The presentation discusses the Secure Production Identity Framework for Everyone (SPIFFE) and how it can be used with Cert Manager to deliver certificates to pods that are SPIFFE-compliant and attested by workload identity.
- SPIFFE is an open-source framework that defines a standard for defining a workload or machine identity.
- SPIFFE can issue SVIDs in two document formats, JWT and x509, and can verify SVIDs of other workloads.
- SPIFFE has an emerging ecosystem of plugins to integrate with other tools and services.
- CSI Driver SPIFFE can be used with Cert Manager to deliver certificates to pods that are SPIFFE-compliant and attested by workload identity.
- CSI is the way that any kind of storage works in Kubernetes.
The speaker shared a personal anecdote about creating a key with an expiry date of 99.99 years, not realizing the potential security risks. They also mentioned using a private repository on GitHub, which later led to others accessing their service account key with project-wide privileges.
If you’re like me, your Kubernetes journey started well. Booting up a cluster and deploying a demo application, only to find the dreaded “Your connection is not private” message in your web browser. Attackers could be stealing your information, credit cards and passwords? Frankly, your sock shopping addiction should be nobody's business. Luckily I found the cert-manager project. As if by magic, this clever controller made my security woes fold away. What about secrets? API and service account keys. This highly sensitive data must be bolted to your pod to ensure it can access databases, api-servers and more. After accidentally committing raw secrets to Github (nobody got time for that), I grew tired. I crawled away into the wonders of Google Cloud Workload Identity. But wait? Haven't I given up on the wonder of multi-cloud Kubernetes? If only identity could come batteries included. As an encore in the machine identity space, cert-manager now leverages SPIFFE to solve this problem. Pods are empowered to enter the VIP lounge of their choice in whatever cloud, provided they are on the guest list. Don't believe me? Call me on my bluff. Join me as I explore how this industry problem has been solved using the same magic that gave us TLS on Kubernetes only a few short years ago.