
An Introduction to SPIFFE/SPIRE

Tomoya Usami
November 20, 2017


Transcript

  1. What’s SPIFFE? "SPIFFE is the single #1 missing piece for enabling cloud native ecosystems." - Brian Grant (CNCF TOC)
  2. What’s SPIFFE? • Secure Production Identity Framework For Everyone • Defines a framework and specification for secure service-to-service authentication • An Open Standard for Identity in Cloud Native Environments • Low Overhead Authentication System
  3. SVID • SPIFFE Verifiable Identity Document • Fundamentally a document that carries three pieces of information: <SPIFFE ID>, <public key>, <valid signature> • As a document format, X.509 is the one supported as of 2017/11
  4. X.509 SVID extensions (Field | Value | Description):
     • Subject Alternative Name | URI | exactly one SPIFFE ID is set
     • Basic Constraints | CA | true if the certificate is a signing certificate
     • Basic Constraints | pathLenConstraint | not set
     • Name Constraints | permittedSubtrees | set if URI name constraints are wanted
     • Key Usage | keyCertSign, cRLSign | set on a signing certificate
     • Key Usage | keyAgreement, keyEncipherment, digitalSignature | set on a leaf certificate
     • Extended Key Usage | id-kp-serverAuth, id-kp-clientAuth | set on a leaf certificate
     • https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md
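Added example (not from the slides and not SPIRE's own CA or validator code): a Go program that issues a signing certificate and a leaf SVID with the standard library, following the rows above, and then validates a presented leaf against the same rows before checking its chain. The example.org trust domain, the workload ID and the certificate lifetimes are assumptions; the rule set is the table's, not a reimplementation of any SPIRE plugin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert generates a P-256 key, signs tmpl under parent with priv (nil = self-signed) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, priv *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if priv == nil {
		priv = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// ValidateLeafSVID applies the table's leaf rows, then the "valid signature" part of the SVID (chain to the bundle).
func ValidateLeafSVID(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	var server, client bool
	for _, e := range cert.ExtKeyUsage {
		server, client = server || e == x509.ExtKeyUsageServerAuth, client || e == x509.ExtKeyUsageClientAuth
	}
	switch {
	case len(ids) != 1:
		return "", fmt.Errorf("exactly one spiffe:// URI SAN required, found %d", len(ids))
	case cert.IsCA:
		return "", errors.New("leaf SVID must not assert CA=true")
	case cert.KeyUsage&x509.KeyUsageDigitalSignature == 0:
		return "", errors.New("digitalSignature key usage missing")
	case cert.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0:
		return "", errors.New("keyCertSign/cRLSign belong only on signing certificates")
	case !server || !client:
		return "", errors.New("both id-kp-serverAuth and id-kp-clientAuth required")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return ids[0], nil
}

// BuildDemo issues a signing cert per the table's CA rows and a leaf SVID per its leaf rows, plus a trust bundle.
func BuildDemo(rawID string) (ca, leaf *x509.Certificate, roots *x509.CertPool) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.org signing cert"}, // hypothetical trust domain
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // MaxPathLen left at 0 with MaxPathLenZero false: no pathLenConstraint
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey := mkCert(caTmpl, caTmpl, nil)
	id, err := url.Parse(rawID)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		URIs:                  []*url.URL{id}, // exactly one SPIFFE ID in the URI SAN
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true, // CA=false
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leaf, _ = mkCert(leafTmpl, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return ca, leaf, roots
}

func main() {
	ca, leaf, roots := BuildDemo("spiffe://example.org/ns/sample-ns/sa/sample-sa")
	fmt.Println(ValidateLeafSVID(leaf, roots)) // the SPIFFE ID and <nil>
	fmt.Println(ValidateLeafSVID(ca, roots))   // "" and an error: a signing cert is not a leaf SVID
}
```

The profile checks run before the chain check on purpose: a certificate that chains correctly but carries keyCertSign, or two SPIFFE IDs, is refused without ever consulting the bundle. In a deployment the bundle would come from the Workload API response rather than from a pool built in the same process.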
  5. What’s SPIRE? • SPIFFE Runtime Environment • Reference implementation • SPIRE Server = control plane • SPIRE Agent = node agent • Current version is 0.2 (Beatrice)
  6. Node attestation flow (sequence diagram, Node Agent → Control Plane): the NodeAPI client on the Node Agent constructs a CSR and calls FetchBaseSVID(CSR, AttestData); on the Control Plane the Node Attestor attests the node and yields the Base SPIFFE ID; the CA plugin signs the CSR (followed by the resolver and other processing…); the response (SVID, CA certs, …) is returned to the agent as its BaseSVID.
  7. SPIRE Server • Node Resolver (※ needs further investigation) • From the Base SPIFFE ID, obtains the information (selectors) used to determine which workloads are permitted to run on that node • In 0.2 only a NOOP implementation exists
  8. SPIRE Server • Selector • A property that identifies a node or a workload (several may be specified) • unix:uid:1000 (denotes a workload running as uid 1000) • k8s:ns:sample-ns × k8s:sa:sample-sa (denotes a workload running in namespace sample-ns with service account sample-sa)
  9. Workload attestation flow (sequence diagram inside the Node Agent): a WorkloadAPI client calls FetchSVIDBundles; the WorkloadAPI hands the caller to the Workload Attestor plugins, which attest the workload and return its selectors; the agent looks up the matching SVID bundles in its cache and responds with (SVID, CA certs, …).
  10. SPIRE Agent • Workload API • Exposed over gRPC • When called, determines the caller's selectors from its pid via the Workload Attestor (described later) • If those selectors are registered with the control plane, returns the workload's SVID, its private key and the CA certificates it needs
  11. Workload Attestor k8s plugin • A Workload Attestor for k8s pods • From the pid that called the Workload API, determines the pod and its Namespace and Service Account • /proc/${PID}/cgroup • Reads the ContainerID from that file
  12. Workload Attestor k8s plugin • Fetches pod information from the kubelet's read-only port • Searches .status.containerStatuses[*].containerID for the entry matching the ContainerID read from /proc/${PID}/cgroup • Returns the following as the values of selectors with Type=k8s: • k8s:sa:<.spec.ServiceAccountName> • k8s:ns:<.metadata.Namespace>
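Added example covering slides 8, 10, 11 and 12 (written for this page, not SPIRE's attestor or server code): Go code that extracts the container ID from constructed /proc/<pid>/cgroup content, maps it to a pod through a constructed stand-in for the kubelet read-only port's pod list, emits the k8s:ns and k8s:sa selectors, and then matches registration entries with the all-of semantics that the × on slide 8 implies. The pod list, container IDs, registration entries and the example.org trust domain are constructed; the Pod and RegistrationEntry field names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Selector is one "type:value" property of a node or workload (slide 8); an entry may list several and a workload must present all of them.
type Selector struct{ Type, Value string }

// Constructed /proc/<pid>/cgroup content for a container of a pod run under docker (cgroup v1 layout).
const SampleContainerID = "3f4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e"
const SampleCgroup = "12:pids:/kubepods/burstable/pod1b2c3d4e-0000-4000-8000-0123456789ab/" + SampleContainerID + "\n" +
	"1:name=systemd:/kubepods/burstable/pod1b2c3d4e-0000-4000-8000-0123456789ab/" + SampleContainerID + "\n"

var containerIDRe = regexp.MustCompile(`/([0-9a-f]{64})$`)

// ContainerIDFromCgroup parses "hierarchy:controllers:path" lines and returns the 64-hex ID that ends a
// kubepods path. The kernel supplies the caller's cgroup, so the workload cannot choose this value itself.
func ContainerIDFromCgroup(content string) (string, error) {
	for _, line := range strings.Split(content, "\n") {
		fields := strings.SplitN(line, ":", 3)
		if len(fields) != 3 {
			continue
		}
		if m := containerIDRe.FindStringSubmatch(fields[2]); m != nil {
			return m[1], nil
		}
	}
	return "", errors.New("no container id found in cgroup content")
}

// Pod is the subset of a pod object from the kubelet read-only port that the attestor needs (assumed shape).
type Pod struct {
	Namespace          string   // .metadata.namespace
	ServiceAccountName string   // .spec.serviceAccountName
	ContainerIDs       []string // .status.containerStatuses[*].containerID, e.g. "docker://<id>"
}

// SelectorsForContainer finds the pod owning containerID and derives the k8s selectors of slide 12.
func SelectorsForContainer(pods []Pod, containerID string) ([]Selector, error) {
	for _, p := range pods {
		for _, cid := range p.ContainerIDs {
			if i := strings.Index(cid, "://"); i >= 0 { // strip the runtime prefix
				cid = cid[i+3:]
			}
			if cid == containerID {
				return []Selector{{"k8s", "ns:" + p.Namespace}, {"k8s", "sa:" + p.ServiceAccountName}}, nil
			}
		}
	}
	return nil, fmt.Errorf("no pod on this node owns container %s", containerID)
}

// RegistrationEntry maps a SPIFFE ID to the selectors a workload must present to receive it.
type RegistrationEntry struct {
	SpiffeID  string
	Selectors []Selector
}

// MatchEntries returns the SPIFFE IDs of entries whose selectors are all among the attested ones; an entry with no selectors matches nothing.
func MatchEntries(entries []RegistrationEntry, attested []Selector) []string {
	have := map[Selector]bool{}
	for _, s := range attested {
		have[s] = true
	}
	var ids []string
	for _, e := range entries {
		ok := len(e.Selectors) > 0
		for _, s := range e.Selectors {
			ok = ok && have[s]
		}
		if ok {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}

// Constructed kubelet pod list and registration entries; the example.org trust domain is hypothetical.
var (
	DemoPods = []Pod{
		{Namespace: "kube-system", ServiceAccountName: "coredns", ContainerIDs: []string{"docker://" + strings.Repeat("a", 64)}},
		{Namespace: "sample-ns", ServiceAccountName: "sample-sa", ContainerIDs: []string{"docker://" + SampleContainerID}},
	}
	DemoEntries = []RegistrationEntry{
		{"spiffe://example.org/ns/sample-ns/sa/sample-sa", []Selector{{"k8s", "ns:sample-ns"}, {"k8s", "sa:sample-sa"}}},
		{"spiffe://example.org/ns/sample-ns/sa/other-sa", []Selector{{"k8s", "ns:sample-ns"}, {"k8s", "sa:other-sa"}}},
		{"spiffe://example.org/uid-1000", []Selector{{"unix", "uid:1000"}}},
	}
)

func main() {
	cid, err := ContainerIDFromCgroup(SampleCgroup)
	sels, _ := SelectorsForContainer(DemoPods, cid)
	fmt.Println(cid, err, sels, MatchEntries(DemoEntries, sels))
}
```

Two points worth keeping in mind when reading this against the slides: the binding between caller and pod rests entirely on the kernel-supplied pid and cgroup, not on anything the workload sends over the socket, and the kubelet read-only port serves pod metadata without authentication, so the lookup establishes which pod owns the container, nothing more. The cgroup path layout is runtime-specific (this sample mirrors a docker cgroup v1 node), which is why a real attestor has to handle several formats.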
  13. Workload Components • Proxy • An mTLS proxy is what supports X.509 SVIDs on the workload side • As of 2017/11 it uses third-party software, ghostunnel • Envoy support is planned
  14. Workload Components • Workload API Client • A wrapper around ghostunnel called sidecar is under development • Acting as a Workload API client, it fetches the SVID and CA certificates and then launches ghostunnel
  15. How to authenticate (diagram, two nodes): on each node a workload sits behind a proxy; each proxy calls FetchSVIDBundles on its node's Workload API to obtain its SVID, and the two proxies authenticate each other over TLS using those SVIDs.