►
From YouTube: Istio Spire Integration with Workloads on K8S & VMs
Description
Interested in using Spire as your identity provider for your Istio service mesh? How does it work with your workloads running on Kubernetes and/or VMs? In this hoot livestream, Max Lambrecht and Christian Posta will join Lin to discuss all things you need to know about the newly added Spire integration to Istio 1.14 release.
#istio #spire #servicemesh #kubernetes #cloudnative #security
00:05 welcome + speakers intro
2:39 service mesh and Istio news
4:40 discussion around Spire integration with Istio Service Mesh
15:28 Istio Spire integration architecture
22:20 Live DEMO + answer live questions
41:10 Discussion around Spire + Istio + VM
45:15 wrap up
A
Welcome
to
today's
hoots
live
stream
interested
in
using
style
as
your
identity
provider
for
istio
service
mesh.
How
does
it
work
with
your
workloads
running
on
kubernetes
or
maybe
even
on
vms?
In
this
whole
live
stream?
Max
and
christian
will
join
me
to
discuss
all
the
things
you
need
to
learn
about.
The
newly
added
spell
integration
to
the
upcoming
is
your
1.14
release
sometime
in
may.
A
B
Sure
hello,
thank
you
for
having
me
on
I'm
a
senior
software
engineer
at
hpe,
so
I
joined
cycle
in
2018
and
started
working
on
spiffy
and
spire
projects
and
libraries
become
maintainer
of
the
spf
library
and
then
some
years
later,
cypher
was
acquired
by
hpe
and
started
working
on
project
mithril.
This
is
the
code
name
for
this
project
whose
main
goal
is
integrating
spire
into
eastern
identity
control,
plane
and
before
all
this,
I
I've
mostly
been
on
java
server
developer
for
many,
probably
in
too
many
years.
C
Yeah
thanks
for
joining
us
here
max
and
thanks
for
anyone
on
the
live
stream,
or
anybody
that
watches
this
afterward,
but
I'm
christian
posta,
I'm
the
global
field
cto
here
at
solo,
I've
been
here
for
quite
quite
a
long
time
been
involved
with
istio
since
the
very
beginning
and
recently
just
published
a
book.
Actually
I
happen
to
have
it
right
here,
istio
in
action
that
came
out
a
few
weeks
ago
about
a
month
ago,
now
so
yeah
look.
I'm
super
excited
about
this
contribution
max.
A
A
A
The
second
news
I
want
to
share
is
vmware
has
published
an
interesting
report
on
kubernetes
is
here
to
stay,
and
why
so
they've
done
a
state
of
kubernetes
surveys
so
totally
check
this
out.
One
thing
really
interesting
in
this
survey,
though
I
thought
was:
security-
is
still
a
top
priority,
as
even
as
kubernetes
getting
easier
and
multi-cluster
multi-team
for
security
is
continue
to
be
a
top
priority
for
organization.
Many
of
them
still
have
concerns
in
this
area.
A
I
think
this
is
exactly
what
we
are
doing
in
istio
and
what
solo
is
driving
around
the
service
smash
ecosystem
too.
The
third
news
I
want
to
quickly
share
is
our
next
episode
has
been
announced,
so
we're
going
to
talk
to
the
special
spectral
cloud
team
during
to
talk
about
the
declarative,
kubernetes
lifecycle,
management
across
multi-cluster
and
multi-cloud
with
cluster
api.
So
very
excited.
You
learn
more
about
cluster
api
from
the
spectral
cloud
team.
A
B
Well,
it
was
a
whole
learning
experience
not
just
for
me,
but
for
a
whole
team
here
at
hpe.
But
istio
is
not
my
area
of
expertise.
Really.
We
haven't
had
much
experience
with
history
internals
before
so.
For
some
time
we
explore
the
code,
the
internals
of
istio,
to
understand
all
the
components,
architecture,
how
everything
works
and
is
connected
and
started
thinking
about
where
this
integration
with
spire
could
be
achieved.
So
we
did
a
proof
of
concepts.
B
Then,
basically,
we
wrote
proposal
document
and
started
joining
the
istio
networking
and
security
working
group
meetings
to
discuss
it,
so
we
got
feedback
and
suggestions
to
rework
the
approach
and
to
improve
the
integration.
And
finally,
after
a
couple
of
months,
we
we
were
able
to
submit
this
pull
request
with
integration
to
instill
incogripo.
B
It
received
very
good
stigma
from
the
community,
so
we
worked
through
many
comments.
Many
useful
comments
to
improve
the
implementation
until
we
finally
got
the
approvals
we
needed
to
to
to
merge
the
dpr,
so
it
was
finally
merged
and
we
are
very
happy.
I
think
it's
very
important
for
foreign
spire
projects.
It's
something,
sorry
that
the
speedy
community
had
been
looking
forward
to
for
four
years.
At
least
it's
a
it's
a
big
deal
really,
and
I
want
to
thank
you,
lynn
and
all
the
ac
maintainers
for
your
support
pushing
this
forward.
A
A
B
C
A
C
Now
we
have,
you
know
a
a
separate
and
more
complete
way
of
looking
at
identity
that
is
not
tied
to
kubernetes
but
includes
and
can
use
coup
and
be
a
part
of
kubernetes
that
can
extend
out
to
all
of
these
different
ways
for
integrating
vms
attesting
their
identity
and
testing
those
workloads
and
and
continuing
to
play
nicely
within
the
the
istio
model
of
security.
So
I
would
say:
that's
the
leading:
that's
that's
one
of
the
most
important
and
most
exciting
parts,
and
most
you
know
widely.
C
A
lot
of
people
were
waiting
for
this.
Now
I
would
say
that
you
know
using
istio
and
vms
is,
is
still
very
much
possible.
We
have
a
lot
of
people
that
are
that
are
doing
that.
They
just
kind
of
contorted,
I
would
say
their
automation
and
and
the
way
they
they
bootstrapped
the
vms
and
integrated
them
with
the
with
the
with
the
service
mesh
to
these
constraints
and
assumptions
that
were
already
there.
But
now
this
this
opens
up.
The
things
are
far
more
flexible
in
this.
This
way.
A
Yeah
totally,
I
I
remember
going
through
the
vm
documentation.
We
have
in
istio
io
right.
It's
just
a
lot
of
manual
steps.
Users
have
concern
to
transfer
the
keys
and
search
over
the
wire
to
the
vm,
so
I
totally
agree
on
that
perspective
max.
What's
your
perspective
on
what
problem?
This
is
solving
forward
user.
B
Yeah,
from
my
perspective,
I
I
think
inspire
enables
a
vast
array
of
features.
Some
flexibility
so
aspire
is
the
completing
implementation
of
the
spf
specifications
so
specific
spec
this
that
defines
the
spfid
that
was
already
using
by
used
by
by
istio,
and
it
also
defines
the
vocal
api,
the
spifferation,
the
truss
bundle
usb
this
spf
verifiable
identity
documents.
B
Inspire
is
implemented
using
a
plugin
oriented
architecture,
so
it's
very
extensible
and
on
what
spire
I
think
brings
to
the
table
is
strongly
attested
identities.
So
spire
leverage
is
a
powerful
multi-factor
station
engine
to
determine
with
certainty
the
issuance
of
identities
and
this
multi-factor
station.
So
it's
extensible.
You
can
combine
different
station
mechanisms
to
determine
if
our
global
calling
the
conspire
it
should
be
given
an
identity,
and
I
think
that
the
main
tenet
here
is
that
a
certain
trust
through
multiple
independent
mechanisms
provides
a
greater
assertion
of
trust.
B
So
you
get
robust,
attested
identities,
so
you
can
define
a
policy
to
assign
an
individual
service
based
on
selectors
that
may
come
from
kubernetes
docker
unix
kernel,
so
you
can
combine
different
station
mechanisms
different
a
tester,
and
there
are
many
that
spire
comes
and
spy
provides
out
of
the
box.
You
can
and
you
can
create
your
own
testos
based
on
your
needs,
your
platform,
your
configurations
and
I
would
say
that
strong
identities
through
multi-factor
extensive
attestation
is
the
main
capability
aspire
brings
to
the
table.
B
There
are
there
are,
as
we
mentioned.
Sometimes
you
may
need
to
integrate
with
system
pki
with
existing
certificate
authorities,
so
you
can
use
a
plugin
to
integrate
with
an
existing
certificate
authority
or
maybe
you
you
may
have
specific
requirements
for
storing
your
private
keys.
So
you
can
use,
for
example,
spire
key
management
plugin
to
store
your
product
keys
in
aws,
or
you
can
implement
your
own
key
management
system
or
sometimes
you
want
to,
or
you
may
be
required
to
use
hardware
based
at
the
station.
B
So
you
can
use
tpm
tester,
that's
by
device,
or
you
can
also
implement
your
your
own
at
the
station
model
and
yeah.
There
are
spy,
for
example,
can
help
improve
the
observability
of
your
whole
infrastructure,
as
you
can
have
logs
and
events
like
critical
events
like
identity
issuance
identity,
registration
view,
registrations,
certificate
rotations,
and
I
think
all
this
can
help
provide
a
more
complete
view
of
your
infrastructure.
B
A
D
B
B
In
a
default
ec
configuration
ico
connects
to
the
installation
for
the
sds
communication
to
get
there,
it's
secretive
as
a
certificate
to
get
this
identity.
Now
it
will
connect
to
this
socket
on
this
fixed
path.
So
we
have
changed
with
our
implementation.
The
envoy
bootstrap
configuration
file
to
always
connect
to
this
fixed
path.
B
This
fixed
socket
path,
so
it
will
be
either
installation
or
other
ca
or
could
be
aspire
and
mount
in
this
socket
for
providing
the
sds
api
in
this
case
in
this
diagram
envoy
is
connecting
to
this
socket
is
asking
expiration
through
the
sds
api
for
its
identity,
and
you
will
get
all
the
certificates,
the
trust,
bundle,
the
ex-finance
certificates
and
private
key.
That
envoy
needs
to
do
secure
communication
in
a
data
plane,
and
here
it
takes
place
a
very
important
process,
that
is
the
local
attack
station.
B
So,
when
envoy
proceed
calls
the
sds
api
inspiration,
the
process
is
attested
using
all
the
workload
attestation
mechanisms
configured
inspire,
checking,
possibly
multiple
selectors,
like
docker
images
running
in
the
pod
docker
image,
calling
the
spiration
the
unix
user
id
or
group
id
of
the
process
running
the
the
move
proxy.
Also
kubernetes,
nine
space
or
service
account
can
be
used.
So
all
this
information
can
be
used
combined
to
decide
whether
to
give
an
identity
to
a
particular
android
proxy
calling
the
sds
api
inspiration.
B
C
B
No,
that's
a
matching
of
all
these
through
workload
station
expiration
with
other
evidence,
selectors
of
that
workload
a
and
with
the
registration
entries
these
policy
identity,
mappings
will
define
which
identity
to
give
to
that
and
we
proxy
that's
calling
the
expiration.
I
will
show
that
in
the
in
the
demo
sure
how
these
identity
policies
are
defined
with
different
selectors,
so
aspire
can
know
which
identity
to
give
to
a
specific
android
proxy.
B
So
and,
and
then
once
the
envoy,
god
its
secrets
from
inspiration,
it
will
connect
to
a
situation
for
all
the
dynamic
configuration
for
the
clusters,
listeners
and
endpoints
that
are
generated
by
history
and
are
provided
by
by
institution
starting
the
xds
server,
as
is
usually
done
by
by
issue.
We.
We
didn't
change
that.
B
D
B
A
B
B
The
side
cycle
injector
I'm
mounting
through
using
a
csi
driver,
I'm
mounting
the
the
socket
the
spiration
socket
on
this
path,
and
that's
the
only
thing
that
I'm
doing
with
this
integration,
that
in
the
descent
and
the
integration,
so
if
the
socket
is
mounted
on
the
part,
the
issue
is
situation
when
detected,
and
you
will
let
anybody
process
connect
to
that
socket
and
that's
the
magic
of
all
this
integration
that
you
don't
need.
Any
special
configuration.
A
B
C
A
That's
a
great
point:
yeah,
I'm
sending
the
issues
pr
to
our
chat.
So
if
you
are
interested,
please
help
us
review
and
even
test
the
steps
the
pr
is
currently
under
active
review.
Now
we
have
another
question
from
our
friend
faye:
do
you
need
special
linux
capability,
privilege,
long
route
etc?
To
run
spell
agent.
B
A
C
B
B
D
B
B
B
B
It's
using
a
kubernetes
psat,
a
tester
to
establish
trust
between
inspiration
and
spy
server,
and
I'm
here,
I'm
defining
five
selector,
a
six
selectors
for
mapping
this
identity
to
a
to
a
to
a
process.
So,
for
example,
the
docker
image
do
calling
the
expiration
sds
api
should
have
this
docker
image
id
with
this
sha
2
56,
the
name
space
quantizing
space
will
be
default
and
there
should
be
a
second
docker
container
docker
image
container
running.
B
This
will
be
the
actual
local
image
of
the
book
info
details
service
and
then
there
should
be
a
label
on
that
port.
With
details,
a
service
account
should
be
this
and
the
pros
unix
user
id
of
the
process
calling
the
the
expiration
sds
api
should
be
this
one.
So
expiration
will
be
combining
all
these
six
selectors
to
that
that
match
that
should
match
the
process.
Calling
the
envoy
proxy
calling
the
the
api
it's
just
one
selector
of
this
six
is
that
it
doesn't
match.
You
will
not
get
the
the
identity
so.
A
D
A
B
B
So
for
that
period
it
will
inspiration,
will
cash
the
certificates
and
will
provide
a
certificates
to
workloads
from
the
from
the
cache
and
before
the
certificate
expire
aspire.
It
will
ask
the
spy
server
for
the
new
ones,
so
the
the
certificate
will
be
provided
in
a
very
fast
way,
very
quickly
and
very
efficient
way.
D
A
B
A
B
A
That's
great,
this
is
so
exciting.
I
I
guess
I
want
to
pick
christians
foreign
next
to
you
know
to
ask
you
christian
what
if
I
have
workloads
running
on
vm
and
I
want
to
use
spell
as
my
identity
provider.
Do
you
see
that
as
a
common
user
cases,
I
know
you
recently,
you've
done
a
lot
of
work
in
their
area
or
anything
you
want
to
share
with
our
audience.
C
C
E
C
So
you
know
running
the
istio
proxy
in
a
white
box
mode
just
means
hey,
everyone
can
see
it
and
if
you're
going
to
use
the
service
mesh,
the
workloads
running
locally
have
to
communicate
directly
with
the
proxy
right.
Instead
of
talking
to
example,
you
know
servicea.example.com
they'll
talk
to
localhost
colon
7001
or
something
right.
They
are
specifically
talking
to
the
proxy
or
maybe
you're
using
the
hdb
proxy,
but
you
know
you're
forcing
the
app
to
do
it
that
way,
but
nevertheless,
redirection
happens
explicitly
to
the
white
box
mode
proxy.
C
The
proxy
is
getting
its
certificates
from
the
spire
agent
and
you
know
there's
some
setup
that
has
to
go
in.
You
know
registering
the
the
agent
a
little
bit
ahead
of
time
and
that
kind
of
stuff,
but
but
then
you
get
the
spire
issued
spiffy
identities
that
are
then
compatible
with
the
istio
running
in
the
in
the
cluster,
the
kubernetes
clusters,
as
well
as
the
vms.
So,
like
I
said
I'm
this
close,
I
didn't
have
the
time
to
to
figure
out
that
dns
thing
that
I
was
seeing.
A
A
Users,
well
as
identity
provider.
I
think
that's
super
interesting
yeah.
Well,
that's
a
fantastic
demo
max!
You
showed,
I
feel,
like
I've
learned
quite
a
lot
today,
like
there's
no
change
to
the
control
plane
of
istio
right.
The
only
change
is
in
the
data
plane
to
enable
this.
The
change
to
issue
is
really
simple.
You
just
change
the
cycle,
template
to
add
the
the
new
socket
and
then
deploy
the
spell
agent
and
spell
server
and
then
you're
pretty
much
ready
to
go,
and
then
you
can
craft
your
attestation
registration
rules.
A
B
Yeah,
I
would
like
to
mention
that
when
you
have
a
cluster
with
a
lot
of
identities
to
map,
there
is
an
extension
of
spire
server.
This
is
fire
kubernetes,
vocal
register
that
implements
a
validation
and
mission
record,
and
this
facilitates
automatic
workload.
Registration
within
kubernetes,
so
entries
is
the
registration
entry.
This
identity
policies
will
be
automatically
created
for
pots,
and
so
you,
you
will
have
more
or
less
flexibility
how
to
define
these
identities
based
on
the
on
the
mode
you
you
use
with
this
registrar.
C
E
D
B
Yeah
you
can
reach
me
out
on
spfislac,
I'm
on
speaker,
slag
or
and
you're
enjoying
also
speeches
luck,
and
there
is,
it's
also
a
great
place
to
ask
questions,
and
there
are
a
lot
of
amazing
people
who
are
willing
to
help
you
out.
So
please
don't
hesitate
to
ask
questions
or
ask
for
help
on
this
if
you
like
a
special
slag
or
just
send
me
a
dm
on
speedy
vloggers
with
the
initial
slack,
I
really
more
than
willing
to
to
help
you
and
also
let
me
get
in
on
twitter.
A
That's
awesome:
we
got
exposure
comment
about
interested
in
the
deploy
spell
file
you
made
so
max.
I
will
work
with
you.
Offline,
maybe
publish
the
demo
instructions
you
have
today.
Certainly
we
got
a
lot
of
interest
from
our
audience
today
with
that.
I
want
to
thank
our
wonderful
speakers,
especially
max
for
pulling
out
a
demo
explaining
us
the
architecture
and
everything
I
feel
personally.
I've
learned
quite
a
lot
today
too.
So
thank
you
so
much
and
thank
you
for
christian
for
discussing
this
work
and
we
look
forward
to
your
vm
demo
too.
A
So
folks,
I
want
to
you
know,
thank
you,
everyone
for
joining
and
I'm
super
grateful
for
everyone
who
liked
our
past
hood
live
stream,
who
subscribed
to
our
channel
so
really
really
appreciate
that
please
hit
the
subscribe
button.
If
you
don't
want
me
any
of
our
future
episodes
and
happy
learning,
we'll
see
you
next
tuesday
thanks
everyone.