SPIFFE & SPIRE


SPIFFE Introduction

The SPIFFE standard is all about
- how to encode a SPIFFE ID into an X.509 certificate
- which field to use
- how to validate (1) an X.509 certificate and (2) a JWT token when a SPIFFE ID is inside

SPIFFE is for universal identity: it defines how different components can trust each other in a distributed system. SPIFFE was launched at KubeCon 2017. The SPIFFE Federation API was the main focus during 2018 and 2019.

SPIRE

SPIRE is an open source project that implements the SPIFFE standards.
1. It exposes the Workload API.
2. It is a framework for managing the issuance of identities.
3. It handles 'secure introduction' (= 'credential zero' = 'bootstrap credential'): the workload authenticates itself to the SPIRE agent, and the agent authenticates itself to the SPIRE server.
4. It performs trust bootstrapping.
SPIRE is stand-alone and has many custom plugins.

SPIRE server
- Identity mapping / identity registry; it exposes the Registration API
- Node API, using the Node Attestation plugin + Node Resolver plugin
- Federation API
- SVID issuance (SVID = SPIFFE Verifiable Identity Document)
- signing key
- registry of workloads

It can have plugins like

1. Upstream CA plugin
2. Node Attestor plugin, to validate a node (both the SPIRE agent and the SPIRE server have one)
3. Node Resolver plugin
4. Datastore plugin: MySQL, SQLite 3 (default), or PostgreSQL
5. Key Manager plugin, to store the private key that signs SVIDs (both X.509 and JWT)

It can be deployed as a StatefulSet and can have a PV. In a production environment it can use a DB: PostgreSQL or MySQL.

SPIRE Agent

The SPIRE agent assigns a SPIFFE ID to a workload and generates a CSR for the SPIRE server. The SPIRE server returns the SPIFFE ID and the trust bundle (the set of certificates used to verify X.509-SVIDs, or the public keys used to verify JWT-SVIDs). These are transferred from the SPIRE server to the node agent and then to the workload. The workload's private key never leaves the node.
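As an added example (not code from the page, SPIFFE or SPIRE), the following Go program models the flow just described, and the encoding and validation points from the introduction above, with the standard library only: a CA key plays the SPIRE server's signing key, the workload's key produces a CSR and never leaves the node, the server writes the SPIFFE ID into the certificate's URI SAN, and a relying party validates the chain against the trust bundle and then checks that the single URI SAN is a SPIFFE ID in the expected trust domain. The trust domain example.org, the workload path /ns/prod/sa/payments and all function names are assumptions of this example; the real SPIRE agent and server APIs are not used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

const trustDomain = "example.org" // constructed example value, not from the page

// newCA stands in for the SPIRE server's signing key; its certificate is what the trust bundle carries.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "spire-server-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSVID is the server side of the CSR flow: the public key comes from the workload's CSR, the SPIFFE ID goes into the URI SAN.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, spiffeID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the workload key
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived leaf
		URIs:         []*url.URL{id},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifySVID is the relying party: chain-validate against the bundle, then require exactly one spiffe:// URI SAN in the expected trust domain.
func verifySVID(bundle *x509.CertPool, svidDER []byte, wantTrustDomain string) (string, error) {
	leaf, err := x509.ParseCertificate(svidDER)
	if err != nil {
		return "", err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	u := leaf.URIs[0]
	if u.Scheme != "spiffe" || u.Host != wantTrustDomain || u.Path == "" {
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID in trust domain %q", u, wantTrustDomain)
	}
	return u.String(), nil
}

// demo runs the whole flow and returns the SPIFFE ID a relying party expecting wantTrustDomain accepts.
func demo(wantTrustDomain string) (string, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return "", err
	}
	wlKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the workload key stays on the node
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, wlKey)
	svid, err := issueSVID(ca, caKey, csrDER, "spiffe://"+trustDomain+"/ns/prod/sa/payments")
	if err != nil {
		return "", err
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return verifySVID(bundle, svid, wantTrustDomain)
}
func main() {
	fmt.Println(demo(trustDomain))
}
```

Two checks in verifySVID carry the weight: chain validation proves the server signed the leaf, and the trust-domain comparison on the URI SAN is what stops a certificate that is valid in some other trust domain from being accepted here.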

- Workload API
- Workload Attestation: verifies the authenticity of the caller; only the SPIRE agent does this

It can have plugins like

1. Multiple workload attestor plugins
      1.a Unix attestor (OS attestor): uses out-of-band information from the Linux kernel to verify whether the selectors mentioned in the request are genuine.
      1.b K8s attestor: communicates with the kubelet to verify that the caller is a genuine K8s workload, then collects ns, sa, docker image id, etc.
2. Node attestor plugin: uses the bootstrap configuration. The server responds with an SVID for the agent and with the node's SPIFFE ID, which becomes the parent ID for the node's workloads.
3. Key manager plugin: generates and uses the private keys for X.509-SVIDs

It can be deployed as a DaemonSet

Valid sources of node identity
1. cloud platform, e.g. AWS Instance Identity Document (IID), Azure Managed Service Identities, GCE Instance Identity Tokens
2. private key stored in a TPM (Trusted Platform Module) or HSM (Hardware Security Module)
3. manual verification through a join token
4. SA token
5. etc.

An SVID (SPIFFE Verifiable Identity Document) has two formats
1. X.509 certificate
2. JWT token
 - it is susceptible to replay attacks
 - use it when an L7 proxy or L7 LB is on the path
SPIRE supports a specific form of JWT designed to encode SPIFFE IDs, the JWT-SVID.
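The checks a relying party makes on a JWT-SVID, as an added example rather than SPIRE's own code: ES256 signing and verification are done with the Go standard library, the bundle is a map from key id to public key (the role the JWT trust bundle plays), and the verifier rejects the token unless the signature checks, the token is unexpired, it names the caller's audience, and its sub is a SPIFFE ID inside the expected trust domain. Audience binding and the short expiry are what limit the replay exposure noted above. The key id, audiences, trust domain and SPIFFE ID are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwtClaims are the JWT-SVID claims checked here: SPIFFE ID as sub, audiences, expiry.
type jwtClaims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// signJWTSVID is the issuer side: ES256 over base64url(header).base64url(payload), signature as fixed-width r||s.
func signJWTSVID(key *ecdsa.PrivateKey, kid string, claims jwtClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyJWTSVID is the relying party; bundle maps kid to public key, as the JWT trust bundle does.
func verifyJWTSVID(bundle map[string]*ecdsa.PublicKey, token, audience, trustDomain string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var header struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil {
		return "", fmt.Errorf("bad header")
	}
	pub := bundle[header.Kid]
	if header.Alg != "ES256" || pub == nil { // the bundle, not the token, decides the algorithm
		return "", fmt.Errorf("unsupported alg %q or unknown kid %q", header.Alg, header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature invalid")
	}
	var claims jwtClaims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return "", fmt.Errorf("bad payload")
	}
	if now.Unix() >= claims.Exp {
		return "", fmt.Errorf("token expired")
	}
	audOK := false
	for _, a := range claims.Aud {
		audOK = audOK || a == audience
	}
	if !audOK { // audience binding limits what a captured token can be replayed against
		return "", fmt.Errorf("audience mismatch")
	}
	if !strings.HasPrefix(claims.Sub, "spiffe://"+trustDomain+"/") {
		return "", fmt.Errorf("sub %q is outside trust domain %q", claims.Sub, trustDomain)
	}
	return claims.Sub, nil
}

// demo issues a one-minute token for audience "db" and validates it for the given audience.
func demo(audience string) (string, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed signing key
	now := time.Now()
	token, err := signJWTSVID(key, "key-1", jwtClaims{Sub: "spiffe://example.org/ns/prod/sa/payments", Aud: []string{"db"}, Exp: now.Add(time.Minute).Unix()})
	if err != nil {
		return "", err
	}
	return verifyJWTSVID(map[string]*ecdsa.PublicKey{"key-1": &key.PublicKey}, token, audience, "example.org", now)
}

func main() {
	fmt.Println(demo("db"))
}
```

The algorithm check comes before any key lookup on purpose: the verifier only ever applies ES256 with a key from its own bundle, so the token's header cannot steer it to another algorithm.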

Workload registry entry fields
- Properties are called selectors
  (1) ns = namespace
  (2) sa = service account
  (3) docker image id
- Parent ID can be the K8s cluster name
- SPIFFE ID: format spiffe://<trust domain>/<workload>
- DNS Name or CN
- TTL
- Entry ID
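An added example (not SPIRE's code) of how the fields listed above are used when the agent looks up entries for an attested workload: every selector on an entry must be among the selectors the workload attestor reported, and the entry's parent ID must be the attesting node's SPIFFE ID; an entry may list fewer selectors than the workload has, never ones the workload lacks. The registry contents, node IDs, selector types and image name are constructed for this example, and entries without selectors are skipped.

```go
package main

import (
	"fmt"
	"sort"
)

// Selector is one "type:value" property a workload attestor reported,
// e.g. {"k8s:ns", "prod"}. All values below are constructed for the example.
type Selector struct{ Type, Value string }

// RegistrationEntry carries the registry fields listed above.
type RegistrationEntry struct {
	EntryID   string
	SpiffeID  string
	ParentID  string // SPIFFE ID of the node (agent) allowed to serve this entry
	Selectors []Selector
	TTL       int // seconds
}

// matchEntries returns, sorted, the SPIFFE IDs an attested workload may receive:
// the entry's ParentID must equal the attesting node's ID and every selector on
// the entry must be present in the attested set (subset match).
func matchEntries(entries []RegistrationEntry, nodeID string, attested []Selector) []string {
	have := make(map[Selector]bool, len(attested))
	for _, s := range attested {
		have[s] = true
	}
	var ids []string
	for _, e := range entries {
		if e.ParentID != nodeID || len(e.Selectors) == 0 { // selector-less entries are out of scope here
			continue
		}
		matched := true
		for _, s := range e.Selectors {
			if !have[s] {
				matched = false
				break
			}
		}
		if matched {
			ids = append(ids, e.SpiffeID)
		}
	}
	sort.Strings(ids)
	return ids
}

// demoRegistry is a constructed registry for trust domain example.org.
func demoRegistry() []RegistrationEntry {
	nodeA := "spiffe://example.org/spire/agent/k8s/node-a"
	nodeB := "spiffe://example.org/spire/agent/k8s/node-b"
	return []RegistrationEntry{
		{EntryID: "e1", SpiffeID: "spiffe://example.org/ns/prod/sa/payments", ParentID: nodeA, TTL: 3600,
			Selectors: []Selector{{"k8s:ns", "prod"}, {"k8s:sa", "payments"}}},
		{EntryID: "e2", SpiffeID: "spiffe://example.org/ns/prod/any", ParentID: nodeA, TTL: 3600,
			Selectors: []Selector{{"k8s:ns", "prod"}}},
		{EntryID: "e3", SpiffeID: "spiffe://example.org/ns/dev/sa/payments", ParentID: nodeA, TTL: 3600,
			Selectors: []Selector{{"k8s:ns", "dev"}, {"k8s:sa", "payments"}}},
		{EntryID: "e4", SpiffeID: "spiffe://example.org/ns/prod/sa/payments-b", ParentID: nodeB, TTL: 3600,
			Selectors: []Selector{{"k8s:ns", "prod"}, {"k8s:sa", "payments"}}},
	}
}

// demoAttested is what the K8s workload attestor on node-a might report for one pod.
func demoAttested() []Selector {
	return []Selector{{"k8s:ns", "prod"}, {"k8s:sa", "payments"}, {"k8s:container-image", "registry.example/payments:1.2"}}
}

func main() {
	fmt.Println(matchEntries(demoRegistry(), "spiffe://example.org/spire/agent/k8s/node-a", demoAttested()))
}
```

The pod on node-a receives two SVIDs (the specific payments identity and the broader namespace-wide one), while the dev entry and the entry parented to node-b do not match even though their selectors overlap.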

Use cases
1. DB access
2. Access to a cloud provider
3. Identity translation
4. OAuth client authentication
5. mTLS "encryption everywhere"
6. Workload observability
7. Square talks about how Square uses SPIFFE and SPIRE to secure communications across hybrid infrastructure services: https://youtu.be/H5IlmYmEDKk?t=2585
8. Uber talks about integrating SPIRE with workload schedulers: https://youtu.be/H5IlmYmEDKk?t=4703
9. Tigera demonstrates how Calico, Envoy and SPIRE are used to deliver unified Layer 4 and Layer 7 authorization policies: https://youtu.be/H5IlmYmEDKk?t=7812
10. Bloomberg talks about TPM node attestation with SPIRE: https://youtu.be/30S0sKRxzjM
11. NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE https://youtu.be/plRkDK5xFpM

Other tools
1. Secret Stores
    1.1 Hashicorp Vault
    1.2 Square Keywhiz
2. Identity Provider
    2.1 ory.sh
    2.2 VMWare Lightwave
    2.3 WSO2 Identity Server
3. Authorization Policy Engines
    3.1 Open Policy Agent
4. Service Mesh 

In case of Istio: "Istio Node Agent" is "SPIRE Agent". The "SPIRE server" can have "Istio Node Attestor Plugin"

Reference:
https://www.youtube.com/watch?v=5m6kjzdysBI
https://www.youtube.com/watch?v=ikmxZdZRTio
https://www.youtube.com/watch?v=0LSaNrOabH4
https://www.thoughtworks.com/radar/platforms/spiffe
https://github.com/spiffe/spire/blob/master/ADOPTERS.md
https://www.youtube.com/watch?v=OHiPsqT1gcI

Replication Controller


ReplicationController metadata attributes:

  • clusterName: The name of the cluster which the object belongs to.
  • clusterName->namespace->name
  • deletionGracePeriodSeconds: Seconds allowed for graceful termination before the object is forcefully removed from the system.
  • deletionTimestamp: RFC 3339 date and time at which this resource will be deleted. Is not directly settable by a client.
  • finalizers: Must be empty before the object is deleted from the registry.
  • generateName: Optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided.
  • generation: A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
  • initializers: An initializer is a controller which enforces some system invariant at object creation time.
  • labels: Map of string keys and values that can be used to organize and categorize (scope and select) objects.
  • ownerReferences: List of objects that this object depends on.

ReplicationController spec attributes:

  • minReadySeconds: Minimum number of seconds for which a newly created pod should be ready, without any of its containers crashing, for it to be considered available. Defaults to 0.


By default, a Deployment adds a pod-template-hash to the name of the ReplicaSet it creates.

CKA: 4. Logging and Monitoring


Open Source: Metrics Server, Prometheus, Elastic Stack
Proprietary: Datadog, Dynatrace

The original project was Heapster.
Now it is Metrics Server (in-memory only).

The kubelet includes cAdvisor (Container Advisor).

minikube addons enable metrics-server

k top node

k top pod


CKA: 3. Scheduling


Manual scheduling

* before the pod is created: set nodeName in the pod spec
* for an existing pod: POST to the pod's Binding API

Affinity and Anti-Affinity

Operators
- In
- NotIn
- Equal
- Exists

Node Affinity Types

- Required During Scheduling, Ignored During Execution 
- Preferred During Scheduling, Ignored During Execution
- Required During Scheduling, Required During Execution (Planned)

Example: 

    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: disktype
            operator: In
            values:
            - ssd 
=========================================
For a running pod, one can edit only
  • spec.containers[*].image
  • spec.initContainers[*].image
  • spec.activeDeadlineSeconds
  • spec.tolerations
=========================================

The YAML for a ReplicaSet and a DaemonSet is the same except for kind. A DaemonSet is also similar to a Deployment, but there are no replicas and no strategy in a DaemonSet. Neither (1) a ReplicaSet nor (2) a DaemonSet can be created with the "kubectl create" command. One needs to create a Deployment with "kubectl create" and then remove (1) replicas and (2) strategy.

=========================================

Static pod

Pods only: no ReplicaSet, no Deployment, no Service.

Add a file to create the pod; the pod is recreated if it crashes.
Delete the file to delete the pod.
Replace the file and the pod restarts as per the new file.

The folder is passed to the kubelet as "--pod-manifest-path".
kubeadm uses the kubeconfig.yaml file.
Possible value: /etc/kubernetes/manifests in K8s.

The master node has a read-only mirror copy of each static pod. A static pod cannot be deleted or modified with a kubectl command. Its name is "pod name"-"node name".

Use case: deploying control plane components. So all control plane pods on the master have the name "pod name"-"master node name"; the master node name is minikube in a minikube setup.

Both DaemonSet pods and static pods are ignored by the scheduler.

=========================================

With "k describe pod 'pod-name'", the events section shows the scheduler name. In the YAML file we specify
schedulerName: "NAME OF SCHEDULER"

Copy the scheduler pod YAML; it is a static pod, so it is located at /etc/kubernetes/manifests. Then in the command: section add

command:
- --scheduler-name="NAME OF SCHEDULER"
- --lock-object-name="NAME OF SCHEDULER"

Reference: 

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scheduling/scheduler.md

https://kubernetes.io/blog/2017/03/advanced-scheduling-in-kubernetes/

https://stackoverflow.com/questions/28857993/how-does-kubernetes-scheduler-work

अष्टाध्यायी


माहेश्वर सूत्र

॥ अइउण् । ऋऌक् । एओङ् । ऐऔच् ।
हयवरट् । लण् । ञमङणनम् । झभञ् ।
घढधष् । जबगडदश् । खफछठथचटतव् ।
कपय् । शषसर् । हल् ॥

१. अइउण्।
२. ऋऌक्।
३. एओङ्।
४. ऐऔच्।
५. हयवरट्।
६. लण्।
७. ञमङणनम्।
८. झभञ्।
९. घढधष्।
१०. जबगडदश्।
११. खफछठथचटतव्।
१२. कपय्।
१३. शषसर्।
१४. हल्।

प्रत्याहार
अण् अण् इण् यण् अक् इक् उक् एङ् अच् इच् एच् ऐच् अट् अम्
अल् यम् ङम् ञम् यञ् झष् भष् अश् हश् वश् झश् जश् बश् छव्
यय् मय् झय् खय् चय् यर् झर् चर् शर् हल् वल् रल् झल्
====================================================
पाणिनीय व्याकरण = 
अष्टाध्यायी  by महर्षि पाणिनि 
+
वार्तिक  by महामुनि कात्यायन 
+
महाभाष्य  by पतंजलि 

Later on:

सिद्धान्तकौमुदी by भट्टोजिदीक्षित
लघुसिद्धान्तकौमुदी by वरदराज 
====================================================
पाणिनीय व्याकरण = 
अष्टाध्यायी (4000)
+
शिवसूत्र or माहेश्वर सूत्र (14)
+
धातुपाठ (2000)
+
गणपाठ (261)
====================================================
What is a Sutra?

अल्पाक्षरमसन्दिग्धं सारवद्विश्वतोमुखम् ।
अस्तोभमनवद्यं च सूत्रं सूत्रविदो विदुः ॥ इति ।

(Those who know sutras say a sutra is of few letters, unambiguous, full of substance, universally applicable, without padding, and faultless.)

1. स्वल्पाक्षरम् having minimal number of letters

2. असंदिग्धम् clear, non-confusing

3. सारवत्‌ containing the essential, summary

4. विश्वतोमुखम् unto the universe, universal, omnipresent

5. अस्तोभम्  non-stoppable, eternal

6. अनवद्यम् not unspeakable, hence speakable, worth quoting

====================================================
अष्टाध्यायी 

Types of Sutra 

संज्ञा च परिभाषा च विधिर्नियम एव च।
अतिदेशोऽधिकारश्च षड्विधं सूत्रं मतम् ॥
(A sutra is held to be of six kinds: संज्ञा, परिभाषा, विधि, नियम, अतिदेश and अधिकार.)

(१) संज्ञा सूत्र (total 91):
नामकरणं संज्ञा: a संज्ञा sutra gives a name to a technical term.
E.g.
वृद्धिरादैच् 1.1.1
शेषो घ्यसखि 1.4.7
अदेङ् गुणः 1.1.2
हलोऽनन्तराः संयोगः 1.1.7
मुखनासिकावचनोऽनुनासिकः 1.1.8
Most of them are in the 1st or 2nd chapter.

(२) परिभाषा सूत्र (total 23):
अनियमे नियमकारिणी परिभाषा: a परिभाषा is a rule that imposes regularity where a rule would otherwise be indeterminate.
E.g.
In applying त्यदादीनाम् अः 7.2.102, the परिभाषा सूत्र अलोऽन्त्यस्य 1.1.52 governs.
Most of them are in the 1st or 2nd chapter.
इको गुणवृद्धी 1.1.3
आद्यन्तवदेकस्मिन् 1.1.21
आद्यन्तौ टकितौ 1.1.46
मिदचोऽन्त्यात्परः 1.1.47

(३) विधि सूत्र:
कर्तव्यत्वेनोपदेशो विधिः: a विधि sutra prescribes an operation to be carried out.
E.g.
इको यणचि 6.1.77
नलोपः प्रातिपदिकान्तस्य 8.2.7
ऋत्यकः 6.1.128
सिचि वृद्धिः परस्मैपदेषु 7.2.1

(४) नियम सूत्र:
बहुत्र प्राप्तौ संकोचनं नियमः: a नियम sutra restricts a rule that would otherwise apply in many cases to fewer of them.
E.g.
पतिः समास एव 1.4.8
अनुदात्तङित आत्मनेपदम् 1.3.12

(५) अतिदेश सूत्र: (total 35)
अन्यतुल्यत्वविधानम् अतिदेशः: an अतिदेश sutra prescribes likeness to something else, i.e. it applies its own properties to other sutras.
E.g.
तृज्वत् क्रोष्टुः 7.1.95
स्थानिवदादेशोऽनल्विधौ 1.1.56
अचः परस्मिन् पूर्वविधौ 1.1.57
द्विर्वचनेऽचि 1.1.59
विज इट् 1.2.2


(६) अधिकार सूत्र: (total 74)
उत्तरप्रकरणव्यापी अधिकारः; एकत्र उपात्तस्य अन्यत्र व्यापारः अधिकारः: an अधिकार is a heading sutra whose scope extends over the following sections; what is stated once operates in the sutras that follow.
E.g.
प्रत्ययः 3.1.1
आ कडारादेका संज्ञा 1.4.1
प्राग्रीश्वरान्निपाताः 1.4.56
अनभिहिते 2.3.1
तत्पुरुषोऽनञ् कर्मधारयः 2.4.19
कारके 1.4.23
====================================================
अष्टाध्यायी
8 chapters x 4 pādas x (38 to 200 sutras per pāda) = around 4000 sutras


1. The first two chapters primarily contain the definitions and general rules used across all other chapters, along with sutras about the formation of प्रातिपदिकs and sutras about determining पद and धातु.
2. The third chapter gives all the प्रत्ययाः that can be attached to a धातु. The list sequentially includes the twelve सनादिप्रत्ययाः, followed by the विकरणप्रत्ययाः, then the कृत्-प्रत्ययाः, then the तिङ्-प्रत्ययाः and finally the आदेशाः that apply to the various लकाराः.
3. The fourth and fifth chapters enumerate all the प्रत्ययाः that can be attached to a प्रातिपदिकम्. This includes the स्त्रीप्रत्ययाः, सुप्-प्रत्ययाः and the तद्धितप्रत्ययाः.
4. The sixth and seventh chapters contain the rules (सन्धि, आदेश and other transformations) for how a प्रत्यय is attached to the अङ्ग.
5. Finally, the eighth chapter lists the rules for what happens after a complete पद is formed. It includes the rules for णत्व, षत्व, श्चुत्व, जश्त्व, विसर्गलोप and so on.

The detailed division of all 32 pādas, with the important topics in each, is as follows:

1.1
संज्ञाप्रकरणम्
1.2
अतिदेशप्रकरणम्, एकश्रुतिप्रकरणम्, वचननिर्धारणम्, एकशेषप्रकरणम्
1.3
इत्संज्ञाप्रकरणम्, धातुपदनिर्णय:
1.4
एकसंज्ञाप्रकरणम्, कारकप्रकरणम्, निपातप्रकरणम्, कर्मप्रवचनीयप्रकरणम्
2.1
अव्ययीभावसमास:, तत्पुरुषसमास:,
2.2
बहुव्रीहिसमास:, द्वन्द्वसमास:, पूर्वनिपात-परनिपातप्रकरणम्
2.3
विभक्तिनिर्णय:
2.4
समासानां लिङ्गवचननिर्धारणम्, लुक्-प्रकरणम्
3.1 to 3.4
धातुभ्य: विहिता: सर्वे प्रत्यया:
Chapters 4 and 5
प्रातिपदिकेभ्य: विहिता: सर्वे प्रत्यया:
6.1
द्वित्वप्रकरणम्, सम्प्रसारणप्रकरणम्, आत्वप्रकरणम्, अच्सन्धिप्रकरणम्, स्वरप्रकरणम्
6.2
स्वरप्रकरणम्
6.3
उत्तरपदाधिकार, संहिताधिकार
6.4
असिद्धवदधिकार, आर्धधातुकप्रकरणम्, भाधिकार
7.1
प्रत्ययादेशा:
7.2
इडागमप्रकरणम्, सार्वधातुके परे अङ्गकार्याणि
7.3
सार्वधातुके परे अङ्गकार्याणि, विभक्तिप्रत्यये परे अङ्गकार्याणि
7.4
अङ्गकार्याणि, अभ्यासकार्याणि
8.1
द्विरुक्तप्रकरणम्, पदाधिकार
8.2
लोपकार्याणि, झलिपदान्ते कार्याणि, प्लुताधिकार, संहिताधिकार,
8.3
रुत्वम्, आदेशा:, आगमा:, षत्वम्
8.4
णत्वम्, हल्सन्धय:


Reference:

https://docs.google.com/document/d/e/2PACX-1vRVI2PN33awPw5n_1u0_iftvygDxOCck6PZzWmys76XJlKH4Hl12Cr5j-46d0wcq6TaslYKM_MzI1tm/pub 

https://docs.google.com/document/d/e/2PACX-1vQ_G9OqsoFptuSJUSkNjN6JWW3HDPglFX-khXDd4u2a0TFbnBW0b9zgCKwdTe0xIdFCbH7lQZj0eVGs/pub

https://slabhyankar.wordpress.com/category/learning-sanskrit-by-fresh-approach/lessons-111-120/lesson-119/ 

https://ashtadhyayi.com/

https://sa.wikipedia.org/wiki/%E0%A4%85%E0%A4%B7%E0%A5%8D%E0%A4%9F%E0%A4%BE%E0%A4%A7%E0%A5%8D%E0%A4%AF%E0%A4%BE%E0%A4%AF%E0%A5%80

http://sanskritavyakaranaprakasha.blogspot.com/2017/12/blog-post_58.html