Bridging the Great Divide: SPIFFE/SPIRE for Cross-Cluster Authentication


Authors: Andrew Harding


The presentation discusses the use of SPIFFE/SPIRE for cross-cluster authentication in Kubernetes.
  • SPIFFE is a set of specifications for giving workloads a cryptographic identity that they use to authenticate to other workloads
  • SPIRE is a tool that implements the SPIFFE specifications
  • Cross-cluster authentication is complicated, but can be solved with SPIFFE/SPIRE
  • The presentation includes a live coding and demo session to show how easy it is to use SPIFFE/SPIRE in Kubernetes workloads
The presenter mentions throwing his back out and not being able to break dance, but quickly moves on to the topic at hand.


Cross-cluster authentication got you down? Losing your hair trying to get mutually authenticated TLS inside, outside, and everywhere in-between? Fret no more! In this talk, Andrew Harding, a maintainer on the SPIFFE and SPIRE projects, will dig deep into a turnkey SPIRE deployment within Kubernetes that provides workloads and proxies with X.509 certificate-based SPIFFE identities. Andrew will demonstrate how to use these identities for cross-cluster authentication by declaring federation relationships between clusters using familiar Kubernetes primitives. On top of that, a live coding and demo session will show just how easy it is to leverage SPIFFE from within Kubernetes workloads with just a few lines of code.