
Using Kubernetes as a datastore for SPIRE

Moto Ishizawa

May 14, 2019

Transcript

  1. Using Kubernetes as a datastore for SPIRE
    Moto Ishizawa
    @summerwind SPIFFE Meetup Tokyo #1

  2. Moto Ishizawa
    @summerwind

  3.

  4. I would like to use SPIRE server on Kubernetes…
    SQL database !

  5. • SPIRE's datastore is pluggable and interchangeable
    • We already have a data store for running the Kubernetes cluster (It’s you, etcd!)
    • kube-apiserver has a built-in function to aggregate data by labels
    No, wait...

  6. ‘k8s’ datastore plugin for SPIRE
    • https://github.com/summerwind/spire-plugin-datastore-k8s
    • This plugin enables using Kubernetes as a data store for the SPIRE server
    • Stores SPIRE’s data as Custom Resources in Kubernetes
    • It's still experimental, but it works!
    [Diagram: inside the Kubernetes cluster, SPIRE Agents request SVIDs from the SPIRE Server, which stores its data through kube-apiserver]

  7. Using ‘k8s’ datastore plugin on minikube (1)
    Start your Kubernetes cluster with minikube.
    $ minikube start \
    --extra-config=apiserver.authorization-mode=RBAC \
    --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
    --extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \
    --extra-config=apiserver.service-account-issuer=api \
    --extra-config=apiserver.service-account-api-audiences=api,spire-server

  8. Using ‘k8s’ datastore plugin on minikube (2)
    Create CustomResourceDefinition resources.
    $ curl -L https://github.com/summerwind/spire-plugin-datastore-k8s/releases/latest/download/crd.yaml | kubectl apply -f -

  9. Using ‘k8s’ datastore plugin on minikube (3)
    Install the SPIRE server and SPIRE agents in your cluster.
    $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/manifests/examples/spire-server.yaml | kubectl apply -f -
    $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/manifests/examples/spire-agent.yaml | kubectl apply -f -

  10. Using ‘k8s’ datastore plugin on minikube (4)
    Ensure that the k8s plugin is enabled.
    $ kubectl logs -n spire spire-server-0 spire-server

    time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): starting plugin" subsystem_name=catalog
    time="2019-05-10T14:24:59Z" level=debug msg="starting plugin" args="[/opt/spire/bin/spire-plugin-datastore-k8s]" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog
    time="2019-05-10T14:24:59Z" level=debug msg="waiting for RPC address" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog
    time="2019-05-10T14:24:59Z" level=debug msg="plugin address" address=/tmp/plugin572155409 network=unix plugin_name=k8s plugin_type=DataStore subsystem_name=plugin.spire-plugin-datastore-k8s timestamp="2019-05-10T14:24:59.838Z"
    time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): configuring plugin" subsystem_name=catalog

    time="2019-05-10T14:25:00Z" level=info msg="plugins started"

  11. Using ‘k8s’ datastore plugin on minikube (5)
    You can also see attested nodes as a Kubernetes resource.
    $ kubectl get attestednodes -n spire 01dah25fn6fh3xzpjv6aw9meq3 -o yaml
    apiVersion: kubernetes.spire.summerwind.dev/v1alpha1
    kind: AttestedNode
    metadata:
      creationTimestamp: "2019-05-10T14:25:47Z"
      generation: 1
      labels:
        spire.summerwind.dev/spiffe-id: 8a2858aa535a02e5fe19a323601c60a3ed0e75a11c039eecedc8b962
      name: 01dah25fn6fh3xzpjv6aw9meq3
      namespace: spire
      resourceVersion: "1597"
      selfLink: /apis/kubernetes.spire.summerwind.dev/v1alpha1/namespaces/spire/attestednodes/01dah25fn6fh3xzpjv6aw9meq3
      uid: 80b8beda-732f-11e9-a486-080027bfff3c
    spec:
      attestationDataType: k8s_sat
      certNotAfter: 1557501947
      certSerialNumber: "2"
      spiffeID: spiffe://example.org/spire/agent/k8s_sat/dev/3e247299-015d-4bf0-935f-718179e7dc0a
    status: {}
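    Because attested nodes are ordinary Custom Resources, they can be audited with the same tooling as any other Kubernetes object. The script below is an added example, not part of the talk or of the plugin's own code: it takes the list in the JSON shape that `kubectl get attestednodes -n spire -o json` returns, turns each `certNotAfter` into a remaining agent-SVID lifetime, and flags agents whose SVID is expiring or already expired. The first item mirrors the resource above; the second item and the audit time are constructed.

```python
"""Audit SPIRE AttestedNode custom resources served by the k8s datastore plugin."""
from datetime import datetime, timezone

# Constructed sample in the shape `kubectl get attestednodes -n spire -o json`
# returns; the first item mirrors the resource shown on the slide, the second is
# invented so that the expiry check has something to flag.
ATTESTED_NODES = {
    "apiVersion": "kubernetes.spire.summerwind.dev/v1alpha1",
    "kind": "AttestedNodeList",
    "items": [
        {"metadata": {"name": "01dah25fn6fh3xzpjv6aw9meq3", "namespace": "spire",
                      "creationTimestamp": "2019-05-10T14:25:47Z"},
         "spec": {"attestationDataType": "k8s_sat", "certNotAfter": 1557501947,
                  "certSerialNumber": "2",
                  "spiffeID": "spiffe://example.org/spire/agent/k8s_sat/dev/"
                              "3e247299-015d-4bf0-935f-718179e7dc0a"}},
        {"metadata": {"name": "01dahexample000000000000000", "namespace": "spire",
                      "creationTimestamp": "2019-05-10T13:00:00Z"},
         "spec": {"attestationDataType": "k8s_sat", "certNotAfter": 1557496800,
                  "certSerialNumber": "1",   # certNotAfter = 2019-05-10T14:00:00Z
                  "spiffeID": "spiffe://example.org/spire/agent/k8s_sat/dev/"
                              "00000000-0000-4000-8000-000000000001"}},
    ],
}

def audit_attested_nodes(node_list, now, warn_within=900):
    """Classify each AttestedNode by the remaining lifetime of its agent SVID.

    spec.certNotAfter is a Unix timestamp. An agent whose SVID has expired can
    no longer rotate it and must re-attest, so its entry is worth flagging.
    Returns {name: {"spiffe_id", "type", "seconds_left", "state"}}.
    """
    report = {}
    for item in node_list["items"]:
        spec = item["spec"]
        not_after = datetime.fromtimestamp(spec["certNotAfter"], tz=timezone.utc)
        seconds_left = int((not_after - now).total_seconds())
        state = ("expired" if seconds_left <= 0
                 else "expiring" if seconds_left <= warn_within else "valid")
        report[item["metadata"]["name"]] = {
            "spiffe_id": spec["spiffeID"], "type": spec["attestationDataType"],
            "seconds_left": seconds_left, "state": state}
    return report

if __name__ == "__main__":
    # Run the audit 50 minutes after the sample node attested (constructed time).
    audit_time = datetime(2019, 5, 10, 15, 15, 47, tzinfo=timezone.utc)
    for name, info in audit_attested_nodes(ATTESTED_NODES, audit_time).items():
        print(f"{name}: {info['state']:<8} {info['seconds_left']:>6}s left  {info['spiffe_id']}")
```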

  12. There's room for improvement in KeyManager...?
    Persistent Storage !

  13. Thank you!