Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 26

SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

1

Share

Download to read offline

In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts the identities of them. This talk describes how SPIRE implement this process and make it flexible. Moreover, it explains the detail of how spire-server and spire-agent (running at a node) interacts in the attestation process.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

  1. 1. Shingo Omura, Preferred Networks, Inc. SPIFFE Meetup Tokyo #2 2019-10-02 Attestation Internals in SPIRE Icons made by Freepik from www.flaticon.com 💚

  2. 2. Shingo Omura ● ML Platform Engineer, Preferred Networks, Inc. ○ On-Prem GPU(2000+) k8s clusters ○ kubernetes org member (sig-scheduling) ○ kubeflow contributor ● @everpeace
  3. 3. Recap: SPIFFE Standardizations • SPIFFE ID − identity namespace and defines how services identify themselves to each other • SVID (SPIFFE Verification Itenditity Document) − defines verifiable representation of issued identities (in X.509 and JWT format) • Workload API − defines API for issuing and/or retrieving another workload’s SVID
  4. 4. example of SPIFFE ID based authentication spiffe://dev.acme.com/payments/web scheme=spiffe Trust Domain Path Recap: SPIFFE ID spiffe://dev.acme.com/payments/api spiffe://dev.acme.com/payments/db
  5. 5. Recap: SVID (SPIFFE Verification Identity Document) Icons made by Freepik from www.flaticon.com Trust Domain (spiffe://dev.acme.com/) As Signing Authority • consists of – SPIFFE ID – valid signature – public key(optional) • supported format – X509-SVID, JWT-SVID • typically short-lived SVID SPIFFE Bundle Provides Trust Bundle • used for validating SVIDs • contains a trust domain's public keys or X.509 CA certificate in JWK Set format
  6. 6. SVIDResponse Recap: Workload API WorkloadAPI Workload (Src) ● grpc with unix domain socket (aka Workload API Endpoint) ● no authentication for avoiding bootstrapping Transport SVIDRequest Icons made by Freepik, photo3idea_studio, Pixel Buddha from www.flaticon.com SVIDs Workload (Dst) SPIFFE Bundles SVIDRequest SVIDResponse verify src SVID by SPIFFE Bundle Identify the Caller - kernel introspection - orchestrator interrogation may contain Federated Bundles (bundles for other trust domains)
  7. 7. Overview of SPIRE: SPIFFE Runtime Environment Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server Node API Registration API ● Identity Mapping ● Node Attestation ● SVID IssuanceCLI API ● Workload Attestation ● Workload API
  8. 8. ● workload identities must be registered first ● entries defines a mapping of workload <--> SPIFFE ID via workload selectors ● entries has hierarchy. note that this hierarchy is independent to one of SPIFFE ID’s path Identity(Workload) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/payments/web Parent ID spiffe://dev.acme.com/k8s/cluster/foo Selectors k8s:ns:payments k8s:sa:payment-web k8s:container-image:payments Workload Registration Entry of /payments/web Icons made by Freepik from www.flaticon.com type value
  9. 9. Identity(Node) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/k8s/cluster/foo Parent ID spiffe://dev.acme.com/ Selectors k8s_psat:custer:foo k8s_psat:agent_ns:spire k8s_psat:agent_sa:agent Node Registration Entry of /k8s/cluster/foo ● node identities registration enables to assign one workload SPIFFE ID across multiple nodes ● registration entries defines a mapping of node(agent) <--> SPIFFE ID via node selectors
  10. 10. What is Attestation in SPIRE? Attestation is the process of certifying that something is true. spire-server spire-agent Workload API Work load Node API Node Attestation • verifying the identity of the node the workload is running on • runs when booting spire-agent Workload Attestation • verifying the workload on the node
  11. 11. Overview: How SPIRE issue SVIDs spire server spire agent Work load 1. register entries 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity Icons made by Freepik from www.flaticon.com 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
  12. 12. Node Attestation Internals (based on version 0.8.1) spire server spire agent 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity
  13. 13. Node Attestation • Both server & agent participate in node attestation • Only one node attestor can be configured in spire agent – multiple node attestors can be configured in spire server • Node attestor is pluggable – join_token, aws, azure, k8s, etc. (supported plugins list) spire serverspire agent Node Attestor Plugin Node Attestor PluginNode Attestor PluginNode Attestor Plugin
  14. 14. Before: Node Attestation Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-server CLI API
  15. 15. Node Attestation Internals (based on version 0.8.1) spire serverspire agent Booting... … Booted Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com 0. generate key-pair for this node 1. plugin makes proof of the node identity 2. make certificate signing request 3. send node identity and signing request 4.1 perform challenge & response in arbitrary number of rounds 5. issue node SVID (sign the signing request) CA’s key pair SPIFFE Bundle 6. send node SVID transport is secured by using upstream CA 4. verify the proof 4.2 issue node SPIFFE ID and its selectors
  16. 16. Example of AWS Node Attestor Plugin spire serverspire agent AWS Node Attestor Plugin AWS Node Attestor Plugin Instance Identity Document SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID} Selectors AWS Node Resolver Plugin aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... instance metadata service Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
  17. 17. mTLS with node SVID spire server Sync all the registration entries match ● selectors of the node SVIDs ● and their descendants ● (subset match included) Completing Agent Bootup Icons made by Freepik from www.flaticon.com spire agent node(base) SVID (/aws_iid/acct/reg/instanceID) Node SVID Rotator refresh when rotatedrotate SVID/Bundle/ RegistrationEntries Synchronizer /aws_iid/acct/reg/instanceID aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... /cluster/payments MATCH! /payments/api /payments/web /payments/db entries
  18. 18. After: Booting Up Agent Completely Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API spire-agent Workload API spire-server CLI API
  19. 19. Workload Attestation Internals (based on version 0.8.1) spire server spire agent Work load kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
  20. 20. entries Workload Attestation • Only agent participates in workload attestation – synchronizer is responsible for fetching workload SVIDs/Bundles • Multiple workload attestors can be configured in spire agent • Workload attestor is also pluggable – unix, docker, k8s etc. (supported plugins list) spire agent Workload spire server Worload Attestor Plugin Worload Attestor Plugin Worload Attestor Plugin WorkloadAPI
  21. 21. Before: Workload Attestation Completed Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
  22. 22. Workload Attestation Internals (based on version 0.8.1) spire server spire agent Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com Synchronizer mTLS with node SVID entries Work load kernel/orchestrators (e.g. kubelet/docker) Worload Attestor Plugin WorkloadEndpoint(unixsocket) 0. attestation request 1.2 obtain workload info 2. request syncing entries matched to merged selectors 3. request to issue their SVIDs (synchronizer generates key-pairs) 1.1 each attestor verify workload identity (pid) and transform it to selectors 4. matched SVIDs & Bundles unix:uid, unix:gid docker:image_id, docker:label k8s:ns, k8s:sa, k8s:pod-name etc. 1. attest in all attestors
  23. 23. Ready to Authenticate Workload Each Other!! Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
  24. 24. Quick Start • Rercommended: SPIRE101 in spire repo – you can try spire environment in docker-compose • !!CAUTION!! – this does NOT work on 0.8.1 or later – this works in 0.8.0 – ref: spiffe/spire#1155
  25. 25. Custom Attestation Plugin? • Just implementing several interafaces • Node Attestation Plugin (server, agent interface) • Node Resolver Plugin(server interface) • Workload Attestation Plugin (agent interface) • And plumbing to make it gRPC server • But, no comprehensive document right now – github.com/spiffe/plugin-template is obsolete • Official document points to reference custom plugin implementations
  26. 26. Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY Thank you for Listening!! Any Questions?

×