance running the Workload and the SPIRE Agent, which exposes the Workload API; the AWS Instance Metadata API; the SPIRE Server.] 1. Node agent authenticates to the SPIRE Server, passes AWS Instance Identity Document.
41. A day in the life of an SVID (using SPIRE). 2. List of valid SPIFFE IDs for the node, and selectors, returned.
42. A day in the life of an SVID (using SPIRE). whoami() 3. Workload requests identity. 4. Node agent performs an out-of-band check of the workload process metadata, compares to known selectors.
43. A day in the life of an SVID (using SPIRE). 5. If match found, NA generates a key for the workload. 6. NA sends certificate signing request based on that key to SPIRE Server.
44. A day in the life of an SVID (using SPIRE). 6. SPIRE server issues SVID (as well as certificates for any other workload the instance should support).
45. A day in the life of an SVID (using SPIRE). 7. Certificate bundle returned to the workload.
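As an added example (constructed here, not SPIRE's own code), a simplified version of the selector matching behind steps 2 to 5: the node selectors obtained from the instance identity document pick the node entry, the workload's process metadata picks the workload entries under that node, and only matched SPIFFE IDs are eligible for an SVID. The entry layout, the server ID spiffe://acme.com/spire/server and the node ID spiffe://acme.com/node/payments-pool are assumptions; the selectors are the ones on the slide.

```go
package main

// Entry is a simplified registration entry (constructed here, not SPIRE's own type).
type Entry struct {
	SPIFFEID  string   // identity to issue
	ParentID  string   // node entry it hangs off (or ServerID for node entries themselves)
	Selectors []string // "type:value" pairs that must all be present
}

const ServerID = "spiffe://acme.com/spire/server" // assumed server ID, parent of node entries

// matches is a subset check: every required selector must be among the selectors attestation actually
// discovered. An entry with no selectors never matches, so a misconfigured entry cannot issue to anyone.
func matches(required, discovered []string) bool {
	seen := make(map[string]bool, len(discovered))
	for _, s := range discovered {
		seen[s] = true
	}
	for _, s := range required {
		if !seen[s] {
			return false
		}
	}
	return len(required) > 0
}

// AuthorizedIDs replays steps 2 to 5: node selectors (derived from the AWS instance identity document) pick
// the node entries; the agent's out-of-band look at the workload process picks entries parented to a matched node.
func AuthorizedIDs(entries []Entry, nodeSelectors, workloadSelectors []string) []string {
	nodeIDs := map[string]bool{}
	for _, e := range entries {
		if e.ParentID == ServerID && matches(e.Selectors, nodeSelectors) {
			nodeIDs[e.SPIFFEID] = true
		}
	}
	var ids []string
	for _, e := range entries {
		if nodeIDs[e.ParentID] && matches(e.Selectors, workloadSelectors) {
			ids = append(ids, e.SPIFFEID)
		}
	}
	return ids
}

// Entries mirrors the slide: payments is bound to the node in sg-edcd9784 and must run as uid 1001.
var Entries = []Entry{
	{SPIFFEID: "spiffe://acme.com/node/payments-pool", ParentID: ServerID, Selectors: []string{"aws:sg:sg-edcd9784"}},
	{SPIFFEID: "spiffe://acme.com/billing/payments", ParentID: "spiffe://acme.com/node/payments-pool", Selectors: []string{"unix:uid:1001"}},
	{SPIFFEID: "spiffe://acme.com/billing/ledger", ParentID: "spiffe://acme.com/node/payments-pool", Selectors: []string{"unix:uid:1002"}},
}
```

A workload on a node outside the security group, or running under an unregistered uid, gets an empty list and therefore no SVID.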