SPIFFE


SA (service account) is at cluster level.

So Nephio could not use SA.

Every CSP has workload identity.

SPIFFE is a standard:

- SPIFFE ID. It is a URL.

- SPIFFE Verifiable Identity Documents (SVIDs): cert or token.

- The SPIFFE Workload API.

SPIRE: SPIFFE Runtime Environment.

- A toolchain of APIs for establishing trust based on SPIFFE.

- Provides out-of-the-box attestation plugins.

Expiry is short; it can be 4 hours. So there is no need for revocation.

* SPIRE agent can be co-located. It is a DaemonSet in K8s.

=========

Nephio

SS7, SIGTRAN, ngin, CN model (e.g. O-RAN)

DISH is on AWS.

CP-based requirement for identity.

The Nephio SIG Security wiki page has all details.

Porch: Package Orchestration (kpt).

kpt does in-place substitution.

5G requirements / use cases

IMS, SMO, IMS

LF article about the Nephio SPIFFE implementation on the LF wiki.

Catalog packages in GitOps.

Each cluster shall have its own repo.

Identity federation is based on cert chain. 

Nephio R3, Oct 23.

It is a proposed solution. It will be upstreamed.

Workload identity solution shall not be native to specific cloud provider. 

Identity federation across CSPs. 

Google, E//, Red Hat are in Nephio.

An alternative to SPIRE may be due to a specific attestation plugin.

What protocol runs between SPIRE Agent and SPIRE Server? Bootstrap trust; it is a pre-provisioning aspect. REST API and TLS. The X.509 cert will be pulled. The protocol is SPIRE specific.

Today's attestation is based on SA, pod labels and namespace.
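As an added example (not from these notes or from the SPIRE project), in Python with only the standard library: validating a SPIFFE ID as described above, building the Kubernetes selectors (namespace, service account, pod labels) that today's attestation keys on, and a rotation check for short-lived SVIDs. The 4-hour maximum lifetime and the half-life rotation rule are assumptions taken from the notes' figure, and the selector syntax follows SPIRE's k8s workload attestor.

```python
"""SPIFFE ID checks, k8s attestation selectors and SVID rotation (stdlib only)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")      # trust domain: lowercase only
SEGMENT_RE = re.compile(r"^[a-zA-Z0-9._-]+$")         # allowed path segment characters

def parse_spiffe_id(spiffe_id):
    """Return (trust_domain, path) or raise ValueError for a malformed SPIFFE ID.

    Rules follow the SPIFFE ID spec: scheme 'spiffe', a lowercase trust domain,
    no userinfo/port/query/fragment, and no empty, '.' or '..' path segments.
    """
    parts = urlsplit(spiffe_id)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be spiffe")
    if parts.query or parts.fragment or "@" in parts.netloc or ":" in parts.netloc:
        raise ValueError("query, fragment, userinfo and port are not allowed")
    if not TRUST_DOMAIN_RE.match(parts.netloc):
        raise ValueError("invalid trust domain")
    for seg in (parts.path[1:].split("/") if parts.path else []):
        if not seg or seg in (".", "..") or not SEGMENT_RE.match(seg):
            raise ValueError("invalid path segment: %r" % seg)
    return parts.netloc, parts.path

def is_valid_spiffe_id(spiffe_id):
    try:
        parse_spiffe_id(spiffe_id)
        return True
    except ValueError:
        return False

def k8s_selectors(namespace, service_account, pod_labels):
    """Selectors a SPIRE k8s workload attestor emits for a pod (k8s:ns, k8s:sa,
    k8s:pod-label); a registration entry must match these to map the pod to an ID."""
    selectors = ["k8s:ns:" + namespace, "k8s:sa:" + service_account]
    selectors += ["k8s:pod-label:%s:%s" % kv for kv in sorted(pod_labels.items())]
    return selectors

def svid_should_rotate(not_before, not_after, now, max_lifetime=timedelta(hours=4)):
    """True once half the SVID lifetime has elapsed (assumed half-life rotation rule).
    Short lifetimes plus proactive rotation are what make revocation unnecessary."""
    lifetime = not_after - not_before
    if lifetime <= timedelta(0) or lifetime > max_lifetime:
        raise ValueError("SVID lifetime must be positive and at most %s" % max_lifetime)
    return now - not_before >= lifetime / 2
```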

A CA / cert-manager can be used.
