Using Kubernetes as a datastore for SPIRE

20e958629852b653fad35c99706fc3ac?s=47 Moto Ishizawa
May 14, 2019
Technology
1
470

Using Kubernetes as a datastore for SPIRE

20e958629852b653fad35c99706fc3ac?s=128

Moto Ishizawa

May 14, 2019
Tweet

More Decks by Moto Ishizawa

See All by Moto Ishizawa
20e958629852b653fad35c99706fc3ac?s=48 summerwind
1
3.7k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
5
1.4k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
2
3k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
18
4.6k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
17
2.8k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
1
1.7k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
3
2.1k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
5
3.1k
20e958629852b653fad35c99706fc3ac?s=48 summerwind
2
1.7k

Other Decks in Technology

See All in Technology
9321a57bcb62d9d6fca07b5c5ca6f6d0?s=48 ohbashunsuke
1
450
96f06c7c9af1405aa0f0e4102b2812be?s=48 iwashi86
9
2.6k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
130
A2cac4b3dcb2bc0b87917ddc034ef708?s=48 sansandsoc
7
1.3k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
240
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2k
9ec05c5a1b9b0ce9cd53ec3a63838b9a?s=48 yuuu
1
280
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
2
1.4k
Da467feb3ca0106d571915faedb714f2?s=48 enakai00
3
140
42bb3169f708bebf80653cbce796c311?s=48 nishi_yama
1
120
0dbafc17e04503dfef253274853b2c8a?s=48 terapyon
0
160
5919537a0ecfa5d4dea704cf878ae90e?s=48 toshimaru
4
1.4k

Featured

See All Featured
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
775
240k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
165
6.8k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
5
190
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
682
180k
245cee81a9c424266e5e401d844ea881?s=48 lara
590
60k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
224
8.3k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
69
3.4k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
285
110k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
308
21k
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
4
270
A9704266587836f7e784235e5073b93e?s=48 jmmastey
5
350
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
241
20k

Transcript

  1. Using Kubernetes as a datastore for SPIRE Moto Ishizawa @summerwind

    SPIFFE Meetup Tokyo #1

  2. Moto Ishizawa @summerwind

  3. None

  4. I would like to use SPIRE server on Kubernetes… SQL

    database !

  5. • SPIRE's datastore is pluggable and interchangeable • We already

    have a data storage to run Kubernetes cluster (It’s you, etcd!) • kube-apiserver has a function to aggregate data by labels No, wait...

  6. Kubernetes Cluster SPIRE Agent SPIRE Agent ‘k8s’ datastore plugin for

    SPIRE • https://github.com/summerwind/spire-plugin-datastore-k8s • This plugin enables to use Kubernetes as a data store for SPIRE server • Store SPIRE’s data as Custom Resources in Kubernetes • It's still experimental, but it works! SPIRE Server SPIRE Agent kube-apiserver Request SVID Store data

  7. Using ‘k8s’ datastore plugin on minikube (1) Start your Kubernetes

    cluster with minikube. $ minikube start \ --extra-config=apiserver.authorization-mode=RBAC \ --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \ --extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \ --extra-config=apiserver.service-account-issuer=api \ --extra-config=apiserver.service-account-api-audiences=api,spire-server

  8. Using ‘k8s’ datastore plugin on minikube (2) Create CustomResourceDefinition resources.

    $ curl -L https://github.com/summerwind/spire-plugin-datastore-k8s/releases/latest/ download/crd.yaml | kubectl apply -f -

  9. Using ‘k8s’ datastore plugin on minikube (3) Installing SPIRE server

    and SPIRE agents to your cluster. $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/ manifests/examples/spire-server.yaml | kubectl apply -f - $ curl -L https://raw.githubusercontent.com/summerwind/spire-plugin-datastore-k8s/master/ manifests/examples/spire-agent.yaml | kubectl apply -f -

  10. Using ‘k8s’ datastore plugin on minikube (4) Ensure that the

    k8s plugin is enabled. $ kubectl logs -n spire spire-server-0 spire-server … time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): starting plugin" subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="starting plugin" args="[/opt/spire/bin/spire-plugin- datastore-k8s]" path=/opt/spire/bin/spire-plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="waiting for RPC address" path=/opt/spire/bin/spire- plugin-datastore-k8s plugin_name=k8s plugin_type=DataStore subsystem_name=catalog time="2019-05-10T14:24:59Z" level=debug msg="plugin address" address=/tmp/plugin572155409 network=unix plugin_name=k8s plugin_type=DataStore subsystem_name=plugin.spire-plugin-datastore-k8s timestamp="2019-05-10T14:24:59.838Z" time="2019-05-10T14:24:59Z" level=debug msg="DataStore(k8s): configuring plugin" subsystem_name=catalog … time="2019-05-10T14:25:00Z" level=info msg="plugins started"

  11. Using ‘k8s’ datastore plugin on minikube (5) You can also

    see attested nodes as a Kubernetes resource. $ kubectl get attestednodes -n spire 01dah25fn6fh3xzpjv6aw9meq3 -o yaml apiVersion: kubernetes.spire.summerwind.dev/v1alpha1 kind: AttestedNode metadata: creationTimestamp: "2019-05-10T14:25:47Z" generation: 1 labels: spire.summerwind.dev/spiffe-id: 8a2858aa535a02e5fe19a323601c60a3ed0e75a11c039eecedc8b962 name: 01dah25fn6fh3xzpjv6aw9meq3 namespace: spire resourceVersion: "1597" selfLink: /apis/kubernetes.spire.summerwind.dev/v1alpha1/namespaces/spire/attestednodes/01dah25fn6fh3xzpjv6aw9meq3 uid: 80b8beda-732f-11e9-a486-080027bfff3c spec: attestationDataType: k8s_sat certNotAfter: 1557501947 certSerialNumber: "2" spiffeID: spiffe://example.org/spire/agent/k8s_sat/dev/3e247299-015d-4bf0-935f-718179e7dc0a status: {}

  12. There's room for improvement in KeyManager...? Persistent Storage !

  13. Thank you!