An Introduction to SPIFFE/SPIRE

An Introduction to SPIFFE / SPIRE 2017/11/17 Tomoya Usami <[email protected]>
@hiyosi

What’s SPIFFE ? "SPIFFE is the single #1 missing piece
for enabling cloud native ecosystems." - Brian Grant (CNCF TOC)

What’s SPIFFE ? • Secure Production Identity Framework For Everyone
• ηΩϡΞͳαʔϏεؒೝূͷͨΊͷϑϨʔϜϫʔΫͱ࢓༷Λࡦఆ • An Open Standard for Identity in Cloud Native Environments • Low Overhead Authentication System

What’s SPIFFE ? • ඪ४࢓༷ͱͯ͠ݱࡏ͸ҎԼʹ͍ͭͯఆٛ • SPIFFE ID • SVID
• Workload API

SPIFFE ID • γεςϜ΍ΞϓϦέʔγϣϯͷ໊લΛදݱ͢ΔURIܗࣜͷߏ଄Խ͞Εͨจࣈྻ • spiffe://${trust-domain}/${path} • spiffe://example.org/payments/mysql   (e.g.,
serviceΛදݱ) • spiffe://k8s.example.org/ns/staging/sa/default   (e.g., service ownerΛදݱ)

SVID • SPIFFE Veriﬁable Identity Document • جຊͱͯ̏ͭ͠ͷ৘ใΛؚΉυΩϡϝϯτΛද͢  <SPIFFE ID> 
<public key>  < valid signature> • υΩϡϝϯτϑΥʔϚοτͱͯ͠͸ɺ2017/11 ࣌఺Ͱ͸X.509͕α ϙʔτ͞Ε͍ͯΔ

X.509 SVID Extention Field Desc Subject Alternate Name URI SPIFFE
ID͕Ұͭηοτ͞ΕΔ Basic Constraints CA signing certificateͰ͋Δ৔߹ʹ͸ true Basic Constraints pathLenConstraint ઃఆ͠ͳ͍ Name Constraints permittedSubtrees URI੍໊໿Λ࢖͍͍ͨ৔߹ʹηοτ Key Usage keyCertSign, cRLSign signing certificateͰ͋Δ৔߹ʹηοτ Key Usage keyAgreement, keyEncipherment, digitalSignature leaf certificateͰ͋Δ৔߹ʹηοτ Extended Key Usage id-kp-serverAuth, id-kp-clientAuth leaf certificateͰ͋Δ৔߹ʹηοτ • https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md

Workload API • Workload ͕ར༻͢ΔSVID΍ඞཁͳCAূ໌ॻΛऔಘ͢ΔͨΊͷ ϕϯμʔχϡʔτϥϧͳAPI • ϕϯμʔχϡʔτϥϧͳAPIʹΑΓɺͲͷ؀ڥͰ΋ಉ͡ํ๏Ͱ SVIDΛऔಘͰ͖Δɻ •
ϩʔΧϧ௨৴ͰͷΈར༻͞ΕΔ͜ͱΛ૝ఆ

What’s SPIRE ? • SPIFFE Runtime Environment • Reference Implementation
• SPIRE Server = Controle Plane • SPIRE Agent = Node Agent • Current Version is 0.2 (Beatrice)

Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

SPIRE-Server • SPIFFE signing authorityͱͯ͠ػೳ͢Δ • ݺͼग़͠ݩͷNodeͷਖ਼౰ੑΛূ໌͠CSR΁ॺ໊ • Node,Workload৘ใΛ؅ཧ͠SVIDΛൃߦ͢Δ

NodeAPI Cient NodeAPI Node Attestor CA Plugin construct CSR FetchBaseSVID
(CSR, AttestData) Attest Base SPIFFE ID Sign CSR resolver, other process… Response Node Agent Control Plane (SVID, CA Certs, …) BaseSVID

SPIRE-Server • Node API • SPIRE-Agentଆ͔Βݺͼग़͞ΕΔAPIΛެ։ • NodeͷͨΊͷBaseSVID΍WorkloadͷSVIDɺඞཁͳCAূ໌ॻ Λฦ͢

SPIRE-Server • Registration API • WorkloadʹରԠ͢ΔSPIFFE IDΛొ࿥͢ΔͨΊͷAPIΛެ։ • SelectorͱͦͷSPIFFE IDɺParent
SPIFFE IDΛొ࿥

SPIRE-Server • Node Attestor (Server) • JoinTokenͳͲPluginຖʹҟͳΔσʔλ(AttestData)Λ࢖ͬͯϦ ΫΤετ͖ͯͨ͠Nodeͷ਎ݩΛ֬ೝ͢Δ • ϦΫΤετσʔλʹؚ·ΕΔCSR΁ͷॺ໊ΛCA
Pluginʹґཔ ͯ͠BaseSVIDΛੜ੒͢Δ

SPIRE-Server • Node Resolver ※ ཁܧଓௐࠪ • Base SPIFFE ID͔ΒͦͷNode্Ͱಈ࡞͢Δ͜ͱΛڐՄ͞Εͨ
WorkloadΛ൑ఆ͢ΔͨΊͷ৘ใ(selector)Λऔಘ͢Δ • 0.2 Ͱ͸ NOOP ͷ࣮૷͔͠ͳ͍

SPIRE-Server • Selector • Node·ͨ͸WorkloadΛಛఆ͢ΔͨΊͷϓϩύςΟ (ෳ਺ࢦఆՄ) • unix:uid:1000  (uid 1000
Ͱಈ࡞͢ΔWorkloadΛද͢) • k8s:ns:sample-ns × k8s:sa:sample-sa  (sample-nsͰಈ࡞͠sample-saΛ࢖͏workloadΛද͢)

Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

SPIRE-Agent • ࿈ܞ͢Δ͢΂ͯͷNodeͰ࣮ߦ͞ΕΔ • ࣗ਎Ͱಈ࡞ΛڐՄ͞ΕͨWorkloadͷ৘ใ(SVID, CA Cert Selector)ΛSPIRE-Server͔Βऔಘͯ͠؅ཧ͢Δ • Workloadͷਖ਼౰ੑΛݕূ͠SVIDΛఏڙ͢Δ

Workload Attestor Plugins WorkloadAPI Cient FetchSVIDBundles WorkloadAPI Workload Attestor Plugins
Workload Attestor Plugins Attest Workload Node Selectors lookup SVID Bundles in Cache Response (SVID, CA Certs, …) Node Agent

SPIRE-Agent • Node Attestor (Agent) • ࣗ਎Λূ໌͢ΔͨΊͷPluginຖʹҟͳΔσʔλ(AttestData)ΛServerʹ౉͢ ͜ͱͰਖ਼͍͠NodeͰ͋Δ͜ͱΛূ໌͢Δ • CSRΛServerʹ౉ͯ͠BaseSVIDΛൃߦͯ͠΋Β͏
• Key Manager • SVID ʹରԠ͢Δ伴Λੜ੒ɾ؅ཧ

SPIRE-Agent • Workload API • gRPCͰAPIΛఏڙ • ݺͼग़͞ΕΔͱWorkload Attestor(*ޙड़)Λܦ༝ͯ͠ΫϥΠΞϯτͷpid͔ ΒSelectorΛಛఆ
• Selector͕Control Planeʹొ࿥ࡁΈͰ͋Ε͹Workloadͷ SVID΍ͦͷൿີ 伴ɺඞཁͳCAূ໌ॻͳͲΛฦ͢

Workload Attestor • workloadͷpid͔Β༗ޮͳpluginຖʹSelectorΛੜ੒ͯ͠ฦ͢ • e.g., unix pluginͷ৔߹ Selector {
Type: unix, Value: unix:uid:1000, }

Workload Attestor k8s plugin • k8sͷpodΛର৅ͱ͢ΔWorkload Attestor • Workload APIΛݺͼग़͍ͯ͠Δpid͔Βର৅ͷpodͱNamespace,
Service AccountΛऔಘ • /proc/${PID}/cgroup • ্هϑΝΠϧ͔ΒContainerIDΛऔಘ •

Workload Attestor k8s plugin • kubelet ͷ readonly port ʹΞΫηεͯ͠Pod৘ใΛऔಘ͢Δ
• .status.containerStatuses[*].containerID • /proc/${PID}/cgroup ϑΝΠϧ͔ΒಘͨContainerIDͱҰக͢Δ΋ͷΛ୳ࡧ • ҎԼͷ৘ใΛSelectorͷ Type=k8sͷValueͱͯ͠ฦ٫ • k8s:sa:<.spec.ServiceAccountName> • k8s:ns:<.metadata.Namespace>

Workload Components • Proxy • X.509 SVIDΛαϙʔτ͢Δ΋ͷͱͯ͠mTLS Proxy͕͋Δ • 2017/11ݱࡏ͸
ghostunnel ͱ͍͏αʔυύʔςΟͷιϑτ ΢ΣΞΛ࢖͍ͬͯΔ • কདྷతʹ͸Envoy΋αϙʔτ༧ఆ

Workload Components • Workload API Client • sidecar ͱ͍͏ ghostunnel
ͷwrapperΛ։ൃ͍ͯ͠Δ • WorkloadAPIͷΫϥΠΞϯτͱͯ͠SVID΍CAূ໌ॻΛऔಘ͠ ghostunnelΛىಈ

Workload Proxy SVID Node Workload API FetchSVIDBundles Workload Workload API
Proxy FetchSVIDBundles SVID Authenticate Node TLS How to authenticate

Demo with k8s https://github.com/spiffe/spiffe-example/blob/master/beatrice/doc/beatrice_diagram.png

Roadmap

Roadmap - 2017

Roadmap 2018 -

End Goal

Thank you for your attention. That’s it for now.

References • https://spiffe.io/ • https://github.com/spiffe • SPIFFE Reference Implementation Archetecure
• Design Document: SPIFFE Reference Implementation (SRI)

An Introduction to SPIFFE/SPIRE

An Introduction to SPIFFE/SPIRE

More Decks by Tomoya Usami

Featured

Transcript