►
From YouTube: Untangling the Multi-Cloud Identity and Access Problem With SPIFFE Tornjak - B Lum & M Sabath
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Untangling the Multi-Cloud Identity and Access Problem With SPIFFE Tornjak - Brandon Lum & Mariusz Sabath, IBM
When an organization moves to a multi-cloud environment, one of the first questions a developer will ask is “How do I access my S3 bucket in AWS from my GCP cluster?” (or any other permutations thereof cloud services/providers). This is an unsurprising request. However, the solutions to these problems today are surprisingly inadequate, especially when security and compliance are considered. This problem stems from cloud providers/services each having their own notion of workload identity and schema, which makes federation difficult. This talk proposes a shift in the perspective of workload identity from being “platform specific” to “organization wide” using SPIFFE/SPIRE and the new SPIFFE Tornjak project to provide a consistent and secure organization-wide management plane for workload identity and access across multiple clouds. After all, user identities are managed on the organization level (e.g. LDAP, etc.), why should our handling of workload identities be any different?
A
So
before
we
go
ahead,
a
little
quick
introduction,
my
name
is
brandon
and
I'm
here
with
my
colleague
marush
and
we
are
both
from
ibm
research
and
today
we
are
going
to
start
by
telling
you
a
bit
more
about
workload:
identity,
how
it
works
in
a
cloud
provider.
We're
then
going
to
bring
this
into
multi-cloud
context
and
we're
going
to
talk
about
solutions
that
work
today
and
some
of
their
limitations.
A
So
each
of
them
have
has
an
identity
provider
that
comes
in
the
form
of
a
root
of
trust
or
certificate
authority.
This
certificate
authority,
then
issues
identities
through
the
form
of
usually
some
kind
of
infrastructure.
Service,
such
as
you
know,
for
aws
example,
would
be
the
aws
metadata
service.
A
So
we
then
have
a
workload,
that's
running
on,
let's
say
kubernetes
or
openshift,
this
container
that
wants
to
access
a
service
such
as
a
database.
What
they
have
to
do
is
then
they
have
to
talk
to
the
service
to
obtain
a
workload,
identity
that
comes
in
the
form
of
usually
a
x,
509
certificate
or
jw
key
token.
A
A
A
So
let's
talk
about
how
this
is
done
today
right,
so
the
first
method
is
using
long
live
credentials.
This
is
probably
something
that
most
have
had
done
before
myself
included,
and
what
this
involves
is
you
know,
for
example,
if
I
want
to
access
azure
cosmos,
eb
as
a
resource
for
ibm
cloud,
what
I
would
do
is
I'll
go
up
to
the
azure
service
say:
please
create
an
api
key
for
me,
or
some
long
live
credential
and
myself
as
an
administrator,
would
take
this
api
key,
which
is
just
a
bunch
of
bytes.
A
I'm
gonna
create
a
kubernetes
secret.
I'm
gonna
mount
it
into
my
workload
and
my
workload
will
then
be
able
to
access
the
service.
So
this
technique
is
is
great
because
it's
very
simple:
it's
really
easy
to
get
started.
Unfortunately,
it
comes
with
several
caveats,
so
one
of
which
is,
we
are
using
a
long
life
credential.
That
means
that
it's
very
difficult
to
manage
the
risk.
If
there's
a
there's,
an
incident
that
happens
it's
difficult
to
measure
the
blast
radius.
A
So
the
next
method
of
doing
this
is
through
cloud
federation.
The
idea
behind
federation
is
fairly
simple.
It
means
that
we
want
to
teach
an
im
system
for
one
cloud:
how
to
interpret
and
how
to
authenticate
identities
from
another
right.
This
is
usually
done
by
protocols
such
as
oidc
or
taking
the
trust,
bundles
or
certificate
authorities,
and
then
moving
them
to
the
next
cloud,
and
this
is
great
right,
because
we
are
still
using
the
short-lived
credentials
from
the
cloud.
We
don't
need
administrators
or
any
intermediaries
that
come,
and
you
know,
handle
these
credentials.
A
Awesome
talks
over,
unfortunately,
that
this
is
not
the
case,
so
there
are
several
problems
with
federation
today.
So
the
first
is
that
federation
support
kind
of
varies
within
within
the
clouds.
If
I
want
to
access
a
gcp
resource
from
aws
with
google
cloud's
identity
pool
service-
and
this
can
be
done
fairly
easily,
however,
if
you
want
to
do
the
opposite,
this
is
a
fairly
involved
process
and
this
blog
post
linked
here
actually
describes.
You
know
what
you
need
to
do.
It's
you
need
to
install
a
bunch
of
things.
You
know
kubernetes,
cluster
and
so
on.
A
A
The
issue
with
this
is
that
some
of
these
fields
may
not
have
meaning
in
other
clouds,
for
example,
aws
security
group
ids
when
we
see
it
from
in
ibm
cloud
perspective
or
zero
perspective,
don't
really
have
any
meaning
and
what
this
results
in
is.
It
becomes
difficult
to
manage
identities
or
to
create
meaningful
access
policies
across
clouds
within
your
organization
and,
lastly,
comes
the
problem
of
scale.
A
We
think
about
john
from
development,
he's
a
funny
guy.
You
know
he
he
has
access
to
these
bunch
of
clouds
right
and
so
the
question
is:
why
don't
we
treat
our
identities
the
same
way
right?
Applications
and
services
are,
after
all,
organizational
constructs
right.
Why
are
we
married
to
this
idea
that
workflow
identity
has
to
be
tied
to
the
platform?
A
A
We
can
see
it
has
the
name
of
the
organization
it
has
a
region,
so
maybe,
if
you
use
compliance
or
compliance
controls,
whether
it's
dev
staging
prod
and
also
the
department
or
the
project
in
which
the
workload
belongs
to
another
part
of
creating
an
organization,
a
wide
vocal
identity.
Is
you
want
to
really
minimize
the
points
of
federation?
A
A
It's
also
as
important
that
we
make
sure
that
workloads
get
the
correct
credentials
and
the
workloads
with
the
correct
credentials
really
have
been
attested,
and
we
can
prove
that
it
is,
they
are
who
they
say
and
last
but
not
least
because
after
all,
we
want
to
alleviate
the
the
management
problem.
We
want
to
have
a
single
point
of
federation
to
all
the
cloud
services
and
how
we're
going
to
do
this
is
we're
going
to
use
spiffy,
spire
and
tonyank.
A
A
It
is
kind
of
like
the
identity
spec,
it
defines
how
workflows
can
securely
obtain
their
identities.
We
have
spire,
that
is
the
implementation
and
implementation
of
spiffy.
In
this
case
it
provides
the
zero
trust
associations
of
the
workloads
and
the
infrastructure,
as
well
as,
together
with
the
oidc
discovery.
Service
provides
a
final
federation,
and,
last
but
not
least,
we
have
tonya,
which
is
a
control
plane,
slash
ui
for
spire
and
together
with
the
kubernetes
workflow
registrar,
it
provides
a
way
to
define
the
universal
workload,
identity
and
enforce
it.
A
B
B
B
B
B
B
Good
okay,
so,
let's
start
with
the
tourniquet
interface.
So
if
you
look
at
the
navigation
bar,
we
have
a
management
for
clusters,
agents
we
can
list
and
manage
the
entries.
There
is
a
section
for
server
information
and
the
dashboard
tourniac
dashboard.
So
let
me
just
go
to
the
clusters,
and
here
we
go.
We
manage
six
different
clusters
and
they
are
deployed
in
different
locations,
different
clouds.
So,
for
example,
we
have
here
amazon.
B
This
is
azure
and
there
are
a
few
in
ibm
cloud.
Some
of
them
are
openshift
and
others
are
just
a
native
kubernetes.
Okay,
if
we
click
here
on
tornack
info,
you
can
see
that
this
spire
server
is
defined
with
node,
attesters
and
right
here
we
have
one
for
kubernetes,
there's
one
for
amazon
and
azure.
Okay,
if
we
click
here
on
the
dashboard
oops.
Sorry,
when
you
click
here
on
dashboard,
we
can
view
here,
agents,
workloads
and
all
the
clusters.
B
So
let's
go
to
one
of
the
clusters:
we're
going
to
use
the
tsi
cube01,
which
is
in
ibm
cloud
right
here.
Details-
and
here
we
go.
We
have
three
nodes
with
three
different
agents.
They
are
all
are
tested.
You
can
see
here,
let's
look
at
the
entries,
so
there
is
one
entry
here.
This
is
the
workload
registrar
that
automates
the
entries
for
all
the
workloads
that
would
be
created
here.
B
Okay,
so
before
I
show
the
demo
on
the
how
we
create
the
workloads
and
get
the
access,
let
me
just
show
you
quickly
what
we've
done
on
amazon
site.
So
here
is
our
mars
bucket.
It's
called
mars
spire
and
there
is
a
special
file
called
mars
txt,
which
is
the
sensitive
file
that
we
want
to
protect.
So
this
is
what
we
want
to
govern.
B
B
I
guess
that's
it
at
the
provider.
Okay
done
so
we
just
created
ourselves
our
sales
identity
provider.
So
let
me
look
all
of
them.
You
see
that
all
of
them-
okay,
this
is
the
guy
spacex
o3.
Okay,
so
we've
done
this
already
earlier.
So
let
me
show
you
how
we
define
policies
so
there's
one
xo5
that
we
would
be
using
further.
So,
let's
click
on
the
roles.
B
Okay,
what
roles
do
they
basically
tie
the
policies
with
the
identity
providers?
So
let
me
show
you
how
the
policy
looks
like
come
on
all
right,
so
there
is
a
policy
that
defines
read
access
to
the
mars
spire
bucket,
the
one
that
I
showed
you
earlier
and
let's
look
at
the
trust
relationship
for
this
identity
provider.
B
The
region
must
be
us,
so
it
has
to
begin
with
the
us
prefix
and
the
cluster
name
mars.
I'm
sorry
mission,
namespace,
elon,
musk
service
account
and
mars
mission,
the
pod
name,
okay,
so
we're
done
here
now,
let's
go
to
the
to
the
cluster,
so
this
is
the
blue
cluster.
This
is
the
ibm
cluster.
So
from
here
let
me
show
you
there's
nothing
running
yet
all
right.
B
B
B
So
let's
do
that,
and
here
is
the
identity
in
a
text
format.
Let's
take
a
look
at
edit,
so
we
have
open
shift
space
x,
that's
the
domain!
That's
the
organization
region
is
running
in
u.s,
south
cluster
name,
tsi,
cube01,
namespace
mission,
elon
musk
as
a
service
account
and
the
pad
name.
Okay.
So
in
theory
that
should
comply
with
the
policy
that
we
created
earlier
and
this
chunk
over
here.
That's
the
gwd
token.
So
let's
retrieve
this
guy
into
a
file.
B
All
right
it's
done
now.
We
can
invoke
the
call
to
a
aws
to
copy
the
file
from
this
bucket.
So
let's
do
this.
As
you
can
see,
we
are
using
the
royal
mars
mission.
We
pass
the
ident,
the
jwd
token
that
was
captured
a
minute
ago
and
we're
just
simply
asking
for
a
file
and
copy
it
locally.
So,
let's
see
if
it
was
delivered,
it's
done.
Let's
just
look:
what's
inside
and
here
you
go,
you
have
a
recipe
for
the
concentrated
dark
matter
from
the
rick
and
morty
series.
B
B
Okay,
so
in
our
demo,
you
could
see
how
easy
it
is
to
get
identities
in
one
place
from
all
the
multiple
clusters.
Multiple
different
clouds
and
one
policy
allows
access
enforcement
for
several
dynamically
created
workloads,
in
fact,
in
our
multi-cluster
organization.
If
you
invoke
the
same
calls
in
any
of
the
clusters,
you
should
get
exactly
the
same
results
in
theory,
assuming
that
policy
complies
with
the
identity
of
the
workload
okay,
so
we
also
have
a
demo
that
shows
the
same
concept,
but
this
time
using
vault
and
for
retrieving
secrets
from
vault.
B
B
A
A
A
There's
a
lot
of
cool
things
to
that
we're
going
to
work
on
such
as
you
know,
integrating
with
the
the
policies
as
well
as
aggregating
logs,
we're
open
to
a
lot
of
feedback.
Tell
us
what
you
think
as
well
as
if
you
liked
what
you
saw
in
the
demo
the
marriage
gave.
We
have
help
charts
to
kind
of
like
help.
You
redeploy
the
whole
thing
as
well,
as
we
have
a
bunch
of
youtube
videos
that
kind
of
show
a
little
bit
more
than
what
we
have
time
to
show
today.