Slide 1

Using Kubernetes as a datastore for SPIRE
Moto Ishizawa (@summerwind)
SPIFFE Meetup Tokyo #1

Slide 2

Moto Ishizawa @summerwind

Slide 3

Slide 4

I would like to use SPIRE server on Kubernetes… SQL database !

Slide 5

• SPIRE's datastore is pluggable and interchangeable
• We already have data storage for running a Kubernetes cluster (it's you, etcd!)
• kube-apiserver can already select and aggregate data by labels

No, wait...

Slide 6

‘k8s’ datastore plugin for SPIRE
• https://github.com/summerwind/spire-plugin-datastore-k8s
• This plugin lets the SPIRE server use Kubernetes as its datastore
• SPIRE's data is stored as Custom Resources in Kubernetes
• It's still experimental, but it works!

(Diagram: inside a Kubernetes cluster, SPIRE agents request SVIDs from the SPIRE server, and the SPIRE server stores its data through kube-apiserver.)

Slide 7

Using ‘k8s’ datastore plugin on minikube (1)

Start your Kubernetes cluster with minikube.

$ minikube start \
    --extra-config=apiserver.authorization-mode=RBAC \
    --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
    --extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \
    --extra-config=apiserver.service-account-issuer=api \
    --extra-config=apiserver.service-account-api-audiences=api,spire-server

Slide 8

Using ‘k8s’ datastore plugin on minikube (2)

Create the CustomResourceDefinition resources.

$ curl -L https://github.com/summerwind/spire-plugin-datastore-k8s/releases/latest/download/crd.yaml | kubectl apply -f -

Slide 9

Using ‘k8s’ datastore plugin on minikube (3)

Install the SPIRE server and SPIRE agents in your cluster.

$ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/manifests/examples/spire-server.yaml | kubectl apply -f -
$ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/manifests/examples/spire-agent.yaml | kubectl apply -f -

Slide 10

Using ‘k8s’ datastore plugin on minikube (4)

Ensure that the k8s plugin is enabled.

$ kubectl logs -n spire spire-server-0 spire-server
…
time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): starting plugin" subsystem_name=catalog
time="2019-05-10T14:24:59Z" level=debug msg="starting plugin" args="[/opt/spire/bin/spire-plugin-datastore-k8s]" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog
time="2019-05-10T14:24:59Z" level=debug msg="waiting for RPC address" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog
time="2019-05-10T14:24:59Z" level=debug msg="plugin address" address=/tmp/plugin572155409 network=unix plugin_name=k8s plugin_type=DataStore subsystem_name=plugin.spire-plugin-datastore-k8s timestamp="2019-05-10T14:24:59.838Z"
time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): configuring plugin" subsystem_name=catalog
…
time="2019-05-10T14:25:00Z" level=info msg="plugins started"

Slide 11

Using ‘k8s’ datastore plugin on minikube (5)

You can also see attested nodes as a Kubernetes resource.

$ kubectl get attestednodes -n spire 01dah25fn6fh3xzpjv6aw9meq3 -o yaml
apiVersion: kubernetes.spire.summerwind.dev/v1alpha1
kind: AttestedNode
metadata:
  creationTimestamp: "2019-05-10T14:25:47Z"
  generation: 1
  labels:
    spire.summerwind.dev/spiffe-id: 8a2858aa535a02e5fe19a323601c60a3ed0e75a11c039eecedc8b962
  name: 01dah25fn6fh3xzpjv6aw9meq3
  namespace: spire
  resourceVersion: "1597"
  selfLink: /apis/kubernetes.spire.summerwind.dev/v1alpha1/namespaces/spire/attestednodes/01dah25fn6fh3xzpjv6aw9meq3
  uid: 80b8beda-732f-11e9-a486-080027bfff3c
spec:
  attestationDataType: k8s_sat
  certNotAfter: 1557501947
  certSerialNumber: "2"
  spiffeID: spiffe://example.org/spire/agent/k8s_sat/dev/3e247299-015d-4bf0-935f-718179e7dc0a
status: {}
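Because the plugin exposes attested nodes as ordinary Custom Resources, an operator can audit them with the same tooling as any other Kubernetes object. The script below is an added example, not part of the plugin or of SPIRE: it parses the JSON form of `kubectl get attestednodes -n spire -o json`, flags nodes whose agent SVID (`certNotAfter`) has already expired, and flags nodes whose SPIFFE ID path does not match their `attestationDataType`. The input is constructed inline: the first item copies the AttestedNode shown above, the second is a made-up node.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: item 1 is the AttestedNode from the slide above,
# item 2 is a made-up node with an expired SVID and a mismatched ID path.
SAMPLE_LIST = json.dumps({
    "apiVersion": "kubernetes.spire.summerwind.dev/v1alpha1",
    "kind": "AttestedNodeList",
    "items": [
        {"kind": "AttestedNode",
         "metadata": {"name": "01dah25fn6fh3xzpjv6aw9meq3", "namespace": "spire"},
         "spec": {"attestationDataType": "k8s_sat", "certNotAfter": 1557501947,
                  "certSerialNumber": "2",
                  "spiffeID": "spiffe://example.org/spire/agent/k8s_sat/dev/3e247299-015d-4bf0-935f-718179e7dc0a"}},
        {"kind": "AttestedNode",
         "metadata": {"name": "constructed-expired-node", "namespace": "spire"},
         "spec": {"attestationDataType": "k8s_sat", "certNotAfter": 1557400000,
                  "certSerialNumber": "3",
                  "spiffeID": "spiffe://example.org/spire/agent/join_token/constructed"}},
    ],
})


def parse_attested_nodes(doc: str) -> List[Dict]:
    """Flatten `kubectl get attestednodes -o json` output into name + spec fields."""
    items = json.loads(doc)["items"]
    return [{"name": i["metadata"]["name"], **i["spec"]} for i in items]


def agent_type_from_spiffe_id(spiffe_id: str) -> Optional[str]:
    """SPIRE agent IDs have the form spiffe://<trust-domain>/spire/agent/<attestor>/...;
    return the <attestor> segment, or None if the path is not an agent ID."""
    parts = urlparse(spiffe_id).path.strip("/").split("/")
    if len(parts) < 3 or parts[:2] != ["spire", "agent"]:
        return None
    return parts[2]


def audit_nodes(nodes: List[Dict], now: int) -> Dict[str, List[str]]:
    """Return names of nodes whose SVID expired before `now` (Unix seconds),
    and of nodes whose SPIFFE ID path disagrees with attestationDataType."""
    findings: Dict[str, List[str]] = {"expired": [], "type_mismatch": []}
    for n in nodes:
        if n["certNotAfter"] < now:
            findings["expired"].append(n["name"])
        if agent_type_from_spiffe_id(n["spiffeID"]) != n["attestationDataType"]:
            findings["type_mismatch"].append(n["name"])
    return findings
```

Run against a live cluster by replacing `SAMPLE_LIST` with the output of `kubectl get attestednodes -n spire -o json`; a real SPIRE server also needs RBAC that restricts who may write these resources, since they are the node registry.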

Slide 12

There's room for improvement in KeyManager...? Persistent Storage !

Slide 13

Thank you!