Attestation Internals in SPIRE
Shingo Omura, Preferred Networks, Inc.
SPIFFE Meetup Tokyo #2, 2019-10-02
Icons made by Freepik from www.flaticon.com
💚

Shingo Omura
● ML Platform Engineer, Preferred Networks, Inc.
○ on-prem k8s clusters with 2000+ GPUs
○ kubernetes org member (sig-scheduling)
○ kubeflow contributor
● @everpeace
Recap: SPIFFE Standardizations
• SPIFFE ID
− an identity namespace; defines how services identify themselves to each other
• SVID (SPIFFE Verifiable Identity Document)
− defines a verifiable representation of issued identities (in X.509 and JWT format)
• Workload API
− defines an API for issuing and/or retrieving another workload's SVID
Recap: SPIFFE ID
spiffe://dev.acme.com/payments/web
  scheme = spiffe, trust domain = dev.acme.com, path = /payments/web
(diagram: example of SPIFFE ID based authentication between spiffe://dev.acme.com/payments/web, spiffe://dev.acme.com/payments/api and spiffe://dev.acme.com/payments/db)
Recap: SVID (SPIFFE Verifiable Identity Document)
SVID
• consists of
– SPIFFE ID
– valid signature
– public key (optional)
• supported formats
– X509-SVID, JWT-SVID
• typically short-lived
SPIFFE Bundle
• used for validating SVIDs
• contains a trust domain's public keys or X.509 CA certificate in JWK Set format
(diagram: the trust domain spiffe://dev.acme.com/ acts as signing authority for SVIDs and provides the trust bundle)
Recap: Workload API
(diagram: Workload (Src) and Workload (Dst) each send an SVIDRequest to their Workload API and receive an SVIDResponse carrying SVIDs and SPIFFE Bundles; Dst verifies Src's SVID by the SPIFFE Bundle over the transport)
● gRPC over a unix domain socket (aka Workload API Endpoint)
● no authentication, so there is no bootstrapping problem
● the Workload API identifies the caller by
- kernel introspection
- orchestrator interrogation
● the SVIDResponse may contain Federated Bundles (bundles for other trust domains)
Overview of SPIRE: SPIFFE Runtime Environment
(diagram: each node runs a spire-agent exposing the Workload API to its workloads; one spire-server exposes the Node API, the Registration API and the CLI API)
spire-server
● Identity Mapping
● Node Attestation
● SVID Issuance
spire-agent
● Workload Attestation
● Workload API
Identity (Workload) Registration
● workload identities must be registered first
● entries define a mapping of workload <--> SPIFFE ID via workload selectors
● entries have a hierarchy; note that this hierarchy is independent of the hierarchy of the SPIFFE ID path
(entries are registered through the spire-server Registration API or CLI API)
Workload Registration Entry of /payments/web
SPIFFE ID: spiffe://dev.acme.com/payments/web
Parent ID: spiffe://dev.acme.com/k8s/cluster/foo
Selectors (type:value):
k8s:ns:payments
k8s:sa:payment-web
k8s:container-image:payments
Identity (Node) Registration
Node Registration Entry of /k8s/cluster/foo
SPIFFE ID: spiffe://dev.acme.com/k8s/cluster/foo
Parent ID: spiffe://dev.acme.com/
Selectors (type:value):
k8s_psat:cluster:foo
k8s_psat:agent_ns:spire
k8s_psat:agent_sa:agent
● registering node identities makes it possible to assign one workload SPIFFE ID across multiple nodes
● registration entries define a mapping of node (agent) <--> SPIFFE ID via node selectors
What is Attestation in SPIRE?
Attestation is the process of certifying that something is true.
Node Attestation
• verifying the identity of the node the workload is running on
• runs when booting spire-agent
Workload Attestation
• verifying the workload on the node
(diagram: spire-agent attests the node to spire-server over the Node API and attests workloads over the Workload API)
Overview: How SPIRE issues SVIDs
1. register entries (spire server)
2.0 attest node (spire agent -> spire server)
2.1 verify node identity (spire server, against cloud providers: k8s, instance metadata, etc.)
2.3 node SVIDs (spire server -> spire agent)
3.0 attest workload (workload -> spire agent)
3.1 verify workload identity (spire agent)
3.2 obtaining workload info (spire agent, from kernel/orchestrators, e.g. kubelet/docker)
3.3 workload identity (spire agent -> spire server)
3.4 workload SVIDs (spire server -> spire agent)
3.5 workload SVIDs (spire agent -> workload)
Node Attestation Internals (based on version 0.8.1)
(diagram: 2.0 attest node, spire agent -> spire server; 2.1 verify node identity against cloud providers (k8s, instance metadata, etc.); 2.3 node SVIDs, spire server -> spire agent)
Node Attestation
• Both server & agent participate in node attestation
• Only one node attestor can be configured in spire agent
– multiple node attestors can be configured in spire server
• Node attestor is pluggable
– join_token, aws, azure, k8s, etc. (see the supported plugins list)
(diagram: spire agent runs a single Node Attestor Plugin; spire server runs several Node Attestor Plugins)
Before: Node Attestation
(diagram: only spire-server with its CLI API is up; no agent has attested yet)
Node Attestation Internals (based on version 0.8.1)
spire agent (booting):
0. generate a key-pair for this node
1. the plugin makes proof of the node identity
2. make a certificate signing request
3. send the node identity and the signing request to spire server (transport is secured by using the upstream CA)
spire server (holds the CA's key pair and the SPIFFE Bundle):
4. verify the proof
4.1 perform challenge & response in an arbitrary number of rounds
4.2 issue the node SPIFFE ID and its selectors
5. issue the node SVID (sign the signing request)
6. send the node SVID to spire agent
spire agent: booted
Example of AWS Node Attestor Plugin
• spire agent: the AWS Node Attestor Plugin obtains the Instance Identity Document from the instance metadata service and sends it to spire server as the proof
• spire server: the AWS Node Attestor Plugin verifies it and issues the SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID}
• spire server: the AWS Node Resolver Plugin produces the selectors
aws_iid:tag:name:value
aws_iid:sg:id:sg-01234567
aws_iid:sg:name:sg-name
aws_iid:iamrole:arn:aws...
Completing Agent Bootup
• spire agent now holds the node (base) SVID (/aws_iid/acct/reg/instanceID)
• the Node SVID Rotator rotates the node SVID; the SVID/Bundle/RegistrationEntries Synchronizer refreshes when it is rotated
• the Synchronizer talks to spire server over mTLS with the node SVID and syncs all the registration entries that match
● the selectors of the node SVID
● and their descendants
● (subset match included)
• example: the node selectors
aws_iid:tag:name:value
aws_iid:sg:id:sg-01234567
aws_iid:sg:name:sg-name
aws_iid:iamrole:arn:aws...
match the entry /cluster/payments (MATCH!), so its descendants /payments/api, /payments/web and /payments/db are synced as well
After: Booting Up Agent Completely
(diagram: two spire-agents, each with its Workload API, are now attested to spire-server; no workloads have been attested yet)
Workload Attestation Internals (based on version 0.8.1)
(diagram: 3.0 attest workload, workload -> spire agent; 3.1 verify workload identity; 3.2 obtaining workload info from kernel/orchestrators (e.g. kubelet/docker); 3.3 workload identity, spire agent -> spire server, which answers with entries; 3.4 workload SVIDs, spire server -> spire agent; 3.5 workload SVIDs, spire agent -> workload)
Workload Attestation
• Only the agent participates in workload attestation
– the synchronizer is responsible for fetching workload SVIDs/Bundles from spire server
• Multiple workload attestors can be configured in spire agent
• Workload attestor is also pluggable
– unix, docker, k8s etc. (see the supported plugins list)
(diagram: spire agent runs several Workload Attestor Plugins behind its WorkloadAPI; the workload talks only to the agent)
Before: Workload Attestation Completed
(diagram: spire-agents with their Workload APIs are attested to spire-server; the workloads on each node have not obtained SVIDs yet)
Workload Attestation Internals (based on version 0.8.1)
0. the workload sends an attestation request to the agent's WorkloadEndpoint (unix socket)
1. attest in all attestors
1.1 each attestor verifies the workload identity (pid) and transforms it to selectors, e.g.
unix:uid, unix:gid
docker:image_id, docker:label
k8s:ns, k8s:sa, k8s:pod-name
etc.
1.2 to do so, the attestors obtain workload info from kernel/orchestrators (e.g. kubelet/docker)
2. the Synchronizer requests syncing of the entries matched to the merged selectors (mTLS with the node SVID to spire server)
3. it requests spire server to issue their SVIDs (the synchronizer generates the key-pairs)
4. the matched SVIDs & Bundles are returned to the workload
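The selector matching that both the agent bootup sync (entries matching the node SVID's selectors plus their descendants, subset match included) and step 2 above (entries matched to the merged workload selectors) rely on, written out as an added Go example; this is not SPIRE's own code, and the Entry type, the function names and the sample entries are constructed for illustration, mirroring the deck's /cluster/payments and /payments/* example:

```go
package main
// Entry is a simplified registration entry as on the slides: a SPIFFE ID,
// a parent ID (the entry hierarchy) and selectors of the form "type:value".
type Entry struct {
	SpiffeID  string
	ParentID  string
	Selectors []string
}

// selectorSet turns a selector list into a set for subset checks.
func selectorSet(sels []string) map[string]bool {
	set := make(map[string]bool, len(sels))
	for _, s := range sels {
		set[s] = true
	}
	return set
}

// isSubset is the "subset match" of the slides: an entry matches when every one
// of its selectors is among the attested ones. No selectors means no match.
func isSubset(sub []string, super map[string]bool) bool {
	if len(sub) == 0 {
		return false
	}
	for _, s := range sub {
		if !super[s] {
			return false
		}
	}
	return true
}

// SyncEntriesForNode models the sync at agent bootup: entries whose selectors
// are a subset of the node SVID's selectors match directly, and every
// descendant (via ParentID) of a matched entry is synced too, whatever its own selectors.
func SyncEntriesForNode(nodeSelectors []string, all []Entry) []Entry {
	nodeSet := selectorSet(nodeSelectors)
	children := map[string][]Entry{}
	for _, e := range all {
		children[e.ParentID] = append(children[e.ParentID], e)
	}
	seen := map[string]bool{} // dedupes and guards against a ParentID cycle
	var synced []Entry
	var walk func(e Entry)
	walk = func(e Entry) {
		if seen[e.SpiffeID] {
			return
		}
		seen[e.SpiffeID] = true
		synced = append(synced, e)
		for _, c := range children[e.SpiffeID] {
			walk(c)
		}
	}
	for _, e := range all {
		if isSubset(e.Selectors, nodeSet) {
			walk(e)
		}
	}
	return synced
}

// MatchWorkload models workload attestation: selectors from all workload
// attestors are merged, and the synced entries whose selectors are a subset
// of the merged set are the ones whose SVIDs the workload receives.
func MatchWorkload(attestorSelectors [][]string, synced []Entry) []string {
	mergedSet := map[string]bool{}
	for _, sels := range attestorSelectors {
		for _, s := range sels {
			mergedSet[s] = true
		}
	}
	var ids []string
	for _, e := range synced {
		if isSubset(e.Selectors, mergedSet) {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}

const td = "spiffe://dev.acme.com"
// NodeSelectors are the selectors the AWS node resolver produced on the slides.
var NodeSelectors = []string{
	"aws_iid:tag:name:value", "aws_iid:sg:id:sg-01234567",
	"aws_iid:sg:name:sg-name", "aws_iid:iamrole:arn:aws...",
}

// SampleEntries is constructed sample data mirroring the slides' example;
// /cluster/other and its child are added to show a non-matching branch.
var SampleEntries = []Entry{
	{td + "/cluster/payments", td + "/", []string{"aws_iid:sg:name:sg-name", "aws_iid:tag:name:value"}},
	{td + "/payments/web", td + "/cluster/payments", []string{"k8s:ns:payments", "k8s:sa:payment-web", "k8s:container-image:payments"}},
	{td + "/payments/api", td + "/cluster/payments", []string{"k8s:ns:payments", "k8s:sa:payment-api"}},
	{td + "/payments/db", td + "/cluster/payments", []string{"k8s:ns:payments", "k8s:sa:payment-db"}},
	{td + "/cluster/other", td + "/", []string{"aws_iid:sg:id:sg-76543210"}},
	{td + "/other/batch", td + "/cluster/other", []string{"k8s:ns:batch"}},
}
```

With the constructed data, SyncEntriesForNode hands the agent /cluster/payments and its three /payments/* descendants while /cluster/other and /other/batch stay on the server, and a pod whose k8s attestor reports sa:payment-web receives only the /payments/web SVID.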
Ready to Authenticate Workloads to Each Other!!
(diagram: every workload on both nodes now holds SVIDs obtained from its spire-agent's Workload API)
Quick Start
• Recommended: SPIRE101 in the spire repo
– you can try a spire environment in docker-compose
• !!CAUTION!!
– this does NOT work on 0.8.1 or later
– this works in 0.8.0
– ref: spiffe/spire#1155
Custom Attestation Plugin?
• Just implement several interfaces
– Node Attestation Plugin (server and agent interfaces)
– Node Resolver Plugin (server interface)
– Workload Attestation Plugin (agent interface)
• And the plumbing to make it a gRPC server
• But there is no comprehensive document right now
– github.com/spiffe/plugin-template is obsolete
– the official document points to reference custom plugin implementations
Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY
Thank you for Listening!!
Any Questions?

More Related Content

What's hot

The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
WSO2
 
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_SingaporeCI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
Amazon Web Services
 

What's hot (20)

Loki - like prometheus, but for logs
Loki - like prometheus, but for logsLoki - like prometheus, but for logs
Loki - like prometheus, but for logs
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Service Mesh - Observability
Service Mesh - ObservabilityService Mesh - Observability
Service Mesh - Observability
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modules
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introduction
 
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_SingaporeCI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
CI-CD with AWS Developer Tools and Fargate_AWSPSSummit_Singapore
 
VPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCVPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPC
 
MeetUp Monitoring with Prometheus and Grafana (September 2018)
MeetUp Monitoring with Prometheus and Grafana (September 2018)MeetUp Monitoring with Prometheus and Grafana (September 2018)
MeetUp Monitoring with Prometheus and Grafana (September 2018)
 
apidays Paris 2022 - Adding a mock as a service capability to your API strate...
apidays Paris 2022 - Adding a mock as a service capability to your API strate...apidays Paris 2022 - Adding a mock as a service capability to your API strate...
apidays Paris 2022 - Adding a mock as a service capability to your API strate...
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
 
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) PipelineAnatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service Mesh
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Infrastructure-as-Code (IaC) using Terraform
Infrastructure-as-Code (IaC) using TerraformInfrastructure-as-Code (IaC) using Terraform
Infrastructure-as-Code (IaC) using Terraform
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 

Similar to SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

API First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipelineAPI First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipeline
Pronovix
 

Similar to SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura (20)

アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発
 
Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"
 
Building Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFEBuilding Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFE
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffe
 
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles ServiceAraport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Service
 
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud DevelopmentCloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
CloudStack EC2 Configuration
CloudStack EC2 ConfigurationCloudStack EC2 Configuration
CloudStack EC2 Configuration
 
Introduction and hacking OpenStack, Pycon India
Introduction and hacking OpenStack,  Pycon IndiaIntroduction and hacking OpenStack,  Pycon India
Introduction and hacking OpenStack, Pycon India
 
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
 
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & MobileIVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
 
API First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipelineAPI First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipeline
 
Telerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT ConferenceTelerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT Conference
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster
 
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
 
SoftLayer API 12032015
SoftLayer API  12032015SoftLayer API  12032015
SoftLayer API 12032015
 
Meet the Forge Runtime
Meet the Forge RuntimeMeet the Forge Runtime
Meet the Forge Runtime
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API Gateway
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 

More from Preferred Networks

More from Preferred Networks (20)

PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
 
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
 
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
 
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
 
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
 
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
 
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
 
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
 
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
 
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
 
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
 
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
 
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語るKubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
 
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
 
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
 
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
 
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
 
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
 
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
 

Recently uploaded

Recently uploaded (20)

KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
Benefits of Employee Monitoring Software
Benefits of  Employee Monitoring SoftwareBenefits of  Employee Monitoring Software
Benefits of Employee Monitoring Software
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
How To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfHow To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 

SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

  • 1. Shingo Omura, Preferred Networks, Inc. SPIFFE Meetup Tokyo #2 2019-10-02 Attestation Internals in SPIRE Icons made by Freepik from www.flaticon.com 💚

  • 2. Shingo Omura ● ML Platform Engineer, Preferred Networks, Inc. ○ On-Prem GPU(2000+) k8s clusters ○ kubernetes org member (sig-scheduling) ○ kubeflow contributor ● @everpeace
  • 3. Recap: SPIFFE Standardizations • SPIFFE ID − identity namespace and defines how services identify themselves to each other • SVID (SPIFFE Verification Itenditity Document) − defines verifiable representation of issued identities (in X.509 and JWT format) • Workload API − defines API for issuing and/or retrieving another workload’s SVID
  • 4. example of SPIFFE ID based authentication spiffe://dev.acme.com/payments/web scheme=spiffe Trust Domain Path Recap: SPIFFE ID spiffe://dev.acme.com/payments/api spiffe://dev.acme.com/payments/db
  • 5. Recap: SVID (SPIFFE Verification Identity Document) Icons made by Freepik from www.flaticon.com Trust Domain (spiffe://dev.acme.com/) As Signing Authority • consists of – SPIFFE ID – valid signature – public key(optional) • supported format – X509-SVID, JWT-SVID • typically short-lived SVID SPIFFE Bundle Provides Trust Bundle • used for validating SVIDs • contains a trust domain's public keys or X.509 CA certificate in JWK Set format
  • 6. SVIDResponse Recap: Workload API WorkloadAPI Workload (Src) ● grpc with unix domain socket (aka Workload API Endpoint) ● no authentication for avoiding bootstrapping Transport SVIDRequest Icons made by Freepik, photo3idea_studio, Pixel Buddha from www.flaticon.com SVIDs Workload (Dst) SPIFFE Bundles SVIDRequest SVIDResponse verify src SVID by SPIFFE Bundle Identify the Caller - kernel introspection - orchestrator interrogation may contain Federated Bundles (bundles for other trust domains)
  • 7. Overview of SPIRE: SPIFFE Runtime Environment Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server Node API Registration API ● Identity Mapping ● Node Attestation ● SVID IssuanceCLI API ● Workload Attestation ● Workload API
  • 8. ● workload identities must be registered first ● entries defines a mapping of workload <--> SPIFFE ID via workload selectors ● entries has hierarchy. note that this hierarchy is independent to one of SPIFFE ID’s path Identity(Workload) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/payments/web Parent ID spiffe://dev.acme.com/k8s/cluster/foo Selectors k8s:ns:payments k8s:sa:payment-web k8s:container-image:payments Workload Registration Entry of /payments/web Icons made by Freepik from www.flaticon.com type value
  • 9. Identity(Node) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/k8s/cluster/foo Parent ID spiffe://dev.acme.com/ Selectors k8s_psat:custer:foo k8s_psat:agent_ns:spire k8s_psat:agent_sa:agent Node Registration Entry of /k8s/cluster/foo ● node identities registration enables to assign one workload SPIFFE ID across multiple nodes ● registration entries defines a mapping of node(agent) <--> SPIFFE ID via node selectors
  • 10. What is Attestation in SPIRE? Attestation is the process of certifying that something is true. spire-server spire-agent Workload API Work load Node API Node Attestation • verifying the identity of the node the workload is running on • runs when booting spire-agent Workload Attestation • verifying the workload on the node
  • 11. Overview: How SPIRE issue SVIDs spire server spire agent Work load 1. register entries 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity Icons made by Freepik from www.flaticon.com 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
  • 12. Node Attestation Internals (based on version 0.8.1)
    Steps covered: 2.0 attest node; 2.1 verify node identity (Cloud Providers: k8s, instance metadata, etc.); 2.3 node SVIDs
  • 13. Node Attestation
    • Both server & agent participate in node attestation
    • Only one node attestor can be configured in spire agent
      – multiple node attestors can be configured in spire server
    • Node attestor is pluggable
      – join_token, aws, azure, k8s, etc. (supported plugins list)
    [diagram: one Node Attestor Plugin in spire agent, several Node Attestor Plugins in spire server]
  • 14. Before: Node Attestation
    [diagram: spire-server (CLI API) only; no spire-agent has attested yet]
  • 15. Node Attestation Internals (based on version 0.8.1)
    Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
    spire agent (Booting... … Booted):
      0. generate key-pair for this node
      1. plugin makes proof of the node identity
      2. make certificate signing request
      3. send node identity and signing request
    spire server (holds the CA's key pair and the SPIFFE Bundle):
      4. verify the proof
      4.1 perform challenge & response in an arbitrary number of rounds
      4.2 issue node SPIFFE ID and its selectors
      5. issue node SVID (sign the signing request)
      6. send node SVID
    transport is secured by using upstream CA
  • 16. Example of AWS Node Attestor Plugin
    ● agent side: AWS Node Attestor Plugin obtains the Instance Identity Document from the instance metadata service and sends it as the proof
    ● server side: AWS Node Attestor Plugin issues SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID}
    ● AWS Node Resolver Plugin produces the selectors:
      aws_iid:tag:name:value
      aws_iid:sg:id:sg-01234567
      aws_iid:sg:name:sg-name
      aws_iid:iamrole:arn:aws...
  • 17. Completing Agent Bootup
    ● spire agent talks to spire server over mTLS with the node SVID
    ● Node SVID Rotator: rotates the node (base) SVID (/aws_iid/acct/reg/instanceID)
    ● SVID/Bundle/RegistrationEntries Synchronizer: refreshes when the node SVID is rotated
    ● Synchronizer syncs all the registration entries that match
      ● selectors of the node SVIDs
      ● and their descendants
      ● (subset match included)
    Example: node SVID /aws_iid/acct/reg/instanceID with selectors aws_iid:tag:name:value, aws_iid:sg:id:sg-01234567, aws_iid:sg:name:sg-name, aws_iid:iamrole:arn:aws... matches the entry /cluster/payments (MATCH!), so its descendant entries /payments/api, /payments/web and /payments/db are synced as well.
  • 18. After: Booting Up Agent Completely
    [diagram: spire-server (CLI API) and attested spire-agents, each now exposing the Workload API]
  • 19. Workload Attestation Internals (based on version 0.8.1)
    Steps covered: 3.0 attest workload; 3.1 verify workload identity; 3.2 obtaining workload info (kernel/orchestrators, e.g. kubelet/docker); 3.3 workload identity; 3.4 workload SVIDs; 3.5 workload SVIDs
  • 20. Workload Attestation
    • Only agent participates in workload attestation
      – synchronizer is responsible for fetching workload SVIDs/Bundles (entries) from spire server
    • Multiple workload attestors can be configured in spire agent
    • Workload attestor is also pluggable
      – unix, docker, k8s etc. (supported plugins list)
    [diagram: several Workload Attestor Plugins in spire agent behind the Workload API; workload on one side, spire server on the other]
  • 21. Before: Workload Attestation Completed
    [diagram: spire-server (CLI API); spire-agents exposing the Workload API; workloads not yet holding SVIDs]
  • 22. Workload Attestation Internals (based on version 0.8.1)
    workload -> spire agent (Workload Endpoint, unix socket):
      0. attestation request
    spire agent (Workload Attestor Plugins):
      1. attest in all attestors
      1.1 each attestor verifies the workload identity (pid) and transforms it into selectors
          (unix:uid, unix:gid; docker:image_id, docker:label; k8s:ns, k8s:sa, k8s:pod-name etc.)
      1.2 obtain workload info from kernel/orchestrators (e.g. kubelet/docker)
    spire agent (Synchronizer) -> spire server (mTLS with node SVID):
      2. request syncing entries matched to the merged selectors
      3. request to issue their SVIDs (synchronizer generates the key-pairs)
    spire agent -> workload:
      4. matched SVIDs & Bundles
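As an added worked example (not code from the slides or from SPIRE itself), the two selector matches described on slides 17 and 22 in Go: EntriesForAgent is the synchronizer's subset match over the node selectors plus the walk down the entry hierarchy, and EntriesForWorkload is the lookup against the selectors merged from all workload attestors. The Entry type, the Sample registry (built from the entries on slides 8 and 9) and the nodeID parameter (entries may also be parented directly to the agent's own SVID ID) are this example's own simplifications.

```go
package main
// Entry is a simplified SPIRE registration entry; Sample is constructed after the slides' examples.
type Entry struct {
	SpiffeID, ParentID string
	Selectors          []string // "type:value", e.g. "k8s:ns:payments"
}
var Sample = []Entry{
	{"spiffe://dev.acme.com/k8s/cluster/foo", "spiffe://dev.acme.com/", []string{"k8s_psat:cluster:foo", "k8s_psat:agent_ns:spire"}},
	{"spiffe://dev.acme.com/payments/web", "spiffe://dev.acme.com/k8s/cluster/foo", []string{"k8s:ns:payments", "k8s:sa:payment-web"}},
	{"spiffe://dev.acme.com/payments/db", "spiffe://dev.acme.com/k8s/cluster/foo", []string{"k8s:ns:payments", "k8s:sa:payment-db"}},
	{"spiffe://dev.acme.com/other/api", "spiffe://dev.acme.com/k8s/cluster/bar", []string{"k8s:ns:other"}},
}

// subset reports whether every selector in need appears in have (the "subset match").
func subset(need, have []string) bool {
	set := map[string]bool{}
	for _, s := range have {
		set[s] = true
	}
	for _, s := range need {
		if !set[s] {
			return false
		}
	}
	return true
}

// EntriesForAgent returns what an agent holding nodeID may sync: entries whose selectors
// are a subset of nodeSel, plus every descendant via ParentID (entry hierarchy, not ID path).
func EntriesForAgent(all []Entry, nodeID string, nodeSel []string) (out []Entry) {
	ok := map[string]bool{nodeID: true}
	for changed := true; changed; { // repeat until no new descendant turns up
		changed = false
		for _, e := range all {
			if !ok[e.SpiffeID] && (ok[e.ParentID] || subset(e.Selectors, nodeSel)) {
				ok[e.SpiffeID], changed = true, true
				out = append(out, e)
			}
		}
	}
	return out
}

// EntriesForWorkload keeps the synced entries whose selectors are a subset of the selectors
// merged from all workload attestors (unix, docker, k8s ...) and returns their SPIFFE IDs.
func EntriesForWorkload(synced []Entry, merged []string) (ids []string) {
	for _, e := range synced {
		if subset(e.Selectors, merged) {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}
```

The entry under cluster bar never reaches the agent for cluster foo, and a workload presenting only k8s:ns:payments without the service-account selector gets no SVID: both matches fail closed.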
  • 23. Ready to Authenticate Workloads to Each Other!!
    [diagram: spire-server (CLI API); spire-agents exposing the Workload API; every workload now holds its SVID]
  • 24. Quick Start
    • Recommended: SPIRE101 in spire repo
      – you can try a spire environment in docker-compose
    • !!CAUTION!!
      – this does NOT work on 0.8.1 or later
      – this works in 0.8.0
      – ref: spiffe/spire#1155
  • 25. Custom Attestation Plugin?
    • Just implement several interfaces
      • Node Attestation Plugin (server, agent interface)
      • Node Resolver Plugin (server interface)
      • Workload Attestation Plugin (agent interface)
    • And plumbing to make it a gRPC server
    • But, no comprehensive document right now
      – github.com/spiffe/plugin-template is obsolete
    • Official document points to reference custom plugin implementations
  • 26. Thank you for Listening!! Any Questions?
    Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY