30 Oct 2021
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
AWS OIDC Authentication with SPIFFE at Square - Roy Xu, Square Inc.
As part of Square’s migration to the cloud, we found that we needed an easy way for our datacenter applications to communicate with services in AWS. We were able to use the existing SPIFFE infrastructure that we’re already using for our service-to-service authentication and extend that to AWS with federated identity through OpenID Connect (OIDC). Our AWS OIDC infrastructure provides automated AWS credentials for applications in our datacenter to assume roles in AWS. We leveraged the SPIRE OIDC Discovery Provider provided by SPIRE paired with spiffe-aws-assume-role, a custom open source tool we wrote to exchange SPIFFE JWTs for AWS credentials. Our new process means that app owners only need to make a simple config change to allow their applications to connect to AWS.
- 1 participant
- 12 minutes
30 Oct 2021
Changing the SPIFFE ID of Every SPIRE-Enabled Workload at Uber - Challenges and Learnings - Prasad Borole, Uber
This is a story of the migration of SPIFFE IDs of workloads deployed across thousands of nodes at Uber. As our identity platform and the core constructs in the underlying infrastructure model evolved over time, we had to undertake an initiative to change the format of SPIFFE IDs for varying classes of consumers. In order to roll out a new SPIFFE ID convention across our microservices deployment, we had to understand the landscape of service-to-service authorization mechanisms in use at Uber in order to update all authorization policies referencing SPIFFE IDs. We also had to plan for the potential effects that creating many new registrations could have on the reliability of the SPIRE control plane. There were a few challenges we encountered along the way, like hard-coded SPIFFE IDs, a lack of ways to choose a preferred identity from multiple identities, etc. Listeners could benefit from this presentation by learning more about the SPIFFE ID format and selectors we chose based on the learnings and problems we faced during migration, and avoid them in the future.
- 1 participant
- 15 minutes
30 Oct 2021
Economics of Zero Trust - Frederick Kautz, Sharecare & Ed Warnicke, Cisco
Technology has attempted to endlessly and mindlessly increase the cost of exploits to attackers. This is a losing game, because the *cost to defenders* of increasing the *cost to attackers* has become a game of diminishing returns.
Economics teaches different lessons. It teaches that ultimately the system is about the interplay between costs and benefits. Costs and benefits for the attackers. Costs and benefits for the defenders.
If you really want to understand Zero Trust, come hear how to think beyond the technology to the economics of security, and learn how SPIFFE can play a critical role in increasing the risk and decreasing the value of attacks.
- 1 participant
- 10 minutes
30 Oct 2021
Federating Trust in Healthcare with SPIFFE - Sunil Ravipati, Anthem
Healthcare systems and data have been subjected to cyber attacks and ransomware for a long time. This session will be about how healthcare systems and data consisting of PHI and PII will be secured with a new paradigm shift in technology, using a cloud native zero trust solution to establish workload identity and trust within healthcare systems, and extending zero trust to partners' healthcare systems to securely authenticate and exchange data.
- 1 participant
- 8 minutes
30 Oct 2021
Integrating SPIRE and Istio - Daniel Feldman & Glaucimar Aguiar, HPE
The popular Istio service mesh simplifies many aspects of microservices deployment in Kubernetes, including providing gateways, load balancing, fine-grained authorization, and end-to-end encryption. However, Istio is not natively compatible with SPIRE identities, instead using its own centralized certificate generator. At HPE we developed a modified Istio that uses SPIRE to provide all identities. We have demonstrated this in proof-of-concept environments and are working to deploy it in production, and we are working to upstream this feature into the Istio mainline with help from many key Istio contributors. In this talk we will discuss the motivation for the project, and where we are going with it in the future.
- 2 participants
- 15 minutes
30 Oct 2021
Keynote: Cloud & Cloud Native Identity and Access Management: Challenges & Opportunities - Aradhna Chetal, TIAA; Greg Blana, Consultant; Nathanael Coffing & Craig Thomas, Leader C2 Labs
With the adoption of Cloud & Cloud Native technologies and workloads becoming more distributed, the challenge still remains in achieving zero trust. Organizations struggle to enforce rules and policies within today’s complex and heterogeneous multi-cloud hybrid IT environments. Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges. Externalizing access decisions/policies from application code, consistently enforcing access policies, and leveraging attributes in access decision making enables fine-grained authorization decisions and provides greater control over data security. In this session, we will discuss different challenges and solutions for identity and access management in hybrid cloud native environments to achieve continuous identity assurance.
- 4 participants
- 23 minutes
30 Oct 2021
Keynote: Creating with Authenticity & Humility: A SPIFFE Origin Story - Sunil James, HPE
Five years ago, a public Google document proselytized the reasons for SPIFFE's existence. This document, and the people involved in its creation, began a movement that brought together people who contemplated how to tackle a myriad of security challenges as they and their organization move "into the cloud." However, this document didn't start from thin air. Like most great efforts, SPIFFE stands on the shoulders of its predecessors, and moves forward because of those who carry our story into the future. This presentation explores and celebrates the SPIFFE community: a band of authentic and humble engineers, product managers, UI/UX designers, documentation writers, marketers, and more.
- 1 participant
- 11 minutes
30 Oct 2021
Keynote: Welcome & State of the Union - Evan Gilman, VMware
- 1 participant
- 6 minutes
30 Oct 2021
Managing Kubernetes Webhooks with SPIRE - Faisal Memon, F5 Networks
Webhooks are one of the most useful resources in Kubernetes. They can be used for admission control, validation, and injecting sidecars into Pods. They are also one of the most challenging to operate: you have to manage and rotate a certificate, a key, and a root CA certificate. With some new features in SPIRE, you can now automate certificate management for Webhooks like any other workload. The SPIRE-issued certificates for Webhooks are tied into the same trust chain as regular workload certificates.
- 3 participants
- 20 minutes
30 Oct 2021
Providing Identities to Serverless Workloads - Agustín Martínez Fayó & Marcos Yacob, Hewlett Packard Enterprise
There are many situations where installing SPIRE Agent is either not possible or not desirable. One of the most common is workloads running on serverless computing architectures offered by cloud providers, such as AWS Lambda, Google Cloud Functions, or Azure Functions. This talk presents how SPIRE could solve the challenges associated with this through the introduction of the SVIDStore plugin type, which enables SPIRE Agent to store identities in external stores in a secure way, so they are available for consumption by workloads running in an environment where installing an agent is not possible.
- 2 participants
- 21 minutes
30 Oct 2021
SPIRE Project Updates - Ryan Turner, Uber Technologies, Inc.
- 1 participant
- 20 minutes
30 Oct 2021
Secure, Efficient API Plane Traversal for Compute Resources on Exascale Super Computers Using SPIRE - Tim Pletcher, HPE
Cray Shasta exascale supercomputers use SPIRE for securing machine-to-machine control plane communication. In this presentation, we’ll discuss the requirements for securing critical communication on these supercomputers and why SPIRE was a good choice for this application.
- 4 participants
- 22 minutes
30 Oct 2021
Securing Edge Systems with TPM 2.0 and SPIRE - Cole Kennedy, TestifySec
The TPM 2.0 device is a secure enclave that is included in most recent servers, workstations, and laptops. We discuss how the TPM 2.0, along with SPIRE, can be used to architect secure edge and hybrid systems.
- 4 participants
- 18 minutes
30 Oct 2021
Supporting Confidential Workloads with SPIRE - Andrey Brito & Matteus Silva, UFCG
The SPIRE community has already perceived the potential benefits of using confidential computing. Confidential computing can protect sensitive workloads by enforcing stronger attestation but also securing SPIRE components themselves, which in turn helps to make other attestation mechanisms more secure. Nevertheless, providing this support is far from trivial. As it changes SPIRE’s current threat model, there are several challenges to be addressed and tradeoffs to be made clear. In this talk, we share our experience in providing confidential computing support in SPIRE, from the challenges in deriving selectors to the benefits of running other SPIRE components within trusted execution environments, all this while minimizing changes in SPIRE operation and application development workflows.
- 2 participants
- 20 minutes
30 Oct 2021
Working Out SPIFFE Identity for Cilium CNI - Rahul Jadhav, Accuknox
Identity is the basis for authentication and authorization. SPIFFE provides a strong, standards-based identity solution that works across heterogeneous environments. Cilium-CNI is an eBPF-powered network policy and observability solution that provides a highly scalable and performant enforcement engine that seamlessly works for L3/L4 and L7 policy enforcement. Cilium effectively uses k8s-labels as an identity for authorization policies. The SPIFFE integration with Cilium-CNI extends the notion of identity by leveraging SPIFFE-provisioned identities and then subsequently using those for authorization and accounting purposes. The talk will be about:
1. Explaining/comparing identity marking/transport/representation solutions out there (e.g., use of k8s-labels (Cilium), use of TCP Fast-Open (Aporeto), and use of certificates (SPIFFE)).
2. Design considerations/challenges for integrating SPIFFE identity in Cilium.
3. Design considerations/challenges for leveraging the SPIRE implementation.
4. Extended identity use-cases that could now be targeted with Cilium-CNI. For example, we can now have policies based on SPIFFE IDs for edge devices outside the realm of k8s (previously, you needed FQDN- or CIDRSet-based policies).
5. How is Cilium's integration different from Calico's integration?
- 1 participant
- 17 minutes