SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura


In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts their identities. This talk describes how SPIRE implements this process and makes it flexible. Moreover, it explains in detail how spire-server and spire-agent (running on a node) interact in the attestation process.


  1. Attestation Internals in SPIRE. Shingo Omura, Preferred Networks, Inc. SPIFFE Meetup Tokyo #2, 2019-10-02. Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip and Smashicons from www.flaticon.com.

  2. Shingo Omura
     • ML Platform Engineer, Preferred Networks, Inc.
       ○ On-prem GPU (2000+) k8s clusters
       ○ kubernetes org member (sig-scheduling)
       ○ kubeflow contributor
     • @everpeace

  3. Recap: SPIFFE Standardizations
     • SPIFFE ID – identity namespace; defines how services identify themselves to each other
     • SVID (SPIFFE Verification Identity Document) – defines a verifiable representation of issued identities (in X.509 and JWT format)
     • Workload API – defines the API for issuing and/or retrieving another workload's SVID

  4. Recap: SPIFFE ID
     • spiffe://dev.acme.com/payments/web, where scheme = spiffe, trust domain = dev.acme.com, path = /payments/web
     • Example of SPIFFE ID based authentication: spiffe://dev.acme.com/payments/web, spiffe://dev.acme.com/payments/api, spiffe://dev.acme.com/payments/db

  5. Recap: SVID (SPIFFE Verification Identity Document)
     • The trust domain (spiffe://dev.acme.com/) acts as the signing authority for SVIDs and provides the SPIFFE bundle
     • An SVID consists of: a SPIFFE ID, a valid signature, a public key (optional)
     • Supported formats: X509-SVID, JWT-SVID
     • Typically short-lived
     • SPIFFE bundle (trust bundle): used for validating SVIDs; contains a trust domain's public keys or X.509 CA certificate in JWK Set format

  6. Recap: Workload API
     • gRPC over a unix domain socket (aka the Workload API Endpoint)
     • No authentication, to avoid a bootstrapping problem
     • The caller is identified by kernel introspection or orchestrator interrogation
     • Flow: Workload (Src) sends an SVIDRequest and receives an SVIDResponse containing its SVIDs and SPIFFE bundles (may contain federated bundles, i.e. bundles for other trust domains); Workload (Dst) does the same and verifies the src SVID using the SPIFFE bundle

  7. Overview of SPIRE: SPIFFE Runtime Environment
     • spire-server: Node API, Registration API, CLI API; responsible for identity mapping, node attestation and SVID issuance
     • spire-agent (one per node): Workload API; responsible for workload attestation and serving the Workload API to workloads

  8. Identity (Workload) Registration
     • Workload identities must be registered first (spire-server: Node API, Registration API, CLI API)
     • Entries define a mapping of workload <--> SPIFFE ID via workload selectors
     • Entries have a hierarchy; note that this hierarchy is independent of the hierarchy of the SPIFFE ID's path
     • Workload registration entry of /payments/web:
       – SPIFFE ID: spiffe://dev.acme.com/payments/web
       – Parent ID: spiffe://dev.acme.com/k8s/cluster/foo
       – Selectors (type:value): k8s:ns:payments, k8s:sa:payment-web, k8s:container-image:payments

  9. Identity (Node) Registration
     • Registering node identities makes it possible to assign one workload SPIFFE ID across multiple nodes
     • Registration entries define a mapping of node (agent) <--> SPIFFE ID via node selectors
     • Node registration entry of /k8s/cluster/foo:
       – SPIFFE ID: spiffe://dev.acme.com/k8s/cluster/foo
       – Parent ID: spiffe://dev.acme.com/
       – Selectors: k8s_psat:cluster:foo, k8s_psat:agent_ns:spire, k8s_psat:agent_sa:agent

  10. What is Attestation in SPIRE? Attestation is the process of certifying that something is true.
     • Node attestation (spire-server Node API <-> spire-agent): verifying the identity of the node the workload is running on; runs when spire-agent boots
     • Workload attestation (spire-agent Workload API <-> workload): verifying the workload on the node

  11. Overview: How SPIRE issues SVIDs
     1. register entries (spire-server)
     2.0 attest node (spire-agent -> spire-server); 2.1 verify node identity against cloud providers (k8s, instance metadata, etc.); 2.3 node SVIDs (spire-server -> spire-agent)
     3.0 attest workload (workload -> spire-agent); 3.1 verify workload identity; 3.2 obtain workload info from kernel/orchestrators (e.g. kubelet/docker); 3.3 workload identity; 3.4 workload SVIDs (spire-server -> spire-agent); 3.5 workload SVIDs (spire-agent -> workload)

  12. Node Attestation Internals (based on version 0.8.1). Diagram: spire server, spire agent and cloud providers (k8s, instance metadata, etc.) with steps 2.0 attest node, 2.1 verify node identity, 2.3 node SVIDs.

  13. Node Attestation
     • Both server and agent participate in node attestation (each side runs a Node Attestor Plugin)
     • Only one node attestor can be configured in spire agent; multiple node attestors can be configured in spire server
     • Node attestor is pluggable: join_token, aws, azure, k8s, etc. (see the supported plugins list)

  14. Before: Node Attestation. Diagram: only spire-server (CLI API) is up.

  15. Node Attestation Internals (based on version 0.8.1). Agent: Booting... → Booted.
     0. agent generates a key pair for this node
     1. the agent-side plugin makes proof of the node identity
     2. agent makes a certificate signing request
     3. agent sends the node identity and the signing request (transport is secured by using the upstream CA)
     4. server verifies the proof
        4.1 perform challenge & response in an arbitrary number of rounds
        4.2 issue the node SPIFFE ID and its selectors
     5. server issues the node SVID (signs the signing request with the CA's key pair)
     6. server sends the node SVID together with the SPIFFE bundle

  16. Example of AWS Node Attestor Plugin
     • Agent-side AWS Node Attestor Plugin obtains the Instance Identity Document from the instance metadata service and sends it to the server
     • Server-side AWS Node Attestor Plugin verifies it and issues SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID}
     • AWS Node Resolver Plugin resolves selectors: aws_iid:tag:name:value, aws_iid:sg:id:sg-01234567, aws_iid:sg:name:sg-name, aws_iid:iamrole:arn:aws...

  17. Completing Agent Bootup
     • The agent now holds the node (base) SVID (/aws_iid/acct/reg/instanceID) and talks to the server over mTLS with the node SVID
     • Node SVID Rotator rotates the node SVID; the SVID/Bundle/RegistrationEntries Synchronizer refreshes when it is rotated
     • The synchronizer syncs all the registration entries that match the selectors of the node SVID, and their descendants (subset match included)
     • Example: node selectors aws_iid:tag:name:value, aws_iid:sg:id:sg-01234567, aws_iid:sg:name:sg-name, aws_iid:iamrole:arn:aws... MATCH the /cluster/payments entry, so its descendants /payments/api, /payments/web and /payments/db are synced

  18. After: Booting Up Agent Completely. Diagram: spire-server (CLI API) and two spire-agents, each serving the Workload API.

  19. Workload Attestation Internals (based on version 0.8.1). Diagram: spire server, spire agent, workload and kernel/orchestrators (e.g. kubelet/docker) with steps 3.0 attest workload, 3.1 verify workload identity, 3.2 obtain workload info, 3.3 workload identity, 3.4 workload SVIDs, 3.5 workload SVIDs.

  20. Workload Attestation
     • Only the agent participates in workload attestation; the synchronizer is responsible for fetching workload SVIDs/bundles (entries) from the server
     • Multiple workload attestors can be configured in spire agent
     • Workload attestor is also pluggable: unix, docker, k8s, etc. (see the supported plugins list)

  21. Before: Workload Attestation Completed. Diagram: spire-server (CLI API), spire-agents serving the Workload API, workloads not yet attested.

  22. Workload Attestation Internals (based on version 0.8.1)
     0. workload sends an attestation request over the Workload Endpoint (unix socket)
     1. attest in all attestors
        1.1 each attestor verifies the workload identity (pid) and transforms it to selectors: unix:uid, unix:gid; docker:image_id, docker:label; k8s:ns, k8s:sa, k8s:pod-name, etc.
        1.2 attestors obtain workload info from kernel/orchestrators (e.g. kubelet/docker)
     2. synchronizer requests syncing of entries matched to the merged selectors
     3. synchronizer requests the server (over mTLS with the node SVID) to issue their SVIDs (the synchronizer generates the key pairs)
     4. matched SVIDs & bundles are returned to the workload

  23. Ready to Authenticate Workloads to Each Other!! Diagram: spire-server (CLI API) and spire-agents serving attested workloads over the Workload API.

  24. Quick Start
     • Recommended: SPIRE101 in the spire repo; you can try a spire environment in docker-compose
     • !!CAUTION!! this does NOT work on 0.8.1 or later; it works in 0.8.0; ref: spiffe/spire#1155

  25. Custom Attestation Plugin?
     • Just implement several interfaces: Node Attestation Plugin (server, agent interface), Node Resolver Plugin (server interface), Workload Attestation Plugin (agent interface)
     • And plumbing to make it a gRPC server
     • But there is no comprehensive document right now; github.com/spiffe/plugin-template is obsolete
     • The official document points to reference custom plugin implementations

  26. Thank you for listening!! Any questions? Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY.
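The entry matching described on slides 17 and 22 (node entries picked by subset match on the node SVID's selectors, their descendants by Parent ID, then the workload's SPIFFE IDs picked by subset match on the merged attestor selectors), as an added example that is not part of the talk or of SPIRE's own code. `Entry`, `EntriesForAgent` and `WorkloadIDs` are hypothetical names; the trust domain root, agent ID and entries are supplied by the caller, and SPIFFE IDs are assumed unique across entries.

```go
package main

// Entry holds the registration entry fields shown on the slides (hypothetical type); selectors are "type:value" strings.
type Entry struct {
	SpiffeID, ParentID string
	Selectors          []string
}

// isSubset reports whether sub is non-empty and every selector in it also appears in super.
func isSubset(sub, super []string) bool {
	have := map[string]bool{}
	for _, s := range super {
		have[s] = true
	}
	for _, s := range sub {
		if !have[s] {
			return false
		}
	}
	return len(sub) > 0
}

// EntriesForAgent models the sync of slide 17: node entries (parent is the trust domain
// root) whose selectors are a subset of the node SVID's selectors, plus every descendant,
// by ParentID, of the agent ID and of those node entries. SPIFFE IDs are assumed unique.
func EntriesForAgent(root, agentID string, nodeSel []string, entries []Entry) []Entry {
	seen := map[string]bool{agentID: true}
	var out []Entry
	for changed := true; changed; { // repeat until a pass adds nothing new
		changed = false
		for _, e := range entries {
			isNode := e.ParentID == root && isSubset(e.Selectors, nodeSel)
			if !seen[e.SpiffeID] && (isNode || seen[e.ParentID]) {
				seen[e.SpiffeID], changed = true, true
				out = append(out, e)
			}
		}
	}
	return out
}

// WorkloadIDs models step 2 of slide 22: a workload is issued the SPIFFE IDs of synced entries whose selectors are a subset of the merged attestor selectors.
func WorkloadIDs(synced []Entry, workloadSel []string) (ids []string) {
	for _, e := range synced {
		if isSubset(e.Selectors, workloadSel) {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}
```

A workload whose attestors only yield part of an entry's selectors (e.g. the namespace but not the service account) gets no SVID from that entry, which is the subset rule working as intended.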
