
Securing Edge Workloads With Cert-Manager And SPIFFE

2022-10-27

Authors:   Sitaram Iyer, Riaz Mohamed


Summary

The talk discusses how to manage security at the edge using cert-manager and utilizing SPIFFE as a way to manage and distribute trust.
  • Workloads are moving from data centers to the edge, and Kubernetes has been adopted to run these workloads.
  • The challenge is to secure these workloads and manage certificates and renewals at scale.
  • Cert-manager and SPIFFE can be used to manage security at the edge and distribute trust.
  • The talk demonstrates how to provision and renew certificates for both ingress and mTLS use cases using cert-manager on a Raspberry Pi.
The talk starts with an anecdote about a financial institution that faced challenges in securing workloads and managing payments and refunds. The institution had to deal with lost and repurposed terminals, as well as fraud. This illustrates the need for a standard way of generating identities for workloads across clusters and building trust.

Abstract

Workloads are moving from data centers to the edge more than ever. As workloads migrate to the cloud, many enterprise IT firms are seeing compute resources move closer to where the data is created. Edge computing models have become far more attractive to industries such as telecom, farming, public safety, retail and medical because they minimize network latency and put essential functions closer to the technology consumer. The rate at which Kubernetes is being adopted to run these workloads has been increasing exponentially, as seen with 5G network deployments. How do we secure these workloads, be it ingress, pod-to-pod (mTLS) security, or trust domains? How do we manage certificates and renewals at scale? How do we enable security policies and postures at edge locations? The talk will go through how to manage security at the edge using cert-manager, utilizing SPIFFE as a way to manage and distribute trust. We will run cert-manager on a Raspberry Pi and look at provisioning and renewing certificates for both ingress and mTLS use cases.
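The two use cases named in the summary and the abstract (an ingress certificate and a short-lived mTLS workload certificate carrying a SPIFFE ID) map onto a small set of cert-manager resources. The manifests below are an added example written for this page, not the speakers' demo material: the cluster-local CA, the issuer and certificate names, the namespace, the hostname and the `spiffe://pos.example/...` trust domain are all placeholders chosen for illustration. They use only the documented `cert-manager.io/v1` fields.

```yaml
# Added example (not from the talk). All names, hosts and the trust domain
# pos.example are placeholders.

# 1. A private CA for the edge cluster. The self-signed Issuer only bootstraps
#    the CA key pair; the ClusterIssuer below then signs leaf certificates with it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: cert-manager
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: edge-ca
  namespace: cert-manager      # ClusterIssuer reads its secret from this namespace
spec:
  isCA: true
  commonName: edge-ca
  secretName: edge-ca-keypair
  duration: 8760h              # 1 year
  renewBefore: 720h            # re-issue 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: edge-ca
spec:
  ca:
    secretName: edge-ca-keypair
---
# 2. Ingress (server TLS). cert-manager's ingress-shim sees the annotation and
#    creates a Certificate for the hosts under .spec.tls, stored in secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: payments-ingress
  namespace: payments
  annotations:
    cert-manager.io/cluster-issuer: edge-ca
spec:
  tls:
    - hosts:
        - payments.store-042.example.internal
      secretName: payments-ingress-tls
  rules:
    - host: payments.store-042.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: payments
                port:
                  number: 8443
---
# 3. Pod-to-pod mTLS. A short-lived certificate whose identity is a SPIFFE ID in
#    the URI SAN, not a DNS name. Peers verify it against ca.crt, which the CA
#    issuer writes into the same Secret, and compare the URI against policy.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: terminal-agent
  namespace: payments
spec:
  secretName: terminal-agent-tls
  duration: 24h
  renewBefore: 8h              # renewed three times a day, well before expiry
  uris:
    - spiffe://pos.example/ns/payments/sa/terminal-agent
  usages:
    - digital signature
    - client auth
    - server auth
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always     # fresh private key on every renewal
  issuerRef:
    name: edge-ca
    kind: ClusterIssuer
    group: cert-manager.io
```

To confirm renewal is wired up, `kubectl get certificate -n payments` shows `READY` and the `notAfter`/`renewalTime` fields in the Certificate status; `kubectl get secret terminal-agent-tls -n payments -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -ext subjectAltName` shows the SPIFFE URI SAN. One caveat a practitioner should keep in mind: the Certificate resource states the SPIFFE ID literally, so anyone who can create Certificate objects in that namespace can claim any ID the issuer will sign. Restrict that with RBAC on Certificate resources, or with an issuance policy in front of the issuer, before relying on the URI SAN as the workload's identity.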

Materials: