
An Introduction to SPIFFE/SPIRE

Tomoya Usami
November 20, 2017


Transcript

  1. An Introduction to SPIFFE / SPIRE, 2017/11/17, Tomoya Usami <tousami@zlab.co.jp> @hiyosi
  2. None
  3. What’s SPIFFE? "SPIFFE is the single #1 missing piece for enabling cloud native ecosystems." - Brian Grant (CNCF TOC)
  4. What’s SPIFFE?
    • Secure Production Identity Framework For Everyone
    • Defines a framework and specification for secure service-to-service authentication
    • An Open Standard for Identity in Cloud Native Environments
    • Low Overhead Authentication System
  5. What’s SPIFFE?
    • As a standard specification, it currently defines the following:
    • SPIFFE ID
    • SVID
    • Workload API
  6. SPIFFE ID
    • A structured string in URI form that names a system or application
    • spiffe://${trust-domain}/${path}
    • spiffe://example.org/payments/mysql (e.g., represents a service)
    • spiffe://k8s.example.org/ns/staging/sa/default (e.g., represents a service owner)
  7. SVID
    • SPIFFE Verifiable Identity Document
    • A document that carries three basic pieces of information: <SPIFFE ID>, <public key>, <valid signature>
    • As of 2017/11, X.509 is the supported document format
  8. X.509 SVID Extensions (Field / Value / Description)
    Subject Alternate Name / URI / exactly one SPIFFE ID is set
    Basic Constraints / CA / true if the certificate is a signing certificate
    Basic Constraints / pathLenConstraint / not set
    Name Constraints / permittedSubtrees / set when URI name constraints are wanted
    Key Usage / keyCertSign, cRLSign / set for a signing certificate
    Key Usage / keyAgreement, keyEncipherment, digitalSignature / set for a leaf certificate
    Extended Key Usage / id-kp-serverAuth, id-kp-clientAuth / set for a leaf certificate
    • https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md
  9. Workload API
    • A vendor-neutral API through which a workload obtains its SVID and the CA certificates it needs
    • Because the API is vendor-neutral, an SVID can be obtained the same way in any environment
    • Intended to be used only over local communication
  10. None
  11. What’s SPIRE?
    • SPIFFE Runtime Environment
    • Reference Implementation
    • SPIRE Server = Control Plane
    • SPIRE Agent = Node Agent
    • Current Version is 0.2 (Beatrice)
  12. Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

  13. SPIRE-Server
    • Functions as the SPIFFE signing authority
    • Verifies the legitimacy of the calling node and signs its CSR
    • Manages node and workload information and issues SVIDs

  14. Diagram (Node Agent to Control Plane): NodeAPI Client, NodeAPI, Node Attestor, CA Plugin; construct CSR, FetchBaseSVID(CSR, AttestData), Attest, Base SPIFFE ID, Sign CSR, resolver and other processing, Response (SVID, CA Certs, …), BaseSVID
  15. SPIRE-Server
    • Node API
    • Exposes the API that is called from the SPIRE Agent side
    • Returns the node's Base SVID, the workloads' SVIDs and the required CA certificates

  16. SPIRE-Server
    • Registration API
    • Exposes the API for registering the SPIFFE ID that corresponds to a workload
    • Registers a selector together with its SPIFFE ID and its parent SPIFFE ID
  17. SPIRE-Server
    • Node Attestor (Server)
    • Verifies the identity of the requesting node using plugin-specific data (AttestData) such as a join token
    • Asks the CA plugin to sign the CSR contained in the request data and generates the Base SVID
  18. SPIRE-Server
    • Node Resolver (※ further investigation needed)
    • From the Base SPIFFE ID, obtains the information (selectors) used to decide which workloads are allowed to run on that node
    • In 0.2 only a NOOP implementation exists
  19. SPIRE-Server
    • Selector
    • Properties that identify a node or a workload (more than one may be specified)
    • unix:uid:1000 (represents a workload running as uid 1000)
    • k8s:ns:sample-ns × k8s:sa:sample-sa (represents a workload running in sample-ns that uses sample-sa)
  20. Design Concept SPIFFE Reference Implementation Architecture: Interaction Diagrams

  21. SPIRE-Agent
    • Runs on every participating node
    • Fetches from the SPIRE Server, and manages, the information (SVID, CA cert, selectors) of the workloads allowed to run on that node
    • Verifies the legitimacy of a workload and provides it with its SVID

  22. Diagram (Node Agent): WorkloadAPI Client, FetchSVIDBundles, WorkloadAPI, Workload Attestor Plugins, Attest Workload, Node Selectors, lookup SVID Bundles in Cache, Response (SVID, CA Certs, …)
  23. SPIRE-Agent
    • Node Attestor (Agent)
    • Proves that it is a legitimate node by passing plugin-specific attestation data (AttestData) to the server
    • Passes a CSR to the server and has the server issue its Base SVID
    • Key Manager
    • Generates and manages the keys corresponding to SVIDs
  24. SPIRE-Agent
    • Workload API
    • Serves the API over gRPC
    • When called, determines the selectors from the client's PID via the Workload Attestor (described later)
    • If the selectors are registered in the control plane, returns the workload's SVID, its private key, the required CA certificates and so on
  25. Workload Attestor
    • Generates selectors from the workload's PID, one set per enabled plugin, and returns them
    • e.g., for the unix plugin: Selector { Type: unix, Value: unix:uid:1000, }
  26. Workload Attestor k8s plugin
    • A Workload Attestor for k8s pods
    • From the PID calling the Workload API, obtains the target pod and its Namespace and Service Account
    • /proc/${PID}/cgroup
    • Obtains the container ID from that file
  27. Workload Attestor k8s plugin
    • Accesses the kubelet's read-only port to obtain pod information
    • .status.containerStatuses[*].containerID
    • Searches for the entry matching the container ID obtained from the /proc/${PID}/cgroup file
    • Returns the following as the Value of a selector with Type=k8s
    • k8s:sa:<.spec.ServiceAccountName>
    • k8s:ns:<.metadata.Namespace>
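The lookup described in slides 26 and 27, as an added example (not the SPIRE k8s plugin's code): read the container ID out of a /proc/${PID}/cgroup file and match it against the kubelet pod list to produce the k8s:ns and k8s:sa selectors. It assumes a cgroup path whose last segment is the 64-hex-character Docker container ID (optionally wrapped as docker-<id>.scope) and a kubelet response where containerID carries a docker:// prefix; the type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// podList is the kubelet /pods response reduced to the fields this lookup reads.
type podList struct {
	Items []struct {
		Metadata struct{ Namespace string }          `json:"metadata"`
		Spec     struct{ ServiceAccountName string } `json:"spec"`
		Status   struct {
			ContainerStatuses []struct{ ContainerID string } `json:"containerStatuses"`
		} `json:"status"`
	} `json:"items"`
}

// ContainerIDFromCgroup returns the 64-hex container ID found as the last path segment of any
// "<hierarchy>:<controllers>:<path>" line (assumed layout, e.g. .../docker-<id>.scope), or "".
func ContainerIDFromCgroup(cgroupFile string) string {
	for _, line := range strings.Split(cgroupFile, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 {
			continue
		}
		seg := parts[2][strings.LastIndex(parts[2], "/")+1:]
		seg = strings.TrimSuffix(strings.TrimPrefix(seg, "docker-"), ".scope")
		if len(seg) == 64 {
			return seg
		}
	}
	return ""
}

// K8sSelectors finds the pod whose .status.containerStatuses[*].containerID (docker://<id>)
// matches containerID and returns the Type=k8s selector values k8s:ns:<ns> and k8s:sa:<sa>.
func K8sSelectors(podsJSON []byte, containerID string) ([]string, error) {
	var pods podList
	if err := json.Unmarshal(podsJSON, &pods); err != nil {
		return nil, err
	}
	for _, p := range pods.Items {
		for _, cs := range p.Status.ContainerStatuses {
			if strings.TrimPrefix(cs.ContainerID, "docker://") == containerID {
				return []string{"k8s:ns:" + p.Metadata.Namespace, "k8s:sa:" + p.Spec.ServiceAccountName}, nil
			}
		}
	}
	return nil, fmt.Errorf("no pod owns container %s", containerID)
}
```

A workload whose container ID is not in any pod gets no k8s selectors, so the agent has nothing to match against a registration entry for that workload.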
  28. Workload Components
    • Proxy
    • An mTLS proxy is provided as the component that supports X.509 SVIDs
    • As of 2017/11 it uses a third-party piece of software called ghostunnel
    • Envoy support is planned for the future
  29. Workload Components
    • Workload API Client
    • A wrapper around ghostunnel called sidecar is being developed
    • As a Workload API client it fetches the SVID and CA certificates and starts ghostunnel
  30. Diagram (Workload Proxy): Workload, Workload API Proxy, FetchSVIDBundles, SVID, Node, Workload API, Authenticate, TLS, How to authenticate
  31. Demo with k8s https://github.com/spiffe/spiffe-example/blob/master/beatrice/doc/beatrice_diagram.png

  32. Roadmap

  33. Roadmap - 2017

  34. Roadmap 2018 -

  35. End Goal

  36. Thank you for your attention. That’s it for now.

  37. References
    • https://spiffe.io/
    • https://github.com/spiffe
    • SPIFFE Reference Implementation Architecture
    • Design Document: SPIFFE Reference Implementation (SRI)