►
From YouTube: How SPIFFE Helps Istio in Service Mesh Federation - Yonggang Liu & Wencheng Lu, Google
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
How SPIFFE Helps Istio in Service Mesh Federation - Yonggang Liu & Wencheng Lu, Google
This proposal resolves the fundamental identity federation problem between different trust domains, using the trust domain and bundle standard proposed by SPIFFE. As an important collaborator of SPIFFE/SPIRE, Istio adopts this standard to support federations with SPIRE and other identity systems. The newly proposed standard enables multiple service meshes to securely establish trusts for cross-mesh secure communications. In this talk, we will explain how this new standard can help on federated service meshes and how Istio supports the standard. Finally, we will demonstrate how the federation can be set up between Istio and SPIRE systems.
https://sched.co/NrpL
A
Let
me
start
with
the
lady
the
background
introduction.
So
SEO
is
mostly
known
as
a
surf
smash
to
be
most
specific.
It's
an
over
service
platform
to
manage
the
service
interactions
across
workloads
running
from
everywhere,
kubernetes
VM
on
purim
public
cloud.
It
assaults
three
major
problems
for
service
communication.
First
of
visibility.
It
provides
your
uniform
visibility
into
what's
happening
to
your
service.
Who
is
accessing
your
service
was
the
latency
words
error
rates,
which
method
is
called
and
second
operation
operational
agility.
A
Instead,
as
advanced
loader
balancing
traffic
shifting
traffic
shaping
to
help,
you
manage
the
traffic
easily
and
roll
out
a
new
version
of
service
safely.
The
third
panelist
is
power,
Stevens
securities.
They
provide
the
Colorado
policy,
allows
you
to
describe
your
intent
and
easier
enforce
the
desired
security
for
you.
It
has
features
like
mutual
chairs
to
encrypt
data
in
transit.
Also
provides
you
cheaper
protection
against
your
service,
which
refers
to
authentication
or
senegal
hook.
It's
access.
Your
service
authorized.
Allow
you
to
conchagua
to
allow
to
access
your
service
and
audience.
A
Next
is
about
spiffy
spiffy,
it's
basically,
a
set
of
open
source
standards
that
help
you
build.
Secure
production
at
any
different
work
in
a
heterogeneous
environment,
like
is,
do
like
a
VN
cuban
air
is
unplanned
and
adding
environments
and
spiffy
standards
include
two
parts.
First,
as
VI
d
that
defines
what
is
PV
identity
is
and
how
speaker
identity
is
presented
in
the
x.509
certificate.
A
A
A
A
A
Main
point
of
smash
Federation's
provide
interoperability
between
two
different
matches
and
the
message
came
from
come
from
different
organizations
from
different
departments
in
the
same
organizations
or
you
may
have
one
match
on
cran
another
match
on
public
cloud
or
you
have
one
match:
that's
purely
for
Kira
Nerys
workloads,
another
man.
She
is
for
VM
workloads
and
service
and
match.
Federation
allows
you
to
make
these
workloads
talk
to
each
other.
A
The
manage
challenges
on
service
met,
identity,
Federation
service
discovery,
Federation
and
also
absorb
ility
Federation.
For
this
presentation
we
are
about
to
focus
on
identity,
Federation
and
the
two
fundamental
challenges.
First,
we
need
to
build
a
trust
between
matches
like
when
you
receive
requests
from
another
match
how
to
adjust
to
identities.
So
I
can
apply
a
pro
appropriate
policy
to
give
it
the
right
privileges
allow
this
identity
to
access
your
service
and
second,
challenge
identity.
Isolations
I,
don't
want
the
other
match
to
issue
the
same
identity
as
I
didn't
hit
my
match.
B
Thank
you
and
Joan
in
the
following
slides
I'm,
going
to
talk
about
the
technical
details
and
various
approaches
that
we
recommend
for
their
services
service
Federation's,
going
back
to
the
question
of
what
is
a
service,
mesh
and
trust
domain
right
in
terms
of
security
in
the
currency,
currently
steel,
the
applications
in
a
service
match.
They
share
the
common
roots
of
trust
and
they
are
within
the
same
trust
domain.
A
trust
Omen
could
represent
an
individual
organization,
environment
or
department
under
their
own
independent
CBP
infrastructure.
B
The
trust
domain
is
encoded
in
their
East
eo8
annotates,
which
is
compliant
with
a
spiffy
standard
in
the
following
format.
The
spiffy
colon,
slash,
slash,
trust
domain
and
slash
namespace
slash
their
service
account,
so
indeed
slides.
We
are
talking
about
their
identity
Federation,
specifically
so
in
terms
of
the
Federation
of
the
mesh
aids
for
the
applications
in
two
different
service
meshes
to
authenticate
each
other.
We
need
to
verify
each
other's
duplicates
using
their
own
trust
routes.
So,
for
example,
in
this
following,
it
is
following
graph.
B
We
have
service
mesh
one
which
is
with
their
trust,
domain
phu,
kham
and
service
mesh.
Two
with
the
trust
domain
marcom,
for
example,
if
you
want
a
service
in
service
mesh,
one
to
authenticate
a
service
in
service
mesh
to
you,
need
to
have
this
service,
be
able
to
authenticate
the
certificate
presented
by
the
other
and
using
its
own
root
of
trust.
B
B
B
Each
of
the
intermediate
Xia
is
responsible
for
issuing
certificates
for
the
services
that
are
running
in
their
own
mash.
So
in
this
case,
CA
Y
is
eating
certificate
for
service.
A
and
C
a2
is
issuing
certificate
for
service
B.
Both
service,
a
and
service
B,
are
trusting
in
the
route
c8
certificate.
B
So
through
this
complete
certification
chain,
they
can
easily
authenticate
to
each
other
right.
Beyond
that,
our
recommendation
is
intermediacy.
A
name
constraints
can
be
helpful
for
isolating
the
trust
domains.
For
example,
if
you
apply
the
name
constraint
for
intermediacy
a1
to
only
issuing
certificate
for
team,
one
dot,
phu
kham,
if
this
one
is
compromised
it,
for
example,
it
you
should
dedicate
for
team
2,
which
is
belongs.
Learning
to
this
part
service
B.
We
are
very
fighters
named
constraint
and
decline.
This
connection.
B
B
The
root
CA
is
signing
certificate
for
their
services
running
in
their
own,
so
mesh,
and
you
can
see
the
service.
The
services
are
trusting
their
own
root,
CA
certificates,
talking
about
their
service
and
Federation,
their
mash
Federation.
Some
of
the
you
might
think
about.
Okay,
we
might
be
able
to
cross
sy
the
root
certificates
so
that
we
can
build
up
a
different
certification
chain
to
enable
their
mutual
trust,
so
how
this
works?
B
B
In
this
graph
we
are
showing
the
the
it's
the
same,
loosely
a
signing
certificate
for
service.
A
you
see
a
two
significant
first
service
too.
But
beyond
that
you
will
notice
in
the
red
box.
There's
our
trust
for
food.
Comm
only
use
this
red
certificate,
which
means
the
root
CA
one
certificate
to
verify
it
and
bar.com.
You
should
only
use
their
roots,
they
tooth
certificate
to
verify
it.
B
How
this
entire
thing
works,
be
patient
I
will
talk
about
it
in
the
following
slides,
ok,
so
first
let
me
spend
one
minute
to
talk
about
the
CBP
transponder.
The
CBP
transponder
is
an
RFC
75
y7
compliant
GW
case
that
continuing
are
trans
domains,
cryptographic
keys
for
the
validation
of
the
certificates
issued
in
that
trust
domain.
If
some
of
you
are
familiar
with
their
tina
bouquet
as
standard,
you
will
figure
out
how
this
works,
but
here
I'm
going
to
give
you
an
example.
B
Further
trans
bundle,
you
will
have
kids
representing
the
certificates
for
this
trust
domain.
It's
an
array,
so
that
means
you
may
have
multiple
kids,
that
you
can
use
to
verify
the
certificates
in
that
trust
domain.
The
youth
part
it's
required
for
CPC
standard
to
be
x.509
as
the
ID
as
the
ID
means
a
spiffy,
verifiable
identity
document.
B
The
x5c
this
part
is
critical.
It
carries
the
base64
encoded
dur
of
there
expel
the
night
certificate
that
you
use
to
verify
the
certificates
for
that
trans
domain
and
one
more
interesting
field.
Is
this
one
beefy
refresh
hint,
which
means
this
bundle
will
be
valid
for
10
minutes
600
seconds
right,
the
key
type
and
those
four
fields
are
redundant
here.
They
are
more
useful
for
dot
type
trust
bundles.
So
one
thing
to
note
here
is
the
CBP.
B
Trust
bundle
not
only
serves
for
their
x.509
certificate,
but
it
also
serves
for
setting
up
the
trust
for
tokens.
So
in
that
case
you
won't
have
their
ex
levels
see.
You
will
use
this
one
to
verify
their
to
obtain
the
public
key.
We
put
it
here
because
this
is
a
mandatory
field
for
dirty
wks
standard.
B
B
The
consuming
part
e
still
at
me
is
to
configure
a
mapping
from
the
trans
domain
to
the
end
point
and
then,
when
II
still
gas
that
mapping
it
authenticates
the
end
point
and
retrieves
the
bundle
from
it
and
then
it
will
build
up
message,
including
the
straddle
trust
domain
and
bundle
to
oppose
and
propagate
them
to
their
workloads,
and
the
workloads
can
use
it
in
the
certificate.
Verification
to
give
you
more
vivid,
explained.
Explanation
of
this
flow
I
taught
this
down
into
their
pictures.
B
This
is
an
example.
On
the
left
side
you
will
have
Citadel,
so
there
is
their
CA
in
east
eel
on
the
right
side.
It's
the
spire
server,
which
is
the
CA
in
CB
v
standard
implemented
by
their
sky
trail
company.
Suppose
you
want
to
feather
it
in
the
left
side
with
the
right
side
and
for
this
to
work.
You
will
have
a
transponder
management
module
running
in
Seville
and
spire
server.
This
module
is
in
charge
of
both
publishing
their
trust,
bundle
and
point
and
also
consuming
the
transponder
from
their
other
end
points.
B
B
B
After
that,
the
serial
side
will
create
a
trust,
mundo
message:
mapping
from
phu
kham
with
its
own
routes.
The
packet
and
bar
comm,
with
the
certificate
from
the
sparrow
server
side
and
propagated
it
to
service
a
and,
on
the
other
side,
the
same
now
service
a
will
have
the
trust,
bundle
and
service.
B
will
have
a
very
similar
transponder
on
each
side
service.
A
can
use
bar
comm
mapped
root
certificate,
which
is
the
green
one
to
authenticate
service,
B
and
service
B
will
use
the
red
certificate.
B
Mapped
from
foo.com
to
authenticate
serves
a
so
that's
basically
about
this
flow
about
the
isolation,
identity.
Isolation
right
supports
in
a
scenario
the
spiral
server
is
compromised.
So
what
will
happen
if
the
service
server,
the
spire
server,
is
issuing
a
certificate
for,
for
example,
food
comm?
What
will
happen
is
the
source?
A
will
gather
service,
beats
defecate
and
exam
its
trust
domain,
and
it
will
figure
out.
Oh
it's
from
food
calm
which
is
wrong
right
and
then
it
will
use
the
trust.
Don't
trust
bundle,
see
the
trans
bundle
and
see
Oh
food
Oh
calm.
B
We
should
use
this
red
certificate
to
verify,
and
then
it
will
try
to
use
this
guy.
This
is
on
root
certificate
and
it
will
figure
out.
Oh
it's
wrong.
It's
actually
not
working,
it's
not
signed
by
this
guy.
Then
this
handshake
will
fail.
So
that's
how
their
identity
isolation
works
in
there,
either
in
their
service.
Federation.
C
B
A
good
question,
so
his
question
is:
there's
a
600
seconds.
Expericence,
further
trust,
bundle
and
I
didn't
show
in
this
picture.
So
basically
go
back
this
one.
This
retrieving
transponders,
it's
periodic
every
you
should
have
have
it
in.
In
that
case,
it's
a
600
seconds
and
you
retrieve
this
new
transponder
and
compare
it
with
the
transponder
that
you
cashed.
If
it's
any
difference,
you
will
propagate
new
transponders
to
their
workloads.
C
B
So
the
question
is
for
this
encoding:
what's
there
how
its
work,
how
its
encoded
right
yeah,
so
that
fellow
cx-5
see
certificate
it's
encoded
in
base64,
so
it's
not
using
a
public
key,
but
this
one.
This
public
key
is
the
same
with
there's
the
public
key
in
the
certificate
it's
kind
of
redundant
here,
just
because
this
is
required
by
their
twk
as
standard.
We
have
to
put
something
there,
but
beyond
that,
if
you
have
x.509
dot
suppose
their
transponder
is
for
chart,
you
won't
have
this
field,
and
in
that
case
this
will
will
be
meaningful.
B
C
B
E
A
B
A
good
question,
so
if
this
refresh
second,
if
this
is
smart
and
it's
changed
right
there,
TLS
handshake
will
detect,
will
verify
the
certificates
only
at
the
beginning
of
the
connection,
and
currently
we
don't
have
a
renegotiation
mechanism
implemented
in
my
by
default
in
you
steal.
So
if
you
created
the
connection
before
this
changes,
it
will
still
work
be
working
unless
you
disconnect
and
then
you
try
to
redo
the
handshake,
and
if
this
is
changed
and
it's
not
valid
anymore,
you
will
fail.
A
A
The
other
case
is
orthogonal
to
Federation
and
the
key
is
you
want
to
understand.
Who
is
calling
you
which
identity
is
being
used,
and
then
you
can
apply
policy
to
that
identity?
The
things
that
is
specific
to
mesh
Federation
is
that
when
identity
come
from
another
idea,
another
mesh,
they
trust
domain
in
which
you
can
use
to
identify
which
I
don't
which
matches
are
in
the
come
from
so
in
the
know,
I
am
policy.