How does Istio implement this spec point of SPIFFE?
up vote
0
down vote
favorite
In the SPIFFE specification it is stated that
Since a workload in its early stages may have no prior knowledge of
its identity or whom it should trust, it is very difficult to secure
access to the endpoint. As a result, the SPIFFE Workload Endpoint
SHOULD be exposed through a local endpoint, and implementers SHOULD
NOT expose the same endpoint instance to more than one host.
Can you please explain on what is meant by this and how Istio implements this?
istio
asked Nov 13 at 5:24
Pasan W.
129513
add a comment |
up vote
0
down vote
favorite
In the SPIFFE specification it is stated that
Since a workload in its early stages may have no prior knowledge of
its identity or whom it should trust, it is very difficult to secure
access to the endpoint. As a result, the SPIFFE Workload Endpoint
SHOULD be exposed through a local endpoint, and implementers SHOULD
NOT expose the same endpoint instance to more than one host.
Can you please explain on what is meant by this and how Istio implements this?
istio
asked Nov 13 at 5:24
Pasan W.
129513
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
In the SPIFFE specification it is stated that
Since a workload in its early stages may have no prior knowledge of
its identity or whom it should trust, it is very difficult to secure
access to the endpoint. As a result, the SPIFFE Workload Endpoint
SHOULD be exposed through a local endpoint, and implementers SHOULD
NOT expose the same endpoint instance to more than one host.
Can you please explain on what is meant by this and how Istio implements this?
istio
asked Nov 13 at 5:24
Pasan W.
129513
In the SPIFFE specification it is stated that
Since a workload in its early stages may have no prior knowledge of
its identity or whom it should trust, it is very difficult to secure
access to the endpoint. As a result, the SPIFFE Workload Endpoint
SHOULD be exposed through a local endpoint, and implementers SHOULD
NOT expose the same endpoint instance to more than one host.
Can you please explain on what is meant by this and how Istio implements this?
istio
istio
asked Nov 13 at 5:24
Pasan W.
129513
asked Nov 13 at 5:24
Pasan W.
129513
asked Nov 13 at 5:24
Pasan W.
129513
asked Nov 13 at 5:24
Pasan W.
129513
asked Nov 13 at 5:24
Pasan W.
129513
129513
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
Actually, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms using the same identity document SVID. Istio Citadel is the key component for secure provisioning various identities and provides credential management.
It is feasible in the near future to use Node agent within Istio mesh in order to discover relevant services via Envoy secret discovery service (SDS) API and this approach is very similar to SPIRE design.
The key concepts of SPIRE design, described in the official documentation, you can find below:
SPIRE consists of two components, an agent and a server.
The server provides a central registry of SPIFFE IDs, and the
attestation policies that describe which workloads are entitled to
assume those identities. Attestation policies describe the properties
that the workload must exhibit in order to be assigned an identity,
and are typically described as a mix of process attributes (such as a
Linux UID) and infrastructure attributes (such as running in a VM that
has a particular EC2 label).
The agent runs on any machine (or, more formally, any kernel) and
exposes the local workload API to any process that needs to retrieve a
SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is
exposed locally through a Unix Domain Socket. By verifying the
attributes of a calling workload, the workload API avoids requiring
the workload to supply a secret to authenticate.
SPIRE promises to become the main contributor for workload authentication mechanisms, however so far it's on developing stage with desired future implementation on production deployments.
answered Nov 13 at 12:57
mk_sta
58518
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
Actually, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms using the same identity document SVID. Istio Citadel is the key component for secure provisioning various identities and provides credential management.
It is feasible in the near future to use Node agent within Istio mesh in order to discover relevant services via Envoy secret discovery service (SDS) API and this approach is very similar to SPIRE design.
The key concepts of SPIRE design, described in the official documentation, you can find below:
SPIRE consists of two components, an agent and a server.
The server provides a central registry of SPIFFE IDs, and the
attestation policies that describe which workloads are entitled to
assume those identities. Attestation policies describe the properties
that the workload must exhibit in order to be assigned an identity,
and are typically described as a mix of process attributes (such as a
Linux UID) and infrastructure attributes (such as running in a VM that
has a particular EC2 label).
The agent runs on any machine (or, more formally, any kernel) and
exposes the local workload API to any process that needs to retrieve a
SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is
exposed locally through a Unix Domain Socket. By verifying the
attributes of a calling workload, the workload API avoids requiring
the workload to supply a secret to authenticate.
SPIRE promises to become the main contributor for workload authentication mechanisms, however so far it's on developing stage with desired future implementation on production deployments.
answered Nov 13 at 12:57
mk_sta
58518
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
add a comment |
up vote
0
down vote
Actually, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms using the same identity document SVID. Istio Citadel is the key component for secure provisioning various identities and provides credential management.
It is feasible in the near future to use Node agent within Istio mesh in order to discover relevant services via Envoy secret discovery service (SDS) API and this approach is very similar to SPIRE design.
The key concepts of SPIRE design, described in the official documentation, you can find below:
SPIRE consists of two components, an agent and a server.
The server provides a central registry of SPIFFE IDs, and the
attestation policies that describe which workloads are entitled to
assume those identities. Attestation policies describe the properties
that the workload must exhibit in order to be assigned an identity,
and are typically described as a mix of process attributes (such as a
Linux UID) and infrastructure attributes (such as running in a VM that
has a particular EC2 label).
The agent runs on any machine (or, more formally, any kernel) and
exposes the local workload API to any process that needs to retrieve a
SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is
exposed locally through a Unix Domain Socket. By verifying the
attributes of a calling workload, the workload API avoids requiring
the workload to supply a secret to authenticate.
SPIRE promises to become the main contributor for workload authentication mechanisms, however so far it's on developing stage with desired future implementation on production deployments.
answered Nov 13 at 12:57
mk_sta
58518
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
add a comment |
up vote
0
down vote
up vote
0
down vote
Actually, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms using the same identity document SVID. Istio Citadel is the key component for secure provisioning various identities and provides credential management.
It is feasible in the near future to use Node agent within Istio mesh in order to discover relevant services via Envoy secret discovery service (SDS) API and this approach is very similar to SPIRE design.
The key concepts of SPIRE design, described in the official documentation, you can find below:
SPIRE consists of two components, an agent and a server.
The server provides a central registry of SPIFFE IDs, and the
attestation policies that describe which workloads are entitled to
assume those identities. Attestation policies describe the properties
that the workload must exhibit in order to be assigned an identity,
and are typically described as a mix of process attributes (such as a
Linux UID) and infrastructure attributes (such as running in a VM that
has a particular EC2 label).
The agent runs on any machine (or, more formally, any kernel) and
exposes the local workload API to any process that needs to retrieve a
SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is
exposed locally through a Unix Domain Socket. By verifying the
attributes of a calling workload, the workload API avoids requiring
the workload to supply a secret to authenticate.
SPIRE promises to become the main contributor for workload authentication mechanisms, however so far it's on developing stage with desired future implementation on production deployments.
answered Nov 13 at 12:57
mk_sta
58518
Actually, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms using the same identity document SVID. Istio Citadel is the key component for secure provisioning various identities and provides credential management.
It is feasible in the near future to use Node agent within Istio mesh in order to discover relevant services via Envoy secret discovery service (SDS) API and this approach is very similar to SPIRE design.
The key concepts of SPIRE design, described in the official documentation, you can find below:
SPIRE consists of two components, an agent and a server.
The server provides a central registry of SPIFFE IDs, and the
attestation policies that describe which workloads are entitled to
assume those identities. Attestation policies describe the properties
that the workload must exhibit in order to be assigned an identity,
and are typically described as a mix of process attributes (such as a
Linux UID) and infrastructure attributes (such as running in a VM that
has a particular EC2 label).
The agent runs on any machine (or, more formally, any kernel) and
exposes the local workload API to any process that needs to retrieve a
SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is
exposed locally through a Unix Domain Socket. By verifying the
attributes of a calling workload, the workload API avoids requiring
the workload to supply a secret to authenticate.
SPIRE promises to become the main contributor for workload authentication mechanisms, however so far it's on developing stage with desired future implementation on production deployments.
answered Nov 13 at 12:57
mk_sta
58518
edited Nov 14 at 15:23
answered Nov 13 at 12:57
mk_sta
58518
answered Nov 13 at 12:57
mk_sta
58518
answered Nov 13 at 12:57
mk_sta
58518
58518
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
add a comment |
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Are you saying Istio uses SPIRE internally? From the facts I've read Istio(security) and SPIRE are both implementations for the SPIFFE specification. Never is it mentioned that Istio uses SPIRE.
– Pasan W.
Nov 13 at 16:56
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Yes, you are right Istio implements SPIFFE standards through Istio Auth(Security), I was thinking about similarity between SPIRE design and Node agents in Istio, however I've added some information in my answer.
– mk_sta
Nov 14 at 15:18
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
Istio does NOT expose the Workload API at all. Still it is SPIFFE compliant because the only requirement to be Spiffe compliant is to adhere to this doc which Istio does.
– Pasan W.
Nov 16 at 10:46
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53274332%2fhow-does-istio-implement-this-spec-point-of-spiffe%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
