Using Kubernetes as a datastore for SPIRE

Transcript

1. Using Kubernetes as a datastore for SPIRE Moto Ishizawa @summerwind

   SPIFFE Meetup Tokyo #1

2. Moto Ishizawa @summerwind

3. None

4. I would like to use SPIRE server on Kubernetes… SQL

   database !

5. • SPIRE's datastore is pluggable and interchangeable • We already

   have a data storage to run Kubernetes cluster (It’s you, etcd!) • kube-apiserver has a function to aggregate data by labels No, wait...

6. Kubernetes Cluster SPIRE Agent SPIRE Agent ‘k8s’ datastore plugin for

   SPIRE • https://github.com/summerwind/spire-plugin-datastore-k8s • This plugin enables to use Kubernetes as a data store for SPIRE server • Store SPIRE’s data as Custom Resources in Kubernetes • It's still experimental, but it works! SPIRE Server SPIRE Agent kube-apiserver Request SVID Store data

7. Using ‘k8s’ datastore plugin on minikube (1) Start your Kubernetes

   cluster with minikube. $ minikube start \ --extra-config=apiserver.authorization-mode=RBAC \ --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \ --extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \ --extra-config=apiserver.service-account-issuer=api \ --extra-config=apiserver.service-account-api-audiences=api,spire-server

8. Using ‘k8s’ datastore plugin on minikube (2) Create CustomResourceDefinition resources.

   $ curl -L https://github.com/summerwind/spire-plugin-datastore-k8s/releases/latest/ download/crd.yaml | kubectl apply -f -

9. Using ‘k8s’ datastore plugin on minikube (3) Installing SPIRE server

   and SPIRE agents to your cluster. $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/ manifests/examples/spire-server.yaml | kubectl apply -f - $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/ manifests/examples/spire-agent.yaml | kubectl apply -f -

10. Using ‘k8s’ datastore plugin on minikube (4) Ensure that the

    k8s plugin is enabled. $ kubectl logs -n spire spire-server-0 spire-server … time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): starting plugin" subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="starting plugin" args="[/opt/spire/bin/spire-plugin- datastore-k8s]" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="waiting for RPC address" path=/opt/spire/bin/spire- plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="plugin address" address=/tmp/plugin572155409 network=unix plugin_name=k8s plugin_type=DataStore subsystem_name=plugin.spire-plugin-datastore-k8s timestamp="2019-05-10T14:24:59.838Z" time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): configuring plugin" subsystem_name=catalog … time="2019-05-10T14:25:00Z" level=info msg="plugins started"

11. Using ‘k8s’ datastore plugin on minikube (5) You can also

    see attested nodes as a Kubernetes resource. $ kubectl get attestednodes -n spire 01dah25fn6fh3xzpjv6aw9meq3 -o yaml apiVersion: kubernetes.spire.summerwind.dev/v1alpha1 kind: AttestedNode metadata: creationTimestamp: "2019-05-10T14:25:47Z" generation: 1 labels: spire.summerwind.dev/spiffe-id: 8a2858aa535a02e5fe19a323601c60a3ed0e75a11c039eecedc8b962 name: 01dah25fn6fh3xzpjv6aw9meq3 namespace: spire resourceVersion: "1597" selfLink: /apis/kubernetes.spire.summerwind.dev/v1alpha1/namespaces/spire/attestednodes/01dah25fn6fh3xzpjv6aw9meq3 uid: 80b8beda-732f-11e9-a486-080027bfff3c spec: attestationDataType: k8s_sat certNotAfter: 1557501947 certSerialNumber: "2" spiffeID: spiffe://example.org/spire/agent/k8s_sat/dev/3e247299-015d-4bf0-935f-718179e7dc0a status: {}

12. There's room for improvement in KeyManager...? Persistent Storage !

13. Thank you!