An Introduction to SPIFFE/SPIRE

Transcript

1. An Introduction to SPIFFE / SPIRE 2017/11/17 Tomoya Usami <[email protected]>

   @hiyosi
2. None

3. What’s SPIFFE ? "SPIFFE is the single #1 missing piece

   for enabling cloud native ecosystems." - Brian Grant (CNCF TOC)

4. What’s SPIFFE ? • Secure Production Identity Framework For Everyone

   • ηΩϡΞͳαʔϏεؒೝূͷͨΊͷϑϨʔϜϫʔΫͱ࢓༷Λࡦఆ • An Open Standard for Identity in Cloud Native Environments • Low Overhead Authentication System

5. What’s SPIFFE ? • ඪ४࢓༷ͱͯ͠ݱࡏ͸ҎԼʹ͍ͭͯఆٛ • SPIFFE ID • SVID

   • Workload API

6. SPIFFE ID • γεςϜ΍ΞϓϦέʔγϣϯͷ໊લΛදݱ͢ΔURIܗࣜͷߏ଄Խ͞Εͨจࣈྻ • spiffe://${trust-domain}/${path} • spiffe://example.org/payments/mysql 
 (e.g.,

   serviceΛදݱ) • spiffe://k8s.example.org/ns/staging/sa/default 
 (e.g., service ownerΛදݱ)

7. SVID • SPIFFE Verifiable Identity Document • جຊͱͯ̏ͭ͠ͷ৘ใΛؚΉυΩϡϝϯτΛද͢
 <SPIFFE ID>


   <public key>
 < valid signature> • υΩϡϝϯτϑΥʔϚοτͱͯ͠͸ɺ2017/11 ࣌఺Ͱ͸X.509͕α ϙʔτ͞Ε͍ͯΔ

8. X.509 SVID Extention Field Desc Subject Alternate Name URI SPIFFE

   ID͕Ұͭηοτ͞ΕΔ Basic Constraints CA signing certificateͰ͋Δ৔߹ʹ͸ true Basic Constraints pathLenConstraint ઃఆ͠ͳ͍ Name Constraints permittedSubtrees URI੍໊໿Λ࢖͍͍ͨ৔߹ʹηοτ Key Usage keyCertSign, cRLSign signing certificateͰ͋Δ৔߹ʹηοτ Key Usage keyAgreement, keyEncipherment, digitalSignature leaf certificateͰ͋Δ৔߹ʹηοτ Extended Key Usage id-kp-serverAuth, id-kp-clientAuth leaf certificateͰ͋Δ৔߹ʹηοτ • https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md

9. Workload API • Workload ͕ར༻͢ΔSVID΍ඞཁͳCAূ໌ॻΛऔಘ͢ΔͨΊͷ ϕϯμʔχϡʔτϥϧͳAPI • ϕϯμʔχϡʔτϥϧͳAPIʹΑΓɺͲͷ؀ڥͰ΋ಉ͡ํ๏Ͱ SVIDΛऔಘͰ͖Δɻ •

   ϩʔΧϧ௨৴ͰͷΈར༻͞ΕΔ͜ͱΛ૝ఆ
10. None

11. What’s SPIRE ? • SPIFFE Runtime Environment • Reference Implementation

    • SPIRE Server = Controle Plane • SPIRE Agent = Node Agent • Current Version is 0.2 (Beatrice)

12. Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

13. SPIRE-Server • SPIFFE signing authorityͱͯ͠ػೳ͢Δ • ݺͼग़͠ݩͷNodeͷਖ਼౰ੑΛূ໌͠CSR΁ॺ໊ • Node,Workload৘ใΛ؅ཧ͠SVIDΛൃߦ͢Δ

14. NodeAPI Cient NodeAPI Node Attestor CA Plugin construct CSR FetchBaseSVID

    (CSR, AttestData) Attest Base SPIFFE ID Sign CSR resolver, other process… Response Node Agent Control Plane (SVID, CA Certs, …) BaseSVID

15. SPIRE-Server • Node API • SPIRE-Agentଆ͔Βݺͼग़͞ΕΔAPIΛެ։ • NodeͷͨΊͷBaseSVID΍WorkloadͷSVIDɺඞཁͳCAূ໌ॻ Λฦ͢

16. SPIRE-Server • Registration API • WorkloadʹରԠ͢ΔSPIFFE IDΛొ࿥͢ΔͨΊͷAPIΛެ։ • SelectorͱͦͷSPIFFE IDɺParent

    SPIFFE IDΛొ࿥

17. SPIRE-Server • Node Attestor (Server) • JoinTokenͳͲPluginຖʹҟͳΔσʔλ(AttestData)Λ࢖ͬͯϦ ΫΤετ͖ͯͨ͠Nodeͷ਎ݩΛ֬ೝ͢Δ • ϦΫΤετσʔλʹؚ·ΕΔCSR΁ͷॺ໊ΛCA

    Pluginʹґཔ ͯ͠BaseSVIDΛੜ੒͢Δ

18. SPIRE-Server • Node Resolver ※ ཁܧଓௐࠪ • Base SPIFFE ID͔ΒͦͷNode্Ͱಈ࡞͢Δ͜ͱΛڐՄ͞Εͨ

    WorkloadΛ൑ఆ͢ΔͨΊͷ৘ใ(selector)Λऔಘ͢Δ • 0.2 Ͱ͸ NOOP ͷ࣮૷͔͠ͳ͍

19. SPIRE-Server • Selector • Node·ͨ͸WorkloadΛಛఆ͢ΔͨΊͷϓϩύςΟ (ෳ਺ࢦఆՄ) • unix:uid:1000
 (uid 1000

    Ͱಈ࡞͢ΔWorkloadΛද͢) • k8s:ns:sample-ns × k8s:sa:sample-sa
 (sample-nsͰಈ࡞͠sample-saΛ࢖͏workloadΛද͢)

20. Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

21. SPIRE-Agent • ࿈ܞ͢Δ͢΂ͯͷNodeͰ࣮ߦ͞ΕΔ • ࣗ਎Ͱಈ࡞ΛڐՄ͞ΕͨWorkloadͷ৘ใ(SVID, CA Cert Selector)ΛSPIRE-Server͔Βऔಘͯ͠؅ཧ͢Δ • Workloadͷਖ਼౰ੑΛݕূ͠SVIDΛఏڙ͢Δ

22. Workload Attestor Plugins WorkloadAPI Cient FetchSVIDBundles WorkloadAPI Workload Attestor Plugins

    Workload Attestor Plugins Attest Workload Node Selectors lookup SVID Bundles in Cache Response (SVID, CA Certs, …) Node Agent

23. SPIRE-Agent • Node Attestor (Agent) • ࣗ਎Λূ໌͢ΔͨΊͷPluginຖʹҟͳΔσʔλ(AttestData)ΛServerʹ౉͢ ͜ͱͰਖ਼͍͠NodeͰ͋Δ͜ͱΛূ໌͢Δ • CSRΛServerʹ౉ͯ͠BaseSVIDΛൃߦͯ͠΋Β͏

    • Key Manager • SVID ʹରԠ͢Δ伴Λੜ੒ɾ؅ཧ

24. SPIRE-Agent • Workload API • gRPCͰAPIΛఏڙ • ݺͼग़͞ΕΔͱWorkload Attestor(*ޙड़)Λܦ༝ͯ͠ΫϥΠΞϯτͷpid͔ ΒSelectorΛಛఆ

    • Selector͕Control Planeʹొ࿥ࡁΈͰ͋Ε͹Workloadͷ SVID΍ͦͷൿີ 伴ɺඞཁͳCAূ໌ॻͳͲΛฦ͢

25. Workload Attestor • workloadͷpid͔Β༗ޮͳpluginຖʹSelectorΛੜ੒ͯ͠ฦ͢ • e.g., unix pluginͷ৔߹ Selector {

    Type: unix, Value: unix:uid:1000, }

26. Workload Attestor k8s plugin • k8sͷpodΛର৅ͱ͢ΔWorkload Attestor • Workload APIΛݺͼग़͍ͯ͠Δpid͔Βର৅ͷpodͱNamespace,

    Service AccountΛऔಘ • /proc/${PID}/cgroup • ্هϑΝΠϧ͔ΒContainerIDΛऔಘ •

27. Workload Attestor k8s plugin • kubelet ͷ readonly port ʹΞΫηεͯ͠Pod৘ใΛऔಘ͢Δ

    • .status.containerStatuses[*].containerID • /proc/${PID}/cgroup ϑΝΠϧ͔ΒಘͨContainerIDͱҰக͢Δ΋ͷΛ୳ࡧ • ҎԼͷ৘ใΛSelectorͷ Type=k8sͷValueͱͯ͠ฦ٫ • k8s:sa:<.spec.ServiceAccountName> • k8s:ns:<.metadata.Namespace>

28. Workload Components • Proxy • X.509 SVIDΛαϙʔτ͢Δ΋ͷͱͯ͠mTLS Proxy͕͋Δ • 2017/11ݱࡏ͸

    ghostunnel ͱ͍͏αʔυύʔςΟͷιϑτ ΢ΣΞΛ࢖͍ͬͯΔ • কདྷతʹ͸Envoy΋αϙʔτ༧ఆ

29. Workload Components • Workload API Client • sidecar ͱ͍͏ ghostunnel

    ͷwrapperΛ։ൃ͍ͯ͠Δ • WorkloadAPIͷΫϥΠΞϯτͱͯ͠SVID΍CAূ໌ॻΛऔಘ͠ ghostunnelΛىಈ

30. Workload Proxy SVID Node Workload API FetchSVIDBundles Workload Workload API

    Proxy FetchSVIDBundles SVID Authenticate Node TLS How to authenticate

31. Demo with k8s https://github.com/spiffe/spiffe-example/blob/master/beatrice/doc/beatrice_diagram.png

32. Roadmap

33. Roadmap - 2017

34. Roadmap 2018 -

35. End Goal

36. Thank you for your attention. That’s it for now.

37. References • https://spiffe.io/ • https://github.com/spiffe • SPIFFE Reference Implementation Archetecure

    • Design Document: SPIFFE Reference Implementation (SRI)