►
From YouTube: Keynote: Introduction to SPIFFE by Kelsey Hightower
Description
Keynote: Introduction to SPIFFE by Kelsey Hightower
Kelsey will be taking a look at SPIFFE and SPIRE from a beginners point of view and through a set of live demos demonstrate how to leverage SPIFFE in your own applications.
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
Awesome
well
for
me,
it's
been
for
me:
it's
been
a
great
learning
opportunity.
You
know
I
am
not
an
expert
in
this
particular
space
or
this
particular
domain.
Even
like
most
of
you
I
have
to
you
know:
security
is
just
a
part
of
the
job,
there's
no
way
to
escape
it.
So
I
take
every
opportunity
to
dive
a
little
bit
further.
So
what
I'm
going
to
try
to
do
today
is
just
take
a
beginner's
look
at
this
whole
spiffy
thing
I
remember
when
the
project
was
announced.
A
I
didn't
know
what
the
hell
they
were
talking
about,
but
somehow
it's
found
its
way
into
things
like
istio,
and
I
see
it
popping
up
in
other
systems.
So,
like
you
all,
I'm
curious
to
why
so
one
thing
that
I
did
I'm
going
to
share
my
laptop
and
there
probably
won't
be
a
lot
of
slides,
I'm
just
going
to
walk
you
through
kind
of
a
similar
approach
that
I
took
for
understanding
things
like
most
people.
A
I
just
went
to
the
spiffy
website
and
it's
a
universal
control
plane
for
distributed
systems
or
identity
control
plane
for
distributed
systems.
So,
in
order
to
really
understand
that
you
have
to
kind
of
look
at
the
whole
package
like
spire
is
one
good
implementation
where
you
know
it
gives
you
the
full
suite
of
things
for
trusting
workloads,
assigning
their
identity
and
doing
all
the
things
to
give
you
a
complete
system.
But
I
was
always
curious
about
like
how
does
it
all
work?
A
A
One
thing
that
has
been
a
challenge:
I've
been
doing
this
for
about
15
years
and
whether
you're
talking
about
minting
ssl
certificate
or
doing
tls,
mutual
off
or
some
other
form
of
authentication
or
credentials.
It's
been
real
hard
to
identify
services
in
a
way
that
scales
well
across
multiple
systems
and
we've
all
tried
it
throughout
our
careers.
A
But
when
spiffy
came
out,
it
seems
very
complex
and
I'm
pretty
sure
I
may
be
oversimplifying
things,
but
here's
the
thing
that
made
it
click
for
me
once
I
really
took
the
time
to
understand
what
is
a
spiffy
id
naming.
Things
is
hard,
but
the
way
they've
chosen
to
go
about
identifying
the
service
so
we're
going
to
get
to
a
couple
of
things.
One
is:
what
is
a
service
identity?
A
A
Can
it
really
be
as
simple
as
this
string?
Spiffy
is
the
kind
of
url.
Then
there's
this
trust
domain
like
example.org
and
then
the
workload
you're
talking
about
it
could
be
your
payments
workload.
It
could
be
your
api
or
it
could
be
a
calculator
app
that
does
add
functions
but
either
way,
they've
simplified.
This
whole
thing
down
to
string,
and
this
string
has
a
lot
of
information
that
it
can
communicates
very
succinctly.
This
can
actually
help
you
make
work
with
different
applications
and
different
domains.
You
can
have
different
service
polls,
you
get
the
idea.
A
So
looking
at
this
simple
string
is
I
ask
myself
like
what
do
I
do
with
it?
Wouldn't
it
be
crazy
if
just
any
app
could
take
this
string
and
give
it
to
another
app
and
say:
hey
trust
me.
This
is
who
I
want
to
be
that
typically
doesn't
work.
You
need
to
kind
of
earn
your
credentials.
So
how
do
we
do
that?
A
So
we
understand
this
string,
but
now
we've
got
to
figure
out
how
to
create
them
and
hand
them
out
to
applications
or
workloads
that
deserve
it.
Now,
if
you're
using
spire
and
there's
going
to
be
plenty
of
talk
throughout
the
rest
of
the
day
about
spire,
they
have
a
really
good
implementation
of
doing
this.
By
making
sure
only
the
right
workload
gets
the
right
spiffy
id,
but
we're
going
to
roll
things
by
hand
just
so
we
can
get
a
little
bit
deeper
in
details
of
how
it
would
work.
A
So
just
like
most
good
projects,
there's
a
lot
of
documentation
about
the
details.
So
what
most
people
do
is
when
they
think
about
spiffy.
You
can
embed
them
into
a
tls
certificate
if
you
use
something
like
istio
and
you're
doing
tls
mutual
auth,
where
app
a
wants
to
talk
to
app
b,
well,
app
a
can
present
its
ssl
certificate
and
have
a
spiffy
id
embedded
in
one
of
the
subject.
Alternative
names
and
that's
cool
because
then
proxies
and
other
tools
can
extract
that
and
decide
to
trust
that
you
have
that
identity.
A
And
let
you
do
things
in
this
case,
though
I'm
actually
sitting
behind
a
proxy
that
doesn't
allow
tls
mutual
off.
Actually,
I've
made
things
a
little
bit
harder
for
myself.
I'm
actually
running
inside
of
a
serverless
platform
called
cloud
run,
no
kubernetes,
no
vms,
none
of
the
environmental
things
that
I'm
used
to.
If
I
was
doing
on
some
vms,
this
would
be
a
whole
lot
easier
to
solve,
but
I'm
not
so.
I
have
to
solve
this
problem
in
a
slightly
different
way.
A
A
That's
your
identity,
but
we
need
to
mint
one
only
for
the
workload
that's
supposed
to
have
it
in
a
way
that
other
workloads
can
trust.
So
with
that
I'm
going
to
use
what
they
call
a
s,
fit
or
secure
verifiable
identity
document,
and
you
can
use
certificates
or,
in
this
case
a
jot
token.
We've
all
used
them
before.
A
A
What
I
can
then
do
is
map
a
set
of
spiffy
ids
to
google
cloud
service
accounts.
I'm
going
to
show
you
how
that
works.
Real,
quick,
so
first
thing
I'm
going
to
do.
Is
I've
deployed
this
service
into
the
cloud?
The
thing
I
want
to
do
now
is:
I
want
to
get
a
token
from
it,
but
in
order
to
get
a
token,
I
have
to
prove
my
identity
by
getting
something
that
this
off
service
trusts.
So
I
have
a
little
command
called
get
token
and
what
it
does
is
it
gets
my
gcp
project.
A
I
get
the
url
of
the
cloud
run
service
you
can
see
here,
so
I
know
who
to
exchange
this
other
token
with
and
then
I'm
just
going
to
use
the
google
cloud
command
line
tool
to
generate
an
id
token,
I'm
going
to
impersonate
the
service
call
calculator.
So
basically,
what
I'm
doing
here
is.
I
have
a
calculator
app
that
can
call
a
back-end
to
add
some
numbers
for
me,
but
the
ad
service
only
wants
to
allow
only
a
calculator
to
do
it
now.
What
I
don't
want
to
do
is
rely
on
google
service
accounts.
A
The
thing
is
those
only
work
for
things
that
understand
how
to
verify
them
with
google,
but
you
might
want
to
run
things
on
vm
or
on-prem.
So
this
is
where
this
whole
spiffy
thing
becomes
super
important,
it's
pretty
portable
across
all
the
cloud
providers.
So
what
I'm
going
to
do
is
I'm
going
to
generate
an
id
token
by
calling
the
the
google
cloud
iam
service
and
I'm
mimicking
what
I
would
do
in
a
deployed
application.
A
So
once
I
get
an
id
token
from
there,
I'm
going
to
pass
that
id
token
to
the
serverless
off
service
and
see
what
comes
back
so
we're
just
going
to
run
this
really
quick
called
git
token
and
again,
I'm
getting
iam
token
id
token
and
I'm
going
to
use
it
to
connect
to
the
serverless
application
and
what
that
service
application
is
going
to
do
is
going
to
mit
me
a
token
now
when
I
call
this
command.
If
everything
is
working,
come
on
internet
guides
move
a
little
faster.
A
You
can
see,
I'm
impersonating
this
account
and
I'm
getting
back
a
token.
So
let's
look
at
this
token
now
what
I'm
about
to
show
you
is
dangerous.
So
don't
be
doing
this
in
production
with
your
real
tokens,
but
for
this
example
token
it's
okay,
I'm
going
to
go
to
jwt.io
and
I'm
going
to
post
this
token
now
be
careful,
there's
a
header,
the
actual
jot
token
and
the
signature.
These
can
be
replayed
if
you
do
this
with
the
live
token,
to
get
access
to
resources.
But
this
is
for
testing.
So
I'm
not
too
worried
here.
A
You
can
see
the
contents
of
the
payload.
I
could
verify
this
using
the
private
key
from
this
particular
service,
but
you're,
seeing
here
that
when
I
authenticated,
I
got
back
this
audience.
That
means
I
can
actually
pass
it
to
the
addition
service
and
then
the
issuer
is
my
off
service
running
in
my
domain
and
look.
It
gave
it
a
subject
back
of
spiffy
hightower
labs
calculator.
A
Now
one
thing
we're
going
to
do
is
I'm
going
to
show
you
how
I
actually
made
this
work?
Well,
there's
a
couple
of
things
so
bin
I'm
going
to
run
a
command
and
I'm
going
to
show
you
my
registry.
So
in
my
custom
implementation,
that's
minting
tokens.
I
also
implemented
a
in-memory
registry
and
the
way
it
works
is
I
can
actually
send
registry
entries
up
to
a
in-memory
database.
So
basically
the
registry
basically
says
for
this
given
id.
A
A
I
have
a
mapping
that
maps
this
calculator
iam
service
account.
You
can
see
its
unique
id
and
I
will
find
that
unique
id
in
the
registry
and
if
I
don't
no
tokens
for
you,
so
this
is
an
easy
way
for
me
to
map
jot
tokens
using
something
that
I
trust.
So
I
verify
the
dot
token
from
google
make
sure
it
was
issued
by
google
verify
the
public
key
and
then
extract
the
subject
from
the
google
service
account
and
mint
a
new
token
with
those
attributes
like
we
see
here
so
great.
A
A
A
Well,
if
you
know
anything
about
jot
tokens,
you
know
that
that
off
service
can
also
serve
up
the
public
keys
that
can
be
used
to
verify
things
or
you
can
embed
that
public
key.
So
here,
I'm
following
the
spiffy
documentation
saying
that
the
use
of
this
public
key
is
for
validating
svids
and
here's
the
public
key
that
you
can
verify
that
this
was
signed
by
this
off
provider.
Now,
one
last
thing
you
got
to
do
here,
so
we
set
up
the
first
two
stages.
A
Next
thing
we
got
to
do
here
is
figure
out.
How
do
you
use
it?
What's
the
purpose
of
having
this
identity,
if
you're
not
going
to
use
it
for
anything
when
you
think
about
service
mesh
and
all
the
features
you
want
to
do,
and
most
security
models
they're
all
hinged
on
ids?
Who
are
you,
then?
What
can
you
do,
and
this
is
when
we
bring
in
something
like
open
policy
agent-
and
this
is
the
last
component
of
the
demo,
so
what
we
can
do
with
open
policy
agent?
A
Let's
see
if
I
can
screen
my
screen
down
here
and
what
opa
allows
us
to
do
is
basically
do
auth
z
for
what
we
can
do
with
this
identity.
So
I
know
who
you
are,
but
what
can
you
do?
So
if
you
look
at
this,
I
have
a
package
for
this
is
a
rego
file.
Don't
worry
about
the
syntax.
Now
just
know
it's
a
way
for
me
to
communicate
policies.
I
also
have
an
open
policy
agent
running
as
a
serverless
app.
A
So
here
it
is,
it's
running
in
a
container
and
cloud
runs
serverlessly
and
I've
populated
it
with
this
policy
that
I'm
going
to
walk
you
through.
So
by
default,
I'm
going
to
deny
everything,
but
when
you
make
a
request,
you
can
say
hey
from
your
application.
So
let's
say
you
were
the
ad
service.
You
would
go
off
to
the
backend
and
say:
hey
open
policy
agent.
Here's
some
metadata
about
my
request.
A
A
The
nice
thing
about
this
is:
I
can
use
that
information
in
the
token,
in
that
jot
token,
with
the
spiffy
id
to
make
policy
decisions,
do
I
allow
you
to
add
the
numbers
that
you're
requesting
so
from
my
service?
I
need
to
put
in
some
data
and
what
I'm
going
to
do
with
my
input
data
I'm
going
to
check
for
some
matches.
Is
this
a
post
request?
A
If
all
of
those
things
are
true,
then
I'll
respond
either
yes
or
no,
and
we're
going
to
do
the
last
piece
here,
I'm
going
to
show
you
what
it
looks
like
I'm
going
to
use
curl
to
do
this,
so
we
can
get
a
clear
picture
now.
I
could
have
deployed
all
the
apps
to
do
this,
but
I
want
to
give
you
a
peek
at
how
this
works
underneath
the
covers.
A
So
the
way
that
request
looks
like
on
my
file
system
is
basically
a
post,
the
method,
the
path
and
the
token
I'm
going
to
submit
this,
and
let's
see
what
response
we
get
then
and
we'll
do
a
validate
request.
Again,
I'm
simulating
the
addition
app
assuming
that
the
calculator
front
end
is
calling
it
so
we'll
run
this
now
and
what
should
happen
is
I
should
get
a
response
from
the
backend,
so
it's
saying,
hey
method
is
get
or
allow
equals.
A
True
method
was
git
path
was
add,
and
here's
this
token,
so
I
know
we're
getting
low
on
time.
So
I'm
going
to
stop
here,
but
basically
this
shows
you
full
circle,
one.
We
have
a
root
of
truss.
In
this
case
google
cloud
iam.
A
We
have
a
custom
service,
that's
minting
jot
tokens
by
trusting
service,
account
tokens
and
mapping
them
to
a
registry
id
and
yielding
back
a
job
token
that
meets
the
spiffy
requirements.
That
token
now
can
then
be
used
with
other
systems
that
can
also
delegate
off
z
to
back
ends
like
open
policy
agent.
I'm
going
to
stop
there
see
if
we
have
any
questions,
and
hopefully
that
kind
of
explains
this
thing
at
a
high
level.
For
you
all.
B
Hi
everyone,
if
you
have
any
questions
at
this
point,
please
feel
free
to
put
them
in
the
chat
window
or
raise
your
hand
for
kelsey.
Thank
you
so
much
kelsey
for
doing
this.
A
A
A
So
if
you're
in
the
kubernetes
space,
I
would
encourage
you
just
to
look
at
tools
like
spire.
That
does
all
of
this,
for
you
with
way
more
robustness,
but
I
think
there's
going
to
be
a
world
where,
if
this
thing
takes
off,
I
can
see
almost
every
tool
being
able
to
trust
this
identity,
and
it's
actually
a
lot
simpler
than
I
thought
before.
So
I'm
hoping
more
systems
integrated
natively.
So
we
can
all
standardize
on
what
a
service
id
actually
means.
A
I'll
read
one
so
here's
one:
how
do
you
know
that
iem
token
can
receive
the
token
for
the
off
calculator?
So
when
I
deployed
I'm
gonna,
I
think
I'm
still
sharing
my
screen
right
yeah.
So
when
I
deployed
this
jwt
off
service,
I
had
to
do
a
few
things.
One
is.
I
said
that
when
I
deployed
it
that
it
must
not
allow
wide
open,
authentication,
so
services
off
bin
deploy.
A
So
the
first
thing
is,
I
don't
allow
authentication
by
default.
The
next
thing
is
that
means
you
have
to
present
me
a
google
cloud
iam
id
token
right.
You
have
to
get
that
from
the
metadata
service
once
you
do
that.
I
also
have
another
thing
that
says
I
granted
permissions
to
the
calculator
service
account
to
be
able
to
even
invoke
this
jwtsvid
service.
So
this
is
an
iem
policy
where
I
have
a
binding
that
says
if
a
caller
were
to
present
a
jot
token
signed
by
this
service
account,
it
can
invoke
this
function.
A
A
I
can
take
that
jot
token
and
use
google's
public
certificates
to
also
validate
it
and
then
once
it's
validated,
I
can
then
extract
the
id
because
that's
going
to
be
in
the
subject
field
of
the
id
token,
and
then
I
have
my
own
internal
registry
right
and
all
I'm
doing
to
add
things
to
the
registry
are
just
all
I'm
doing
here
is
just
basically
collecting
enough
data
about
the
service
account
id
and
I'm
just
posting
it
again
by
authenticating
to
my
off
service,
so
checks
and
balances
end
to
end.
B
Yeah,
I
think
so
I
don't
see
anything
chat
live
here.
Do
you
have?
I
think
you
had
one
more
question
in
there
about.
A
Our
picture
diagram,
so
let
me
go
here,
there's
a
couple
yeah
so
service,
so
the
architecture
diagram.
I
think
this
turned
out
to
be
a
pretty
good
demo,
so
I
am
going
to
publish
this
whole
thing
on
github,
it's
in
a
private
repo.
Now
but
I'll
add
the
architecture
diagram
and
some
of
the
trade-offs
I'm
making
and
what
you'll
find
in
that
github
repository
most
of
the
code
is
already
there
there's
a
custom,
jose
implementation
of
jws
and
also
all
the
keys.
A
One
thing
I
tried
to
make
it
easy
to
do
also
is
to
make
sure
that
this
works
in
a
real
world.
So
if
you
ever
have
to
validate
these
tokens
across
other
systems,
I
do
implement
most
of
the
standards
so
that
you
can
actually
verify
these
using
the
public
keys
that
you
can
get
from
the
auth
back
in
we'll
spit
this
one
out
here
in
a
second
and
so
that'll,
be
on
github
soon
and
maybe
I'll
tweet
out
when
it's
done
so
I'll
just
say,
hey
my
spiffy
demo
is
now
on
github.
A
You
can
go
run
it
yourself.
The
next
thing
is,
is
the
toku
is
the
token
issue
or
something
we
have
to
build
ourselves
and
if
not,
if
we're
not
on
a
managed
cloud
or
in
a
pre-print
on-prem
kubernetes
offering
right.
So
if
you're
using
spire,
it's
going
to
do
a
good
job
of
dealing
with,
probably
you
know,
x509
certificates,
tls
mutual
auth
is
probably
the
path
you
want
to
go
if
you're
on
prem,
with
kubernetes
just
go,
get
spire
and
certs
that
way,
that
will
probably
be
much
easier
than
what
I'm
doing
here
now.
A
I'm
not
sure
aspire
supports
jot
tokens
at
the
moment.
So
if
you
have
a
use
case
similar
to
mine,
we're
going
to
be
going
through
a
low
bouncer
that
won't
be
able
to
handle
tls
mutual
off
the
way
to
think
about.
This
is
maybe
something
like
ping
identity
or
off
zero.
If
they
allow
you
to
have
some
metadata
where,
when
you
authenticate,
typically,
what
you
can
do
is
you
can
set
custom
fields
using
some
kind
of
template
that
when
you
return
back
a
response,
they'll
have
a
jot
token.
A
So,
ideally,
most
of
the
standard
tools
for
minting
jot
tokens
should
work.
You
just
got
to
make
sure
that
those
tools
are
configurable
based
on
the
original
identity,
whether
it's
basic
off
or
some
other
factor,
then
you
can
actually
say
hey
based
on
that
identity.
Here's
what
should
be
in
these
fields
when
I
return
a
jot
token,
so
my
guess
is
standard.
Things
will
work,
but
if
you're
not
using
jot,
go
check
out
spire
and
do
it.
Oh,
it
turns
out
that
spider
has
support
for
both
x509
and
jot.
A
B
Yeah
we
are,
we
have
time
for
one
more
question:
kelsey,
which
one
can
you
answer?
First.
A
All
right
so
well,
so
the
next
one
I'll
end
with
this
one,
how
is
multi-cluster
and
federation
supported
in
this
kind
of
use
case?
So
I
think
this
is
what
this
whole
thing
is
about.
One
thing:
that's
nice
about
x509
in
general,
it
does
allow
each
of
the
servers
to
have
a
certificate
signed
by
authority.
We
trust
and
we
can
trust
lots
of
authorities.
If
you
look
at
your,
you
know
your
tls
certificate
bundle
for
cas
on
your
file
system.
A
A
So
when
you
start
thinking
about
multi-cluster
and
federation,
what
we're
doing
is
we
have
this
detached
way
of
saying
here's,
a
bunch
of
public
keys
inside
of
our
clusters,
give
them
to
your
app,
so
they
can
actually
trust
things
and
then,
when
that
jot
token
shows
up,
you
may
not
necessarily
need
to
call
out
to
another
service.
You
can
actually
use
your
public
key
or
something
like
open
policy
agent
that
is
configured
to
be
able
to
decode
and
verify
these
tokens,
and
that's
going
to
give
you
that
decentralized,
federated
method.
B
A
Yeah,
so
do
that
and
I'll
answer
one
more
since
we
have
one
more
one
more
minute
or
so
so
can
we
use
an
app
in
one
cloud
to
talk
to
an
app
in
another
cloud
using
spiffy
as
a
single
trust
provider,
and
I
think
that's
where
things
get
super
interesting,
because
in
my
off
service
I
could
trust
multiple
identities,
multiple
backends.
This
is
something
that
spire
does
really
well.
It
gives
you
a
universal
way
of
saying.
I
trust
all
these
things
so
imagine
if
you're
using
spire
spire
can
be
configured
to
trust,
amazon's
metadata
service.
A
So
when
you
get
your
identity
document
from
amazon's
metadata
service,
so
you're
running
on
a
vm,
you
can
exchange
that
or
use
that
to
get
a
different
token
or
x
509
certificate
and
I
can
use
a
whole
different
trust
model
inside
of
gcp.
But
at
the
end
of
the
day
you
end
up
with
these
identity
documents
that
are
standardized
that
keep
a
common
spiffy
id,
so
maybe
you're
all
in
the
same
domain,
even
across
multiple
cloud
providers.
You
can
look
at
that
domain
to
say,
hey
we're
all
in
the
same
app
domain
slash.
A
A
A
Hasn't
it
yeah,
I
mean
yeah,
there's
people
that
are
already
using
this.
You
see
this,
it's
a
hidden
thing,
the
bad
thing
about
it.
It
just
works.
So
this
is
why
there's
no
hype
train!
That's!
Why
there's
probably
not
a
bunch
of
10
000
people
conferences,
it
just
works
so
much
that
most
people
kind
of
take
it
for
granted
that
this
kind
of
complex
problems
being
solved
in
a
very
clever
and
simple
way.