SPIFFE and SPIRE: Don’t Trust The Network 🤞

This week on the Kubelist Podcast, we welcome Sunil James from Hewlett Packard Enterprise to chat about the SPIFFE and SPIRE projects. Sunil is one of the founders of Scytale, the company that brought SPIFFE into the CNCF, and has continued to work on it after being acquired by HPE. If you’re running microservices and are thinking about security and identity, check out the links in this issue to learn more about SPIFFE and SPIRE, and tune in to this week’s podcast episode!

Issue #105

Istio already uses Kubernetes RBAC for access control, so when we first saw this post from IBM, we wondered where it was going. They included a section titled “Why the current Istio mechanism is not enough” – which helped by illustrating a scenario where the SPIFFE model can work on top of Istio to solve a problem. For anyone with Istio, this is a recommended read.

An interesting approach to using SPIFFE with AWS IAM instance roles by John Harris of VMware. This post shows how SPIFFE can deliver a secure, Kubernetes-native alternative for granting IAM role access to a Pod, instead of to the cluster or the node. If you have questions about the capabilities or uses of SPIFFE, this is an interesting way to apply it, and it shows the flexibility of the projects.

Here’s a link to the Gluecon presentation where Joe Beda originally introduced SPIFFE. Keep in mind that this was presented before any SPIFFE code was written. While at Google, Joe identified this problem and wrote a proposal for the SPIFFE specification. This presentation is still one of the best walk-throughs to answer the question “why are strong microservice identities important?” (something that we have all asked ourselves on sleepless nights). ☎

If you’ve had enough reading about the SPIFFE specification, you can dive into an implementation (SPIRE). This post on the Envoy blog is an informative guide to integrating SPIRE (and so SPIFFE) with Envoy to make your application more secure.

From KubeCon NA (San Diego 2019), this is a walk-through of some use cases for SPIFFE and SPIRE. This presentation doesn’t cover theoretical or experimental edge cases; following some of the advice in this highly relevant talk will lead you to building a more secure production system.

The original whitepaper published to start the SPIFFE project. It’s an interesting read, even if somewhat outdated at this point because Scytale, HP and the entire community have continued to push and evolve this project. If you want to dig deeper into SPIFFE, this is the origin story. 📜

Justin does a good job explaining these recent CVEs and why we will continue to see issues like this unless we make some changes to how we write code.