SPIFFE & SPIRE


SPIFFE Introduction

The SPIFFE standard specifies:
- How to encode a SPIFFE ID into an X.509 certificate
- Which certificate field to use
- How to validate (1) an X.509 certificate and (2) a JWT token that carries a SPIFFE ID

SPIFFE defines a universal ID: it is about how different components in a distributed system can trust each other. SPIFFE was launched at KubeCon 2017. The SPIFFE Federation API was the main focus during 2018 and 2019.

SPIRE

SPIRE is an open source project that implements the SPIFFE standards.
1. It exposes the Workload API.
2. It is a framework to manage the issuance of IDs.
3. It handles 'secure introduction' = 'credential zero' = 'bootstrap credential': the workload authenticates itself to the SPIRE agent, and the agent to the server.
4. Trust bootstrapping.
SPIRE is standalone. It has many custom plugins.

SPIRE Server

- Identity mapping / identity registry. It exposes the Registration API.
- Node API, using the Node Attestor plugin + Node Resolver plugin
- Federation API
- SVID issuance (SVID = SPIFFE Verifiable Identity Document)
- Signing key
- Registry of workloads

It can have plugins like:

1. Upstream CA plugin
2. Node Attestor plugin, to validate a node. Present on both the SPIRE agent and the SPIRE server.
3. Node Resolver plugin
4. Datastore plugin: MySQL, SQLite 3 (default), or PostgreSQL
5. Key Manager plugin, to store the private key used to sign SVIDs (both X.509 and JWT)

It can be deployed as a StatefulSet and can have a PV. In a production environment it can use a database: Postgres or MySQL.

SPIRE Agent

The SPIRE agent assigns a SPIFFE ID to the workload and generates a CSR for the SPIRE server. The SPIRE server returns the SPIFFE ID and the trust bundle (a set of certificates to verify X.509-SVIDs, or public keys to verify JWT-SVIDs). These are transferred from the SPIRE server to the node agent and then to the workload. The workload's private key never leaves the node.

- Workload API
- Workload attestation: verifies the authenticity of the caller. Only the SPIRE agent does this.

It can have plugins like:

1. Multiple Workload Attestor plugins
      1.a Unix attestor (OS attestor). It uses the Linux kernel out-of-band to verify whether the selectors mentioned in the request are genuine.
      1.b K8s attestor. It communicates with the kubelet to verify that the caller is a genuine K8s workload, then collects namespace, service account, docker image id, etc.
2. Node Attestor plugin. It uses the bootstrap configuration. The server responds to the agent with an SVID and with the SPIFFE ID of the node, which becomes the parent ID for workloads.
3. Key Manager plugin. Generates and uses private keys for X.509-SVIDs.

It can be deployed as a DaemonSet.

Valid node IDs
1. Cloud platform, e.g. AWS Instance Identity Document (IID), Azure Managed Service Identities, GCE Instance Identity Tokens
2. Private key stored in a TPM (Trusted Platform Module) or HSM (Hardware Security Module)
3. Manual verification through a join token
4. SA token
5. etc.

SVID (SPIFFE Verifiable Identity Document) has two formats:
1. X.509 certificate
2. JWT token
 - It is susceptible to replay attacks.
 - Use it when an L7 proxy or L7 LB is on the path.
SPIRE supports a specific form of JWT that is specifically designed to encode SPIFFE IDs, the JWT-SVID.

Workload registry entry fields
- Properties are called selectors:
  (1) ns = namespace
  (2) sa = service account
  (3) docker image id
- Parent ID: can be the K8s cluster name
- SPIFFE ID: format spiffe://<trust domain>/<workload>
- DNS Name: or CN:
- TTL:
- Entry ID:
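Added example (constructed, not SPIRE's code) of how the registry fields above are used by an agent after workload attestation: an entry applies when its parent ID is this agent's node ID and every selector on the entry was attested for the workload, and entries are validated before storage so both IDs live in the trust domain and no entry is selector-less. Selector strings use the type:value form SPIRE prints them in (e.g. k8s:ns:default); the sample entries, agent IDs and image value are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry mirrors the registry entry fields listed above. Selectors use the
// type:value form SPIRE prints them in, e.g. "k8s:ns:default".
type Entry struct {
	EntryID   string
	SpiffeID  string
	ParentID  string
	Selectors []string
	DNSNames  []string
	TTL       time.Duration
}

// ValidateEntry applies the structural rules a registry should enforce before storing
// an entry: both IDs live in the trust domain, and at least one well-formed selector
// is present (an entry with no selectors would match every workload the parent attests).
func ValidateEntry(e Entry, trustDomain string) error {
	prefix := "spiffe://" + trustDomain + "/"
	if !strings.HasPrefix(e.SpiffeID, prefix) {
		return fmt.Errorf("%s: SPIFFE ID %q not in trust domain %s", e.EntryID, e.SpiffeID, trustDomain)
	}
	if !strings.HasPrefix(e.ParentID, prefix) {
		return fmt.Errorf("%s: parent ID %q not in trust domain %s", e.EntryID, e.ParentID, trustDomain)
	}
	if len(e.Selectors) == 0 {
		return fmt.Errorf("%s: entry has no selectors", e.EntryID)
	}
	for _, s := range e.Selectors {
		typ, value, ok := strings.Cut(s, ":")
		if !ok || typ == "" || value == "" {
			return fmt.Errorf("%s: selector %q is not type:value", e.EntryID, s)
		}
	}
	return nil
}

// subset reports whether every selector in want is among the attested selectors in have.
func subset(want, have []string) bool {
	set := make(map[string]bool, len(have))
	for _, s := range have {
		set[s] = true
	}
	for _, s := range want {
		if !set[s] {
			return false
		}
	}
	return true
}

// MatchEntries is the lookup the agent performs after workload attestation: an entry
// applies when its parent is this agent and all of its selectors were attested. Extra
// attested selectors are fine; a workload may match several entries and get several SVIDs.
func MatchEntries(registry []Entry, agentID string, attested []string) []Entry {
	var out []Entry
	for _, e := range registry {
		if e.ParentID == agentID && len(e.Selectors) > 0 && subset(e.Selectors, attested) {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].EntryID < out[j].EntryID })
	return out
}

// SampleRegistry is constructed data for this example, not a real SPIRE registry.
func SampleRegistry() []Entry {
	node1, node2 := "spiffe://example.org/spire/agent/node-1", "spiffe://example.org/spire/agent/node-2"
	return []Entry{
		{EntryID: "e-web", SpiffeID: "spiffe://example.org/ns/default/sa/web", ParentID: node1,
			Selectors: []string{"k8s:ns:default", "k8s:sa:web"}, DNSNames: []string{"web.default.svc"}, TTL: time.Hour},
		{EntryID: "e-db", SpiffeID: "spiffe://example.org/ns/default/sa/db", ParentID: node1,
			Selectors: []string{"k8s:ns:default", "k8s:sa:db"}, TTL: time.Hour},
		{EntryID: "e-web-node2", SpiffeID: "spiffe://example.org/ns/default/sa/web", ParentID: node2,
			Selectors: []string{"k8s:ns:default", "k8s:sa:web"}, TTL: time.Hour},
	}
}

func main() {
	attested := []string{"k8s:ns:default", "k8s:sa:web", "k8s:container-image:docker.io/library/nginx:1.25"}
	for _, e := range MatchEntries(SampleRegistry(), "spiffe://example.org/spire/agent/node-1", attested) {
		fmt.Println(e.EntryID, e.SpiffeID, e.TTL)
	}
}
```

The subset rule is why the K8s attestor collecting more selectors than an entry names is harmless, while an entry that names only ns would match every service account in that namespace: the selectors on the entry, not the ones attested, decide how narrow the identity is.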

Use cases
1. DB access
2. Access to a cloud provider
3. Identity translation
4. OAuth client authentication
5. mTLS "encryption everywhere"
6. Workload observability
7. Square talks about how Square uses SPIFFE and SPIRE to secure communications across hybrid infrastructure services: https://youtu.be/H5IlmYmEDKk?t=2585
8. Uber talks about integrating SPIRE with workload schedulers: https://youtu.be/H5IlmYmEDKk?t=4703
9. Tigera demonstrates how Calico, Envoy and SPIRE are used to deliver unified Layer 4 and Layer 7 authorization policies: https://youtu.be/H5IlmYmEDKk?t=7812
10. Bloomberg talks about TPM node attestation with SPIRE: https://youtu.be/30S0sKRxzjM
11. NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE https://youtu.be/plRkDK5xFpM

Other tools
1. Secret Stores
    1.1 HashiCorp Vault
    1.2 Square Keywhiz
2. Identity Providers
    2.1 ory.sh
    2.2 VMware Lightwave
    2.3 WSO2 Identity Server
3. Authorization Policy Engines
    3.1 Open Policy Agent
4. Service Mesh

In the case of Istio, the "Istio Node Agent" plays the role of the "SPIRE Agent", and the "SPIRE server" can have an "Istio Node Attestor plugin".

Reference:
https://www.youtube.com/watch?v=5m6kjzdysBI
https://www.youtube.com/watch?v=ikmxZdZRTio
https://www.youtube.com/watch?v=0LSaNrOabH4
https://www.thoughtworks.com/radar/platforms/spiffe
https://github.com/spiffe/spire/blob/master/ADOPTERS.md
https://www.youtube.com/watch?v=OHiPsqT1gcI
