Slide 1

Slide 1 text

@evan2645 Introducing SPIFFE Evan Gilman

Slide 2

Slide 2 text

@evan2645 About Me

Slide 3

Slide 3 text

@evan2645 Agenda
● Cloud Native Network Security
● SPIFFE
● SPIRE Overview
● SPIRE Walkthrough
● Live Demo

Slide 4

Slide 4 text

@evan2645 Not Your Parent’s Network Security

Slide 6

Slide 6 text

@evan2645 Software is Eating the World

Slide 7

Slide 7 text

@evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

Slide 12

Slide 12 text

@evan2645 Host Provider Process Process Process Process Host Provider Process Process Process Process

Slide 15

Slide 15 text

@evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

Slide 16

Slide 16 text

@evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24 ???

Slide 17

Slide 17 text

@evan2645 Workload Identity

Slide 18

Slide 18 text

@evan2645 Identity Domains Mesos Dell HP Identity Domain Hyper-V Kubernetes KVM

Slide 21

Slide 21 text

@evan2645 Universal Workload Identity

Slide 22

Slide 22 text

@evan2645 SPIFFE

Slide 25

Slide 25 text

@evan2645 SPIFFE ID spiffe://example.org/foo

Slide 27

Slide 27 text

@evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

Slide 33

Slide 33 text

@evan2645 SPIFFE Workload API Workload API Workload Workload Workload Server

Slide 36

Slide 36 text

@evan2645 How Do I SPIFFE?

Slide 37

Slide 37 text

@evan2645 SPIRE

Slide 40

Slide 40 text

@evan2645
spire-server
● Identity Mapping
● Node Attestation
● SVID Issuance
spire-agent
● Workload Attestation
● Workload API

Slide 41

Slide 41 text

@evan2645 SPIRE Walkthrough CA spire-server

Slide 42

Slide 42 text

@evan2645 SPIRE Walkthrough Existing PKI (optional) Upstream CA CA spire-server

Slide 43

Slide 43 text

@evan2645 SPIRE Walkthrough Existing PKI (optional) Upstream CA CA Registration API spire-server

Slide 44

Slide 44 text

@evan2645 SPIRE Walkthrough
Parent ID: spiffe://example.org/k8s/cluster/foo
Selector: k8s:ns:operations
Selector: k8s:sa:mediawiki
Selector: docker:image-id: 746b819f315e
SPIFFE ID: spiffe://example.org/ops/wiki

Slide 45

Slide 45 text

@evan2645 SPIRE Walkthrough spire-server Node Attestor AWS

Slide 46

Slide 46 text

@evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

Slide 52

Slide 52 text

@evan2645 SPIRE Walkthrough Linux Kernel spire-agent API Socket Server

Slide 54

Slide 54 text

@evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload API Socket Server

Slide 58

Slide 58 text

@evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload kubelet API Socket Server

Slide 60

Slide 60 text

@evan2645 SPIRE Secure Introduction

Slide 63

Slide 63 text

@evan2645 Demo Time!

Slide 64

Slide 64 text

@evan2645 In Summary

Slide 65

Slide 65 text

@evan2645 Looking Forward

Slide 67

Slide 67 text

@evan2645 Play Today
● spiffe/spiffe
● spiffe/spire
● spiffe/spiffe-example
● slack.spiffe.io

Slide 68

Slide 68 text

@evan2645 Drink Today https://goo.gl/forms/SH16VG0iJYrkbfsJ2
