SPIRE Use Cases
Andrés Vega edited this page Aug 4, 2020 · 1 revision
This is a list of the prioritized use cases that the project team intends to support with SPIRE.
Use Case | Description | Method | What does a user need to know? |
---|---|---|---|
SPIFFE to SPIFFE authentication using an in-application client library | Two SPIFFE-identified workloads need to authenticate and establish an mTLS connection between each other. This method can't be used when a Layer 7 load balancer or web application firewall is between the two workloads. | Java client library, C client library or Go client library | How to install a SPIRE Server on their target environment (Linux or Kubernetes); how to install a SPIRE Agent on their target environment and configure Node Attestation (Linux or Kubernetes); how to configure workload attestation to identify their target workload (Linux or Kubernetes); how to retrieve and validate X.509-SVIDs from their workload in their language of choice, or using their proxy of choice |
SPIFFE to SPIFFE authentication with JWT tokens and using an in-application client library | Two SPIFFE-identified workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality. | Java client library, C client library or Go client library | As for "SPIFFE to SPIFFE authentication using mTLS" but also: why they might choose to use JWTs to authenticate workloads; how to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice |
SPIFFE to SPIFFE workload authentication with mTLS and using the Envoy proxy | Two SPIFFE-identified workloads need to authenticate and establish an mTLS connection to authenticate the channel. This method can't be used when a Layer 7 load balancer or web application firewall is between the two workloads. | Envoy proxy | As for "SPIFFE to SPIFFE authentication using mTLS" but also: how to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice |
SPIFFE to SPIFFE workload authentication with JWT and using the Envoy proxy | Two SPIFFE-identified workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality. | Envoy proxy | As for "SPIFFE to SPIFFE authentication using mTLS" but also: why they might choose to use JWTs to authenticate workloads; how to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice |
SPIFFE to SPIFFE authentication using JWTs | Two SPIFFE-identified workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality. | Java client library, C client library, Go client library or Envoy proxy | As for "SPIFFE to SPIFFE authentication using mTLS" but also: why they might choose to use JWTs to authenticate workloads; how to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice |
Authenticating to a datastore - MySQL | A SPIFFE-identified workload is authenticating to MySQL using an X.509-SVID, and should assume a set of entitlements in MySQL when it does. | X.509 authentication (configuration specific to MySQL) | As for "SPIFFE to SPIFFE authentication using mTLS" but also: how to configure a "Bundle Pusher" on MySQL; how to configure MySQL to allow authentication using X.509-SVIDs; how to configure a MySQL client to use the X.509-SVID and key to authenticate to MySQL |
Authenticating to a cloud platform - AWS | A SPIFFE-identified workload is authenticating to Amazon Web Services (note: not a workload running on AWS), and should assume a specific AWS IAM role when it does. See also: Walkthrough from Engineering | OIDC federation to AWS and JWT authentication | As for "SPIFFE to SPIFFE authentication using JWTs" but also: how to configure the SPIFFE Federation endpoint in the context of OIDC; how to configure Amazon Web Services to consume the Federation Endpoint; how to configure Amazon Web Services to associate AWS IAM roles with a SPIFFE ID; how to exchange a retrieved SVID for an AWS STS token |
Authenticating to a workload running in an Istio service mesh | A customer wishes to authenticate a SPIFFE-identified workload that was identified by a SPIRE Server to a workload running in an Istio cluster, and vice versa. | (likely) SPIFFE Federation | To be determined |
Authenticating two workloads on two different SPIRE installations | A customer wishes to authenticate two SPIFFE-identified workloads that are identified by two different SPIRE Servers. | SPIFFE Federation | As for "SPIFFE to SPIFFE authentication using JWTs" but also: how to configure each server to expose its SPIFFE Federation endpoint using ACME; how to configure each server to retrieve trust bundles from the other server (using the federate_with configuration option); how to modify registration entries so that they are federated with other trust domains |
Authenticating to a cloud platform - Azure | A SPIFFE-identified workload is authenticating to Azure (note: not a workload running on Azure), and should assume a specific set of MSP entitlements when it does. | OIDC federation to Azure and JWT authentication | Likely similar to "Authenticating to a cloud platform - AWS" |
Authenticating to a cloud platform - Google Cloud Platform | A SPIFFE-identified workload is authenticating to Google Cloud Platform (note: not a workload running on Google Cloud Platform), and should assume a specific IAM role when it does. | OIDC federation to GCP and JWT authentication | Likely similar to "Authenticating to a cloud platform - AWS" |
Authenticating to a secret store - HashiCorp Vault | A SPIFFE-identified workload is authenticating to Vault using an SVID, and should assume a specific Vault role when it does. | To be determined | To be determined |
Authenticating to a datastore - Postgres | A SPIFFE-identified workload is authenticating to Postgres using an X.509-SVID, and should assume a set of entitlements in Postgres when it does. | X.509 authentication (configuration specific to Postgres) | To be determined |
Authenticating to a message queue - RabbitMQ | A SPIFFE-identified workload is authenticating to RabbitMQ using an X.509-SVID, and should assume a set of entitlements in RabbitMQ when it does. | X.509 authentication (configuration specific to RabbitMQ) | To be determined |
Attesting only signed workloads using Notary | A customer wishes to issue SPIFFE identities only to a container that has been signed with a Notary signature indicating it has been processed by the customer's CI/CD system. | Configuring a Notary workload attestor | To be determined |
Using SPIRE with Envoy and OPA for access policy management | A customer wishes to use SPIRE in conjunction with Open Policy Agent and either the Envoy proxy or in-application client libraries for turn-key authentication and authorization. | Envoy proxy + OPA sidecar in Kubernetes | To be determined |
Use SPIRE to authenticate Kubernetes human operators securely to a Kubernetes cluster | Users of Kubernetes need to authenticate to the cluster as a user when they run their kubeproxy or kubectl tools. SPIRE could issue JWTs or X.509 certificates that could be used to identify users to the cluster. The JWTs could be based on a combination of existing user identity (e.g. an OIDC directory) and node identity (e.g. via a YubiKey). Some OSS projects also enable this in limited forms (e.g. kube-oidc-proxy and the Jenkins SSO operator). | To be determined | To be determined |
Use SPIRE to securely bootstrap the components of a distributed Kubernetes cluster | Setting up a Kubernetes cluster requires trust (in the form of X.509 certificates) to be established between member nodes. While there are tools (e.g. kubeadm/kops) to automate this, customers may wish to leverage SPIRE attestation to do this based on stronger roots of trust (e.g. TPMs). | To be determined | To be determined |
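The mTLS rows above all end with the same step: retrieve an X.509-SVID and validate the peer's. The following Go program is an added example, not code from this page or from the SPIRE project, showing what that validation involves using only the standard library rather than the go-spiffe client library: the bundle is keyed by trust domain, the peer's SPIFFE ID is read from the certificate's URI SAN, and the chain is built against that domain's bundle, never the system roots. `IssueCA` and `IssueSVID` are constructed stand-ins for the SPIRE Server so the program runs offline; the trust domain `example.org` and the workload path are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundle maps a trust domain name (the host part of a SPIFFE ID, e.g. "example.org")
// to the CA certificates trusted to sign X.509-SVIDs for that domain.
type Bundle map[string]*x509.CertPool

// NewBundle builds a one-domain bundle; a federated peer would hold several domains.
func NewBundle(trustDomain string, ca *x509.Certificate) Bundle {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return Bundle{trustDomain: pool}
}

// mint generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCA creates a self-signed CA: a constructed stand-in for a SPIRE Server's signing CA.
func IssueCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueSVID issues a short-lived leaf whose only URI SAN is spiffe://<trustDomain><path>.
func IssueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, trustDomain, path string) (*x509.Certificate, error) {
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
	}, ca, caKey)
	return leaf, err
}

// VerifySVID validates a peer chain the SPIFFE way: the leaf carries exactly one
// spiffe:// URI SAN, the chain is built against the bundle of the trust domain named
// in that SAN (never the system roots), and the authenticated SPIFFE ID is returned.
func VerifySVID(chain []*x509.Certificate, bundle Bundle) (string, error) {
	if len(chain) == 0 {
		return "", fmt.Errorf("empty certificate chain")
	}
	leaf := chain[0]
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("leaf must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	roots, ok := bundle[id.Host]
	if !ok {
		return "", fmt.Errorf("no trust bundle for trust domain %q", id.Host)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return id.String(), nil
}
```

On a live connection, `VerifySVID` is the body of a `tls.Config.VerifyPeerCertificate` callback (parse the raw DER chain, verify, then compare the returned SPIFFE ID against the set of peers this workload is willing to talk to). Authentication and authorization stay separate: the bundle answers "is this really spiffe://example.org/ns/prod/sa/web?", and only an explicit allow-list on the returned ID answers "may it call me?".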
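The JWT rows above ask how to retrieve and validate JWT-SVIDs. This Go program is an added example, not code from this page or from the SPIRE project: it mints an ES256 JWT-SVID (a constructed stand-in for what the Workload API does on the workload's behalf) and validates one the way a receiving workload must, in order: the algorithm is pinned, the key ID is looked up in the bundle of the trust domain named by `sub`, the signature is checked, then expiry, then audience. The key ID `k1`, the trust domain `example.org` and the audience names are made-up values, and the `JWTBundle` map stands in for the JWKS document a SPIRE Server actually publishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Claims are the JWT-SVID claims that validation depends on. "aud" is kept in the
// array form SPIRE emits; a bare-string "aud" fails to unmarshal and is rejected.
type Claims struct {
	Sub string   `json:"sub"` // the workload's SPIFFE ID
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// JWTBundle maps trust domain -> key ID -> public key: the content of the JWKS a
// SPIRE Server publishes for its trust domain, and what a federated peer fetches.
type JWTBundle map[string]map[string]*ecdsa.PublicKey

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigner generates a P-256 key pair; the public half goes into the bundle under a kid.
func NewSigner() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignJWTSVID mints an ES256 JWT-SVID (constructed stand-in for the Workload API).
func SignJWTSVID(key *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "ES256", Kid: kid})
	p, _ := json.Marshal(c)
	input := enc(h) + "." + enc(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc(sig), nil
}

// ValidateJWTSVID returns the SPIFFE ID carried in token after checking: alg is ES256
// (never "none" or an HMAC alg), the key ID resolves in the bundle of the trust domain
// named by "sub", the signature, the expiry, and that this audience was intended.
func ValidateJWTSVID(token, audience string, bundle JWTBundle, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	h, c := header{}, Claims{}
	for i, dst := range []interface{}{&h, &c} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(raw, dst)
		}
		if err != nil {
			return "", err
		}
	}
	if h.Alg != "ES256" {
		return "", fmt.Errorf("unsupported alg %q", h.Alg)
	}
	id, err := url.Parse(c.Sub)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" {
		return "", fmt.Errorf("sub %q is not a SPIFFE ID", c.Sub)
	}
	key, ok := bundle[id.Host][h.Kid] // a nil inner map just yields ok == false
	if !ok {
		return "", fmt.Errorf("no key %q in bundle for trust domain %q", h.Kid, id.Host)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(key, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("token expired")
	}
	for _, a := range c.Aud {
		if a == audience {
			return c.Sub, nil
		}
	}
	return "", fmt.Errorf("token not intended for audience %q", audience)
}
```

The ordering matters: the key is chosen from the trust domain the token itself claims, so a token for `spiffe://other.test/...` is never checked against `example.org`'s keys, and the audience check is what stops a token a workload obtained for one service from being replayed against another, which is the reason the "confidentiality" caveat in the JWT rows does not also become an impersonation problem.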
Visit spiffe.io to learn how to use SPIRE.