4 Dec 2020
10 Lessons From Migrating to SPIFFE After 10 Years Of Service Identity at Square - Mat Byczkowski
At Square we developed our own service identity system a few years ago, and it served us well in our datacenters, but as we increasingly started adopting the cloud, we decided to implement SPIFFE to provide a seamless service identity system that would span many environments. In this talk I would like to briefly present how we built a migration process and what we learned from it.
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
- 2 participants
- 26 minutes
4 Dec 2020
Attestation and identity provisioning to Intel SGX workloads - Andrey Brito
Using workload attestation mechanisms to provision identity to workloads adds a huge value to this identity, especially in multi-cloud environments. Strong identities simplify policy management and help integration between services. However, attesting workloads based on properties collected from the Linux Kernel or the orchestrator is just the beginning. With confidential computing mechanisms reaching public cloud providers, there is an opportunity to raise the bar on the supported threat model and the strength of the application identities using technologies such as Intel SGX.
In this talk, I will explain how having an SGX Attestor could lead to identities that reflect not only where code is running, but also reflect the code of application that was actually loaded and the configuration of the filesystem that supports it. Next, I will discuss the benefits of such an attestor, which include enabling the seamless integration between sensitive workloads in untrusted environments with workloads on trusted environments with almost no additional burden on the developer.
- 2 participants
- 19 minutes
4 Dec 2020
Community Integrations and other Works in Progress - Umair Khan
This session will cover new community integrations and initiatives being worked on by community members. Guest speakers, along with their topics, include:
Extending Authentication for Istio with SPIRE – Doron Chen, IBM
Securing user privacy with transitive identity – Andrew Jessup, HPE
Leveraging certificate transparency to strengthen auditability in SPIRE – Ruide Zhang, ByteDance
Parsec and SPIFFE – Paul Howard, Arm
- 6 participants
- 31 minutes
4 Dec 2020
Fortifying Microservice Security with SPIRE and OPA - Ash Nakar
Microservice architecture, although beneficial, brings with it unique security challenges around authentication and authorization, which become more acute due to the diverse nature of microservice environments.
How do we reliably authenticate and authorize interactions between 10s, 100s, or even 1000s of services at scale while handling 1000 API calls per second?
SPIRE solves authentication by creating an identity plane across varied infrastructure over which cryptographically verifiable identities such as JWTs are delivered securely to workloads. OPA provides a policy engine that can be used to enforce fine-grained authorization policies across the stack.
We will show how SPIRE-issued JWT-SVID claims, created using SPIRE’s OIDC Federation, can be used by OPA to enforce service-to-service and end-user access control in microservice environments without compromising on speed and availability.
- 2 participants
- 17 minutes
4 Dec 2020
Keynote: Introduction to SPIFFE by Kelsey Hightower
Kelsey will be taking a look at SPIFFE and SPIRE from a beginner’s point of view and, through a set of live demos, demonstrate how to leverage SPIFFE in your own applications.
- 2 participants
- 26 minutes
4 Dec 2020
Making Your First Contribution to SPIRE (optional session) - Ryan Turner
- 1 participant
- 6 minutes
4 Dec 2020
Passport App: The role of SPIFFE and SPIRE in a return to work solution - Frederick Kautz
In this session, Frederick demonstrates a SPIFFE/SPIRE-enabled solution which will help employers manage their return-to-work strategy. We will do a quick deep dive on how SPIRE allows us to accomplish our mission and what it may enable us to do in the future.
- 2 participants
- 20 minutes
4 Dec 2020
SPIFFE Project Updates - Evan Gilman
- 2 participants
- 15 minutes
4 Dec 2020
SPIFFE and SPIRE: Architecture Deep Dive - Andrew Harding, VMware + Evan Gilman, Scytale
- 2 participants
- 33 minutes
4 Dec 2020
SPIFFE at GitHub - Eric Lee
We’ve been rolling SPIFFE out internally at GitHub to empower teams to manage interoperable Production Identity documents. In this talk we’ll give a brief overview of how we’ve deployed SPIRE and leveraged its plugin system to integrate with our internal systems and tooling.
- 2 participants
- 26 minutes
4 Dec 2020
SPIRE Project Updates - Agustín Martínez Fayó
- 2 participants
- 19 minutes
4 Dec 2020
Securing Kafka with SPIFFE at TransferWise - Jonathan Oddy, Levani Kokhreidze
For a long time, in order to achieve mutual TLS between Kafka brokers and its clients, we had to use long-lived certificates, which are a nightmare to manage at large scale. At TransferWise, we have around 300 microservices and most of them use Kafka for async communication, stream processing, event sourcing, etc. We wanted to implement Kafka security in a way that reduced the maintenance burden on platform teams, while making migration of diverse clients as simple as possible. In this talk we will describe how we have achieved that goal using SPIFFE with SPIRE and Envoy, requiring zero code changes on the client side.
- 3 participants
- 20 minutes
4 Dec 2020
Using DevIDs and TPMs for Node Attestation - Adriane Cardozo, Marcos Yedro
In this session we will present a proposal and demonstration for a TPM Node Attestor plugin following the just-published TCG draft “TPM 2.0 Keys for Device Identity and Attestation”, which applies the device identity module definition and formatting of the “IEEE Standard for Local and Metropolitan Area Networks, Secure Device Identity (802.1AR)” to keys protected by a TPM 2.
- 5 participants
- 14 minutes
4 Dec 2020
Using SPIRE in Production at Uber - Andrew Moore
In this session we will provide an overview of how Uber uses SPIFFE and SPIRE for workload authentication and authentication in a diverse deployment environment. We will highlight the deployment architecture, operational practices, and benefits achieved.
- 2 participants
- 16 minutes
4 Dec 2020
Using a CRD to better integrate SPIRE and Kubernetes - Faisal Memon
In this talk we will discuss the Custom Resource Definition (CRD) for SPIRE we created. With the CRD we can better support automatic and manual generation of certificates, as well as integrate with kubectl.
- 2 participants
- 16 minutes
4 Dec 2020
“Solving the Bottom Turtle”: Writing a book on SPIFFE in 10 days using Book Sprints - Barbara Ruehling, Umair Khan
- 3 participants
- 8 minutes