►
Description
Fortifying Microservice Security with SPIRE and OPA - Ash Nakar
Microservice architecture although beneficial brings with it unique security challenges around authentication and authorization which become more acute due to the diverse nature of microservice environments.
How do we reliably authenticate and authorize interactions between 10s, 100s, or even 1000s of services at scale while handling 1000 API calls per second?
SPIRE solves authentication by creating an identity plane across varied infrastructure over which cryptographically verifiable identities such as JWTs are delivered securely to workloads. OPA provides a policy engine that can be used to enforce fine-grained authorization policies across the stack.
We will show how SPIRE issued JWT SVID claims created using SPIRE’s OIDC Federation can be used by OPA to enforce service-to-service and end-user access control in microservice environments without compromising on speed and availability.
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
B
A
A
So
let's
get
started
so
just
a
quick
intro
of
the
oppa
community.
The
project
started
in
2016
at
styra,
where
I
work
and
the
goal
of
the
project
has
been
to
unify
policy
enforcement
across
the
stack.
Opa
has
been
used
in
production
by
many
companies
for
cases
like
admission
control,
authorization,
our
back
abac
and
so
on.
A
A
So
the
way
this
typically
works
is
that
imagine
you
have
a
service,
and
this
can
be
any
service
at
all.
It
can
be
a
kubernetes
api
server.
It
can
be
your
own
custom
service,
kafka
onboard
whatever.
Whenever
your
service
gets
a
request,
it's
going
to
ask
oppa
for
a
policy
decision
by
executing
a
query.
A
Real
quick
at
the
core
of
oppa
is
a
high
level
decorative
language
called
rego,
which
allows
you
to
write
policy
decisions
that
are
more
than
billion,
basically
any
json
value,
arrays
objects
and
so
on,
oppa's
written
in
go
and
you
can
deploy
it
as
a
sidecar
host
level.
Daemon,
it's
designed
to
be
as
lightweight
as
possible.
So
all
the
policies
and
data
it
needs
for
evaluation
are
stored
in
memory.
A
It
provides
some
management
apis
which
allow
you
to
fetch
policy
and
data
from
remote
services.
It
can
upload
decision
logs
to
remote
services
and
also
its
status
and
finally,
along
with
the
core
policy
engine
oppa
provides
a
red
set
of
tooling
to
build
test
and
debug
your
policies.
It
provides
a
unit
test
framework
as
well
as
integrations
with
of
ides
like
vs
code
intellij
and
the
lego
playground.
A
A
A
A
So
next,
the
policy
that
we
want
to
demo
says
that
users
with
the
role
billing
manager,
can
view
claims
in
the
invoices
again
the
policy,
the
oppa
policy
that
we
will
see
in
the
demo
says
that
users
with
the
role
billing
manager,
can
view
claims
in
these
invoices
and
so
to
demo.
This
policy
you're
going
to
have
couple
of
users.
One
is
alice,
and
one
is
john,
where
alice
is
a
billings
manager
and
while
john
isn't
enrolling,
and
we
will
see
later
how
this
information
is
being
decoded
from
the
george
s.
A
Oppa
is
going
to
validate
verify,
decode
those
tokens
and
based
on
the
claims
it's
going
to
make
a
decision
on
whether
alice
should
see
her
claims
or
not
and
since
alice
is
a
billings
manager.
Oppa
is
going
to
allow
this
request
to
go
through,
and
so
alice
will
be
able
to
see
her
invoices
with
the
claims
in
them.
A
B
B
Think
of
the
front
end
here
as
an
edge
service
that
is
running
elsewhere,
perhaps
outside
your
infrastructure
in
this
demo,
this
is
going
to
be
my
laptop
and
you're,
trying
to
authenticate
the
user
using
one
of
your
idps,
whether
it's
ping
or
octa,
or
something
like
that.
That
also
gives
you
a
jot
token,
and
you
propagate
this
jaw
token,
as
part
of
your
claim,
a
request
that
you're
doing
to
your
spire
and
you
can
think
of
right
now.
The
only
available
claim
with
that
is
supported
with
inspire
is
the
audience
claim.
B
So
I'm
using
so
we
are
using
the
jar
to
switch
to
be
part
of
that
audience
claim
make
that
request
and
propagate
all
of
this
through
why
we
are
doing
that
is
because
at
the
open.
So
this
is
the
application
part.
Why
do
we
need
the
related
authentication
so
at
the
application
at
the
authorization
server?
That
uber
is
you
are
able
to
integrate
with
the
jocks
uri
and
not
only
validate
all
of
those
chat,
ass
bits
that
are
part
of
that
chain,
but
also
extract.
B
You
know,
like
the
actual
claims
of
that
all
of
this
chain
that
happened
right
right
from
the
user,
to
the
service
one
to
service
n
and
at
each
individual
level
you
you
can
possibly
like
validate
those
from
the
issuer
itself
right.
So
that's
kind
of
the
use
case
here.
Let
me
share
my
screen
here:
real.
B
B
B
We
also
have,
if
you
look
at
this
particular
one.
We
also
have
the
container
the
oidc
provider
right
like
so.
The
oedc
discoverer
is
running
alongside
with
the
spire
server
itself,
and
we
have
deployed
both
the
backend
service
and
which
has
the
actual
data
that
is
consumed
and
the
invoice
service
is
kind
of
like
the
ingress
service.
If
I
may
call
that
which
the
front
end
is
consuming
right
so
over
here
on
this
terminal
here
I
have
alice,
who
is
trying
to
log
in
to
that
application
and.
B
A
B
Alice,
who
has
a
particular
profile
so,
as
we
see
here,
we
have
this
billing
manager
is
the
actual
one
of
the
properties.
One
of
the
claims
within
the
javascript
that
was
provided
by
octa
and
that
particular
user
is
validated,
and
this
is
the
actual
javascript
that
is
coming.
So
we
are
seeing
that
oppa
is
allowing
this
particular
request.
So
we
are
able
to
see
the
claims
information
here,
but
if
I
log
in
as
the
other
user
john
here.
B
B
So
this
is
john.
He
has
a
different
particular
role
and
if
we
go
to
his
particular
dashboard
and
try
to
see
the
invoices,
you
see
that
the
claims
information
again
it's
kind
of
like
a
overloaded
term
here
claims
in
in
the
application.
This
is
kind
of
like
the
insurance
claims,
not
necessarily
to
do
anything
with
the
chart
claims,
but
the
jar
token
itself.
You
can
see
that
opua
denied
information.
So
this
data,
the
claims
insurance
claims
data-
is
coming
from
the
backend
service
and
is
denying
access
to
that
particular
user
there.
B
So
you
see
that
in
the
audience
itself,
so
that
was
the
information
that
is
coming
from
the
jot
s,
vid
that
was
issued
to
the
invoice
service
and
this
particular
information
audience
itself
is
kind
of
like
the
chaining
that
I
was
mentioning.
So
itself
is
the
chart
that
was
issued
by
octa
or
the
identity
provider
right.
B
So,
as
you
can
see
here,
we
have
this
embedded
as
a
claim
within
that
javascript
and
because
we
have
the
oidc
federation
that
is
done
between
the
oppa
authorization
server
and
the
spire
server.
We
are
able
to
like
validate
this
and
also.
Similarly,
we
can
also
write
a
policy,
the
rego
policy,
which
also
can
validate
the
octa
chart
itself,
and
we
have
this
particular
policy
here
and
we
are
verifying
both
the
token
and
also
the
actual
claims
within
the
user
itself
and
making
a
decision
based
on
both.
A
Great
thanks
thanks
madhu,
so
we
do
have
a
question
so
how
granular
can
oppa
control
access,
for
example,
in
this
demo?
What
if
billings
manager
should
be
allowed
to
view
certain
claims
and
enroll
you
to
view
certain
different
claims?
So
that's
a
great
question:
we
can
definitely
do
granular
access
with
oppa.
Like
I
said
you
give
it
any
kind
of
json
value.
Your
policies
can
be
as
granular
as
you
want
to,
and
you
can
you
like.
It
can
decode
your
tokens
like
the
job
s
word
or
any
other
token
that
we
give
it.
A
A
I
have
one
more
question
here:
by
najeeb:
can
oppa
perform
the
static
analysis
of
yaml
manifest
so
yeah,
so
there
is
a
separate
project
in
the
opa
name.
Space
called
contest,
which
is
for
validation
of
kubernetes,
manifests
and
other
kind
of
different
files
like
docker
files,
so
yeah
check
that
project
out
and
it
can
probably
solve
your
use
case.
A
One
more
question:
by
dennis
we've
created
oppa
policies
for
resources
at
the
record
level,
definitely
possible
okay.
So
thanks
thanks
for
validating
that
dennis
I
appreciate
it
yeah
so
again,
thanks
you
all
for
inviting
us
for
this
talk
for
giving
us
the
opportunity,
if
you
have
any
questions
we'll
be
here
and
thanks
amaran
team
and
this
entire
spiffy
inspired
team.
Thank
you.
So
much.