Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
An Introduction to SPIFFE/SPIRE
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Tomoya Usami
November 20, 2017
900
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
An Introduction to SPIFFE/SPIRE
Tomoya Usami
November 20, 2017
More Decks by Tomoya Usami
See All by Tomoya Usami
Using SPIRE as Identity Provider for Athenz at Yahoo! JAPAN
hiyosi
0
820
Challenging Multiple SPIRE Server
hiyosi
1
950
Challenging_Secure_Introduction_With_SPIFFE.pdf
hiyosi
0
2.5k
Intro SPIFFE
hiyosi
7
2k
Featured
See All Featured
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
1
310
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.8k
Mind Mapping
helmedeiros
PRO
1
280
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
GraphQLとの向き合い方2022年版
quramy
50
15k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
190
Game over? The fight for quality and originality in the time of robots
wayneb77
1
220
Music & Morning Musume
bryan
47
7.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
250
1.3M
Writing Fast Ruby
sferik
630
63k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Transcript
An Introduction to SPIFFE / SPIRE 2017/11/17 Tomoya Usami <
[email protected]
>
@hiyosi
None
What’s SPIFFE ? "SPIFFE is the single #1 missing piece
for enabling cloud native ecosystems." - Brian Grant (CNCF TOC)
What’s SPIFFE ? • Secure Production Identity Framework For Everyone
• ηΩϡΞͳαʔϏεؒೝূͷͨΊͷϑϨʔϜϫʔΫͱ༷Λࡦఆ • An Open Standard for Identity in Cloud Native Environments • Low Overhead Authentication System
What’s SPIFFE ? • ඪ४༷ͱͯ͠ݱࡏҎԼʹ͍ͭͯఆٛ • SPIFFE ID • SVID
• Workload API
SPIFFE ID • γεςϜΞϓϦέʔγϣϯͷ໊લΛදݱ͢ΔURIܗࣜͷߏԽ͞Εͨจࣈྻ • spiffe://${trust-domain}/${path} • spiffe://example.org/payments/mysql (e.g.,
serviceΛදݱ) • spiffe://k8s.example.org/ns/staging/sa/default (e.g., service ownerΛදݱ)
SVID • SPIFFE Verifiable Identity Document • جຊͱͯ̏ͭ͠ͷใΛؚΉυΩϡϝϯτΛද͢ <SPIFFE ID>
<public key> < valid signature> • υΩϡϝϯτϑΥʔϚοτͱͯ͠ɺ2017/11 ࣌ͰX.509͕α ϙʔτ͞Ε͍ͯΔ
X.509 SVID Extention Field Desc Subject Alternate Name URI SPIFFE
ID͕Ұͭηοτ͞ΕΔ Basic Constraints CA signing certificateͰ͋Δ߹ʹ true Basic Constraints pathLenConstraint ઃఆ͠ͳ͍ Name Constraints permittedSubtrees URI੍໊Λ͍͍ͨ߹ʹηοτ Key Usage keyCertSign, cRLSign signing certificateͰ͋Δ߹ʹηοτ Key Usage keyAgreement, keyEncipherment, digitalSignature leaf certificateͰ͋Δ߹ʹηοτ Extended Key Usage id-kp-serverAuth, id-kp-clientAuth leaf certificateͰ͋Δ߹ʹηοτ • https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md
Workload API • Workload ͕ར༻͢ΔSVIDඞཁͳCAূ໌ॻΛऔಘ͢ΔͨΊͷ ϕϯμʔχϡʔτϥϧͳAPI • ϕϯμʔχϡʔτϥϧͳAPIʹΑΓɺͲͷڥͰಉ͡ํ๏Ͱ SVIDΛऔಘͰ͖Δɻ •
ϩʔΧϧ௨৴ͰͷΈར༻͞ΕΔ͜ͱΛఆ
None
What’s SPIRE ? • SPIFFE Runtime Environment • Reference Implementation
• SPIRE Server = Controle Plane • SPIRE Agent = Node Agent • Current Version is 0.2 (Beatrice)
Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams
SPIRE-Server • SPIFFE signing authorityͱͯ͠ػೳ͢Δ • ݺͼग़͠ݩͷNodeͷਖ਼ੑΛূ໌͠CSRॺ໊ • Node,WorkloadใΛཧ͠SVIDΛൃߦ͢Δ
NodeAPI Cient NodeAPI Node Attestor CA Plugin construct CSR FetchBaseSVID
(CSR, AttestData) Attest Base SPIFFE ID Sign CSR resolver, other process… Response Node Agent Control Plane (SVID, CA Certs, …) BaseSVID
SPIRE-Server • Node API • SPIRE-Agentଆ͔Βݺͼग़͞ΕΔAPIΛެ։ • NodeͷͨΊͷBaseSVIDWorkloadͷSVIDɺඞཁͳCAূ໌ॻ Λฦ͢
SPIRE-Server • Registration API • WorkloadʹରԠ͢ΔSPIFFE IDΛొ͢ΔͨΊͷAPIΛެ։ • SelectorͱͦͷSPIFFE IDɺParent
SPIFFE IDΛొ
SPIRE-Server • Node Attestor (Server) • JoinTokenͳͲPluginຖʹҟͳΔσʔλ(AttestData)ΛͬͯϦ ΫΤετ͖ͯͨ͠NodeͷݩΛ֬ೝ͢Δ • ϦΫΤετσʔλʹؚ·ΕΔCSRͷॺ໊ΛCA
Pluginʹґཔ ͯ͠BaseSVIDΛੜ͢Δ
SPIRE-Server • Node Resolver ※ ཁܧଓௐࠪ • Base SPIFFE ID͔ΒͦͷNode্Ͱಈ࡞͢Δ͜ͱΛڐՄ͞Εͨ
WorkloadΛఆ͢ΔͨΊͷใ(selector)Λऔಘ͢Δ • 0.2 Ͱ NOOP ͷ࣮͔͠ͳ͍
SPIRE-Server • Selector • Node·ͨWorkloadΛಛఆ͢ΔͨΊͷϓϩύςΟ (ෳࢦఆՄ) • unix:uid:1000 (uid 1000
Ͱಈ࡞͢ΔWorkloadΛද͢) • k8s:ns:sample-ns × k8s:sa:sample-sa (sample-nsͰಈ࡞͠sample-saΛ͏workloadΛද͢)
Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams
SPIRE-Agent • ࿈ܞ͢Δͯ͢ͷNodeͰ࣮ߦ͞ΕΔ • ࣗͰಈ࡞ΛڐՄ͞ΕͨWorkloadͷใ(SVID, CA Cert Selector)ΛSPIRE-Server͔Βऔಘͯ͠ཧ͢Δ • Workloadͷਖ਼ੑΛݕূ͠SVIDΛఏڙ͢Δ
Workload Attestor Plugins WorkloadAPI Cient FetchSVIDBundles WorkloadAPI Workload Attestor Plugins
Workload Attestor Plugins Attest Workload Node Selectors lookup SVID Bundles in Cache Response (SVID, CA Certs, …) Node Agent
SPIRE-Agent • Node Attestor (Agent) • ࣗΛূ໌͢ΔͨΊͷPluginຖʹҟͳΔσʔλ(AttestData)ΛServerʹ͢ ͜ͱͰਖ਼͍͠NodeͰ͋Δ͜ͱΛূ໌͢Δ • CSRΛServerʹͯ͠BaseSVIDΛൃߦͯ͠Β͏
• Key Manager • SVID ʹରԠ͢Δ伴Λੜɾཧ
SPIRE-Agent • Workload API • gRPCͰAPIΛఏڙ • ݺͼग़͞ΕΔͱWorkload Attestor(*ޙड़)Λܦ༝ͯ͠ΫϥΠΞϯτͷpid͔ ΒSelectorΛಛఆ
• Selector͕Control PlaneʹొࡁΈͰ͋ΕWorkloadͷ SVIDͦͷൿີ 伴ɺඞཁͳCAূ໌ॻͳͲΛฦ͢
Workload Attestor • workloadͷpid͔Β༗ޮͳpluginຖʹSelectorΛੜͯ͠ฦ͢ • e.g., unix pluginͷ߹ Selector {
Type: unix, Value: unix:uid:1000, }
Workload Attestor k8s plugin • k8sͷpodΛରͱ͢ΔWorkload Attestor • Workload APIΛݺͼग़͍ͯ͠Δpid͔ΒରͷpodͱNamespace,
Service AccountΛऔಘ • /proc/${PID}/cgroup • ্هϑΝΠϧ͔ΒContainerIDΛऔಘ •
Workload Attestor k8s plugin • kubelet ͷ readonly port ʹΞΫηεͯ͠PodใΛऔಘ͢Δ
• .status.containerStatuses[*].containerID • /proc/${PID}/cgroup ϑΝΠϧ͔ΒಘͨContainerIDͱҰக͢ΔͷΛ୳ࡧ • ҎԼͷใΛSelectorͷ Type=k8sͷValueͱͯ͠ฦ٫ • k8s:sa:<.spec.ServiceAccountName> • k8s:ns:<.metadata.Namespace>
Workload Components • Proxy • X.509 SVIDΛαϙʔτ͢Δͷͱͯ͠mTLS Proxy͕͋Δ • 2017/11ݱࡏ
ghostunnel ͱ͍͏αʔυύʔςΟͷιϑτ ΣΞΛ͍ͬͯΔ • কདྷతʹEnvoyαϙʔτ༧ఆ
Workload Components • Workload API Client • sidecar ͱ͍͏ ghostunnel
ͷwrapperΛ։ൃ͍ͯ͠Δ • WorkloadAPIͷΫϥΠΞϯτͱͯ͠SVIDCAূ໌ॻΛऔಘ͠ ghostunnelΛىಈ
Workload Proxy SVID Node Workload API FetchSVIDBundles Workload Workload API
Proxy FetchSVIDBundles SVID Authenticate Node TLS How to authenticate
Demo with k8s https://github.com/spiffe/spiffe-example/blob/master/beatrice/doc/beatrice_diagram.png
Roadmap
Roadmap - 2017
Roadmap 2018 -
End Goal
Thank you for your attention. That’s it for now.
References • https://spiffe.io/ • https://github.com/spiffe • SPIFFE Reference Implementation Archetecure
• Design Document: SPIFFE Reference Implementation (SRI)