►
From YouTube: TGI Kubernetes 094: SPIFFE and SPIRE
Description
Show notes at https://github.com/vmware-tanzu/tgik/tree/master/episodes/094
SPIFFE/SPIRE content starts at 16:55.
Come hang out with Joe Beda as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Joe talking about the things he knows. Some of this will be Joe exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
This week we are looking at SPIFFE and SPIRE! These are CNCF projects that help to give workloads identity that can be used across all sorts of infrastructure. Learn about the ideas here, watch me deploy SPIRE to k8s and ask questions about where this stuff is going.
A
Alright,
hello,
everybody
happy
Friday,
my
name
is
Joe
Beda,
and
this
is
TG
I
kubernetes,
a
weekly
ish,
YouTube
stream,
where
I
play
with
or
one
of
the
other
folks
that
I
work
with
plays
with
something
new
or
teaches
something
new
about
the
kubernetes
world.
We
are
on
episode
94
today
we're
going
to
be
covering
spiffy
and
spire,
and
if
you
don't
know
what
those
it
are
don't
worry
about,
it
I'll
tell
you
all
about
it.
A
So,
a
little
bit
about
me,
I'm
at
VMware,
I'm
principal
engineer,
I
also
I
started
doing
TGI
kubernetes
at
the
startup
that
I
found
it
hep
to
you
and
I'm.
Also
one
of
the
folks
who
helped
get
the
kubernetes
project
started
while
at
Google,
and
so
super
excited
to
be
doing
this.
This
this
episode
is
a
long
long,
long
long
time
in
the
making
so
yeah.
So
let's,
let's
jump
in
and
get
started
well.
A
First
of
all,
I
like
to
say
hello
to
all
the
folks
that
are
joining
from
around
the
world
as
I
like
to
say,
this
is
the
absolute
worst
time
for
me
to
be
doing
this
live
stream.
It
sounds
like
a
good
idea
when
you're
on
the
west
coast
of
the
US,
but
for
everybody
else,
they're,
like
you
know,
I
would
drink
it
on
a
Friday
night
or
asleep,
or
it's
like
you
know,
Saturday
mornings,
absolute
worst
time,
but
here
we
go
folks
join
me.
Regardless
we
have
Olav
and
denmark.
A
We
have
Andrew
who
works
on
the
spiffy
project
at
Scytale,
thanks
for
helping
out
Andrew,
get
making
sure
that
everything's
ready
to
go
Rory
from
the
scottish
highlands.
L'm
addy,
who,
like
doesn't
miss
a
show.
I
love
it.
Man,
martin
from
the
netherlands,
and
deep
good,
to
see
you
grant
who
could
just
join
us
here
at
vmware.
Welcome,
grant
brad
from
Virginia
Duffy
who's
done
a
lot
of
TGI
Caze
in
the
past
so
and
Xavier.
Also
one
of
the
one
of
my
co-workers
here:
SF
comp
bought
from
the
site,
l
SF
off-system.
A
Let's
see
Alexander
from
Brazil
Daniel
from
st.
Louis
Nuno
from
Portugal
Steve,
another
coworker
how's
it
going
Steve
Catherine
a
product
designer
over
at
side,
tail
yeah,
I'm,
gonna,
talk
about
the
colors!
Don't
worry
about
that!
Okay,
Elko
from
the
Netherlands
Theo
from
Greece
Shahar
from
Atlanta
Kevin
from
Australia
Mallikarjun
from
India
Daniel
from
Minneapolis
Gregor
from
Moldavia
venkat
from
India
boom
amar
from
New
Jersey.
So
so
welcome.
Welcome
Marcos
from
me
and
Argentina
err.
I
got
to
stop
Aaron
from
Orange
County
who
just
passed
the
certified
kubernetes
application
exam.
A
Congratulations!
There
Erik
from
ctek
down
the
way
steve-o
from
Germany
Gary
from
Florida
Ryan
from
ctek,
also
max
from
Argentina
a
lot
of
folks
from
ctek
Alex
from
IRC.
Okay,
I
have
an
embarrassing
story
about
see:
Jack
Robert
from
Maryland
very
cool
yeah.
So
it
took
me,
I've
been
lived
in
Seattle
for
like
five
years
before
I
realized
that
SeaTac
was
named
after
Seattle
and
Tacoma
I
thought
it
was
some
sort
of
military
thing
like
like
see
tactical
or
something
like
that
totally
like
over
my
head.
Alright,
so
welcome
everybody!
A
A
Okay,
so,
let's
start
going
through
this,
so
the
first
thing
I
want
to
call
attention
to
is:
there's
the
CV
we
talked
about
this
last
time.
This
is
what
the
billion
laughs
I
think
was
the
name
that
they
gave
it,
which
is
essentially
an
expansion,
denial
of
service
attack
for
yamo
right,
and
so
this
stuff
is
all
patched
now,
and
so
it's
called
billion
laughs,
not
million
laughs,
and
so
you
can
like
look
through
all
the
nitty-gritty
details
of
sort
of
like
patched
and
what's
happening
and
all
that
there's
a
lot
here
holding
it's.
A
A
What
did
this
do?
Oh,
oh,
this
is
a
denial
of
service
with
poorly
crafted
x.509
certificate.
So
apparently
this
is
something
to
be
aware
of
also
so
good
to
know.
Okay,
let's
see
we
also
have
a
cig.
Api
Machinery
gave
a
really
good
update
here,
so
in
the
kubernetes
community,
API
machinery
is
a
is
essentially
the
sort
of
core
API
model
the
plumbing.
For
that
this
is
really
where
CR
DS
land,
which
is
our
you
know,
probably
the
core
extensibility
mechanism
for
kubernetes
right
now,
so
they're
now
GA.
A
There
are
some
things
that
folks
need
to
remember
so
structural
schemas,
a
lot
of
technical
details
but
stuff
on
there,
which
is
really
good
admission.
Wed
webhook
also
is
mature.
So
a
lot
of
these
core
things
are
finally
hitting
GA,
which
is
very,
very
exciting.
The
big
effort-
and
this
is
something
that
Daniel
has
been
working
on
for
approximately
forever-
is
the
server
side
apply
stuff.
So
there's
a
lot
of
good
discussion
and
beta
stuff
going
on
there
more
work
on
CR,
DS
upcoming,
so
lots
of
good
stuff
there.
A
One
thing
to
be
aware
of
is
that
a
lot
of
times
when
you're,
generating
your
CR
DS
or
you're
using
something
and
you
need
to
give
a
namespace,
it's
really
tempting
to
do
like
kubernetes
io
as
the
namespace,
because
that's
what
you
see
a
lot
of
the
built-in
objects
using
well
we're
trying
to
lock
those
things
down
and
have
that
just
be
for
the
official
kubernetes
stuff.
And
so
you
should
be
doing
something
for
your
own
stuff.
A
You
should
be
using
your
own
domain
for
name
spacing
these
things,
so
we're
trying
to
get
a
little
bit
more
strict
about
that
over
time,
and
so
there's
a
there's,
a
cap
and
we're
making
it
part
of
the
review
process
here
and
then
yeah.
So
there
you
go
so
this
was
actually
presented
at
the
at
the
the
weekly
kubernetes
meeting,
which
I
encourage
everybody
who's
in
the
kubernetes
community
and
wants
to
learn
about
of
stuff
should
definitely
definitely
check
out.
A
So
that's
every
Thursday
at
10:00
a.m.
I
want
to
say
is
when
it's
at
yeah
it's
a
10:00
a.m.
okay,
1.17
enhancements
are
now
frozen
and
then,
if
you're
worried
about
sort
of
what
the
schedule
looks
like
for
releases,
there's
a
whole
timeline
with
sort
of
like
when
there's
cherry
picks
and
when
the
target
date
is,
and
so
that's
good
to
sort
of
see
that
the
execution
cadence
of
doing
a
release
is
going
on
there.
A
A
What
happens
when
I
when
I
press
that
nothing?
Yet?
Okay?
Okay?
So
it's
a
specification
for
like
describing
it's
like
it's
a
Hamel
schema,
but
the
goal
of
the
ml
schema
is
to
be
able
to
deploy
this
to
to
both
be
simpler
than
kubernetes,
so
not
as
many
capabilities
but
then
also
being
able
to
deploy
this
to
places
other
than
kubernetes
and
then
paired
with
this
is
this
thing
called
rudder,
which
is
the
implementation
for
applying
this
to
kubernetes,
and
so
it's
interesting
I.
Think
I.
A
A
It
was
one
of
these
things
where
we
want
to
have
a
common
format
that
can
be
used
across
multiple
different
implementations,
and
what
we
found
over
time
is
that
there's
inconsistency
for
how
these
things
are
interpreted,
and
then
you
end
up
with
this
annotation
sprawl.
There's
this
interesting
idea
in
the
called
traits,
which
is
to
say
essentially
a
way
of
applying.
A
It's
something
that
I
need
to
actually
dig
into
a
little
bit
more,
but
so
here's
like
a
manual
scalar
trait
that
you
can
apply,
and
then
this
says
that
there's
a
replica
account
object,
and
it's
so
like
do
they
have
an
example
of
like
using
this
I
don't
so.
This
is
interesting.
Stuff
I
need
to
learn
more
about
it.
A
I
think
you
know
looking
sort
of
knowing
how
things
work
in
Microsoft,
I,
believe
and
I'm
guessing
here
that
there's
some
historical
context
where
there
have
been
different
teams
at
Microsoft
that
have
wanted
to
do
stuff
in
the
similar
space,
specifically
the
folks
around
kubernetes.
But
then
Microsoft
has
this
framework
that
they
use
a
lot
internally
called
service
fabric,
and
one
of
the
goals
out
of
this
is
to
actually
have
a
way
of
describing
applications
that
can
actually
deploy
to
either
one
of
those
probably
a
great
thing.
A
So
that's
that
then,
the
other
project
is
this
thing
and
I
haven't
had
a
chance
to
look
at
this
as
closely
called
dapper,
which
is
an
event-driven
portable
runtime
for
building
micro
services
on
cloud
and
edge.
The
idea
this
mean
like,
if
you
like,
like
let's
see
they
have
like
there's
a
diagram
that
I
think
starts
to
show
up
in
the
docs,
and
so
this
is
as
far
as
I've
gotten
really
but
I
think
this
is
something
I
want
to
dig
into
at
some
point
for
sure,
because
it
looks
really
interesting.
A
So
they
generally
when
running
on
kubernetes
they
and
it
is
kubernetes
specific.
They
essentially
run
a
sidecar
to
your
code
and
that
sidecar
manages
actually
driving
the
request
in
and
out
of
the
code,
so
they
essentially
take
a
bunch
of
the
stuff
to
adapt
you
to
be
able
to
consume
and
push
back
and
all
that
for
four
different
data
sources
and
stuff
they
put
that
into
a
sidecar
and
then
Polly
that,
like
keeps
your
code,
super
duper,
simple,
I!
Think
that's
how
it's
supposed
to
work!
I,
don't
know
it's
gonna
be
really
interesting.
That's
something!
A
I
have
to
dig
into
at
some
point
and
learn
a
little
bit
about
it.
Okay,
other
stuff,
that's
interesting
from
around
there's!
This
thing
called
go
to
Goldilocks,
which,
from
the
fairway
knobs
folks
that
used
to
be
called.
Oh
god,
what
was
their
previous
name?
It
was
reactive,
ops,
and
so
this
is
a
thing
that
it
helps.
A
You
use
vertical
Pato
scaling,
which
is
a
way
of
essentially
helping
to
set
your
limits
and
requests
on
your
workloads,
which
is
something
that
a
lot
of
folks
have
problems
with
in
terms
of
setting
those
things
right,
and
so
this
I
don't
know
exactly
what
it
does,
but
it
looks
like
it
helps
you
to
actually
create
a
VP
air
for
each
deployment,
a
namespace
and
automatically
set
some
and
stuff
like
that.
So
works
with.
Maybe
it's
like
a
UI
or
something
that
works
with
VP
a
so
something
I
want
to
dig
into.
A
Also
I
think
it'd
be
really
really
interesting,
that
in
vertical
pod,
auto
scaling
in
general
I
think
would
be
a
good
episode
to
actually
dig
into
because
being
able
to
set
limits
and
request
ends
up
being
a
really
hard
thing.
So
that
looks
really
cool.
Let's
see,
there's
a
couple
other
things
there's
this
Keiko
project,
which
is
a
if
you
look
at
sort
of
the
main
repo
here
it
you
know,
is
a
bunch
of
components
for
helping
to
manage
lifecycle
of
clusters.
A
A
Another
way
of
managing
clusters,
and
is
it
from
Intuit,
is
the
is
the
Keiko
stuff
from
Intuit
Duffey
and
then
cruise
automation
actually
has
this
thing
that
they
open
source
called
K
rail,
which
is
essentially
an
enforcement
tool
for
a
bunch
of
policies
that
you
want
to
do
so
yeah.
So
argo
is
the
argo
project
is
prime
early
sponsored
by
into
it,
which
is
very
cool.
I
want
to
do
another
episode
on
that.
A
Looking
at
the
CD
stuff,
I
didn't
realize
that
the
Keiko
stuff
was
from
them
also
and
Duffy's,
saying
that
a
lot
of
meat
use
of
CRTs
and
operators
I'd
love
to
look
at
that
in
the
context
of
of
cluster
API
overtime,
because
I
think
there's
probably
a
lot
of
a
lot
of
shared
ideas.
There,
ok
and
then
so.
This
does
a
bunch
of
sort
of
like
like
ok.
A
If
you
want
to
do
a
multi-tenant
or
lock
down
kubernetes
cluster,
what
do
you
need
to
do,
and
so
you
know
they
just
open-source
this,
but
this
essentially
brings
together
a
whole
bunch
of
policies.
It's
interesting
to
me
that
this
is
sort
of
us
I
think
this
is
a
separate
program
where
you
essentially
write
go
code
for
this
stuff.
A
lot
of
the
similar
stuff
can
be
done
with
something
like
OPA,
where
you're,
essentially
writing
more
dynamic
rules
there.
A
So
I
think
it'd
be
interesting
to
actually
look
how
many
of
these
policies
could
be
re-implemented
with
OPA.
How
much
should
we
actually
sort
of
take
these
things
and
say
here's
recommendations
outside
of
the
way
that
you
apply
them
so
some,
but
it
looks
like
some
really
good
sort
of
checklist
of
things
that
you
should
be
aware
of.
A
I
just
really
wanted
to
point
that
out:
hello,
Tamiko
how's
it
going
to
Meco
tamiko's
another
co-worker
and
then
kubernetes
forums
which
are
like
I,
don't
know.
Is
it
safe
to
call
mini
cube
cons,
I'm
kubernetes
day
they're?
Essentially,
these
sort
of
like
ways
for
folks
to
get
together
talk
about
kubernetes,
bigger
than
a
meet-up
there's
one
coming
to
Bengaluru
and
Delhi
in
February,
and
so
they're
CFP
is
open
for
that.
A
If
you
want
to,
if
you
want
to
ask
I
check
it
out,
okay,
so
sixteen
minutes
I
try
and
get
through
this
stuff
pretty
fast.
Hopefully,
hopefully,
that's
some
interesting
stuff
for
you
all
to
go
and
check
out.
Okay.
Let's
talk
spiffy
inspire.
Unless
anybody
has
many
cute
con
sounds
about
right:
okay,
good,
unless
folks
have
any
other
things
that
they
want
to
cover
in
terms
of
news
of
the
week
Oh
Sunil
Sunil
is
the
CEO
of
site
tail
who's,
the
the
main
sort
of
startup
sponsor
behind
spiffy
inspire.
A
What's
the
abc123
says,
cube
kanji
and
ego
is
one
month
away
yet
sneaking
up
on
us.
The
conference
season
is
starting.
I
got
like
VMware
world
in
Barcelona,
cube
con
and
reinvent
is
where
I'm
going
to
be
over
the
coming
months,
so
pretty
busy
travel
schedule.
Alright,
so
spiffy
is
an
acronym
that
stands
for
secure
production,
identity
framework
for
everyone.
A
This
is
again
so
I
actually
started
this
thing,
but
I
haven't
been
as
involved
as
I'd
like
to
be
recently.
This
is
a
great
example
of
domain
based
naming,
as
in
I
got
the
domain.
So
that's
the
name,
and
so
the
idea
here
is
to
solve
a
problem
of
you
have
service
a
and
we
say
micro
services
now,
but
you
have
service
a
talking-to
service
B.
How
can
we
make
it
so
that
they
actually
identify
and
trust
each
other,
and
how
can
we
make
that
be
as
transparent
and
automatic
as
possible?
A
Now
this
was
I
started
this
before
we
started
hefty,
oh
and
so.
There's
I
essentially
started
by
writing
a
design
doc
I'm
in
March,
2016
and
I
presented
this
at
Glu
con.
You
can
see
the
original
logo
there
and
it
turns
out
that
if
you
read
that
barcode,
it
actually
says
spiffy
I
thought
that
was
really
cute
but
I.
A
You
know
you
can
look
at
the
slide
deck
and
speaker
notes
for
this,
but
this
was
you
know
roughly
based
on
some
of
the
systems
that
we
had
at
Google
and
in
terms
of
usability
and
some
of
the
qualities
that
we
got
out
of
it.
It's
it's
not
a
exact
clone
of
it,
but
it's
sort
of
inspired
by
the
system
at
Google
called
Louis,
which
stands
for
a
lightweight
something
object,
is
lightweight.
I
authentication
service
or
something.
A
The
idea
here
is
to
make
it
easy
to
give
identity
of
things
and
have
them
be
able
to
prove
identity
to
each
other
and
be
able
to
validate
the
identity
of
other
folks.
Now,
low-overhead
authentication
service
is
the
official
acronym
for
Louis.
The
the
the
idea
here
is.
Let
me
go
back
to
that
to
the
main
page
here
we
talk
about
identity
and
I.
Think
this
is
one
of
those
things
that
it
took
a
while
for
me
working
in
this
world
to
really
sort
of
have
click.
A
For
me
a
lot
of
times
we
we
merge
together
ideas
of
authentication,
authorization,
identity,
access
management
directory.
All
of
these
things
sort
of
often
end
up
working
together,
but
there's
often
a
useful
way,
there's
often
useful
reasons
to
try
and
tease
these
things
apart,
and
so
when
you
talk
about
identity,
that
is
like
what
is,
can
you
give
something?
A
name:
can
you
give
it
a
a
name
who
is
it?
Okay,
you
talk
about
directory
directory
is
well
what
groups
does
this
identity
belong
to
or
give
me
the
list
of
identities.
A
A
That
I
believe
that
that's
the
case
that
they
are
who
they
say.
They
are
that's,
essentially
the
problem
that
we're
trying
to
solve,
and
it's
a
fairly
well
scoped
problem
that
we're
working
on
here
and
then
on
this.
You
can
layer
other
things
like
directory
and
access
management
and
all
the
other
things
that
I
was
talking
about
there,
but
I
think
oftentimes.
We
view
these
things
as
a
as
a
bundle
but
really
I
think
when
you
start
digging
into
it.
A
A
Right,
okay,
so
now,
let's
talk
about
service
meshes,
so
one
of
the
things
that
service
meshes
do
is
when
you
look
at
something
like
especially
sto,
link
or
D.
More
recently,
is
they
really
do
roughly
three
different
things,
so
the
first
thing
that
they
do
I
think
this
is,
you
know
and
different
people
actually
come
in
service
meshes
looking
for
different
benefits.
A
The
first
thing
that
service
meshes
do
is
they
automatically
do
encryption
and
some
level
of
authentication
oftentimes?
This
is
not
exposed
to
the
application,
so
this
all
happens.
Sort
of
at
this
sort
of
service
mesh
layer
without
involving
the
application
I
actually
think
that
that's
a
mistake,
I
think
oftentimes,
knowing
the
identity
of
the
caller's
and
who
you're
talking
to
is
an
important
piece
of
the
of
the
application
level,
but
but
oftentimes
this
has
happens
at
the
surface
mesh
level.
Other
things
that
service
meshes
do
is
they
give
you
a
dynamic
routing?
A
You
can
actually
sort
of
have
a
translation
of
like
well.
This
name
in
this
case
translates
to
this
set
of
services
or
backends
and
make
that
be
much
more
dynamic,
and
then
they
also
offer
a
useful
choke
point
for
doing
any
sort
of
metrics
monitoring
observability
of
what's
happening
through
your
traffic.
A
Now
the
downside
for
service
meshes
is
that
it
tends
to
be
they.
They
have
a
tendency,
and
you
know
this
is
a
technical
term
to
turn
into
a
hairball.
There's
a
lot
bound
into
this,
deploying
them
can
be
very
invasive
and
they
tend
to
feel
like
an
all-or-nothing
type
of
thing.
You're
either
in
the
service
measure,
out
of
the
service,
mesh
and
I.
Think
different
approaches
to
what
a
service
mesh
is
do
actually
provide
different
sort
of
choices
in
terms
of
in
or
out,
but
they're.
A
We
designed
spiffy
so
that
it's
fundamentally
federated
we
designed
spiffy
such
that
it's
much
more
able
to
actually
working
with
applications
that
maybe
legacy
for
working
with
proxies
for
working
with
a
bunch
of
different
scenarios
that
don't
require
the
sort
of
total
buy-in
that
a
serviceman
often
becomes,
if
you
all,
think
I'm
being
unfair
to
servers
mess
just
put
it
in
the
chat.
I'd
love
to
hear
what
you
think
about
that,
but
that's
just
kind
of
my
my
take
on
it
all
right,
so
yeah
so
episode.
A
20
is
about
a
hour
ago
when
it
first
came
out
that
was
already
workflow.
Our
go.
Cd
is
really
something
different
and
I.
Think
looking
at
the
argo
project,
as
it
is
now
with
the
set
of
sort
of
components,
and
it
would
actually
be
an
interesting
thing,
what
do
I
mean
by
federal
I'll
get
to
that
in
a
second,
let's
see?
Okay,
so
if
you
click
on
the
about
spiffy
link
here,
a
spiffy
itself
actually
breaks
down
into
three
different
things.
A
So
the
first
thing
is
a
spiffy
ID.
So
I
said
you
want
to
give
things
an
ID.
What
that
really
boils
down
to
is
a
string.
We
want
to
be
able
to
have
a
string
that
represents
an
identity.
Now
we
could
have
used
something
that
looked
like
an
email
address,
but
what
we
didn't
want
to
do
out.
The
gate
was
actually
have
people
think
that
these
things
had
to
be
email
addresses,
and
so,
when
you
look
at
the
spiffy
ID
spec,
what
you'll
see
here
is
that
it
ends
up
being
something
like
this.
A
A
The
trust
domain
ends
up
being
sort
of,
essentially
the
the
authority
for
this
particular
ID
and
then
path
is
a
string.
It
can
be
whatever
you
mean
and
in
some
places
the
path
may
actually
be.
Based
on
the
service
that
you're
talking
to
the
mice
equal
payments
thing
other
places,
it
may
actually
be
related
to
some
sort
of
infrastructure.
Positioning
like
this
might
be
a
kubernetes
thing
where
we're
talking
about
a
namespace
in
a
service
account,
or
it
could
just
be
completely
opaque,
where
it's
just
a
random-ass
string.
That
means
nothing.
A
Anybody,
but
you,
and
so
so.
That's
all
the
spiffy
ID
here
is
is
a
string.
But
by
having
this
this,
this
trust
domain
here.
What
we
can
do
is,
we
can
actually
say:
I
can
have
my
spiffy,
IDs
and
I
know
they
won't
conflict
with
you
with
your
spiffy
IDs
and
then,
if
we
want
to
start
doing
some
sort
of
cross
trust,
we
know
out
the
gate
that
we're
not
going
to
actually
have
conflicting
things.
So
there
is
no
spiffy
ID
called
administrator
right
that
doesn't
exist.
A
Instead,
what
you
have
is
you
have
a
spiffy
idea
which
is
administrator
in
this
context
of
this
trust
domain.
And
so
then
you
can
decide
to
actually
say
you
know
what
I'm
gonna.
You
know,
I'm
gonna,
you
know
trust.
You
know
any
spiffy
ID
from
example.com,
but
example.com
may
not
trust
50
IDs
from
me
right.
So
there
can
be
an
asymmetrical
type
of
trust
and
that's
what
I
mean
we
mean
by
federated,
oh
and
that
these
things
won't
conflict
and
there's
ways
to
establish
trust
relationships.
A
A
That
represents
who
I
am
and
then
somebody
else
can
verify
that
and
the
person
who's
verifying
it
actually
has
have
the
certificate
authority
for
the
trust
domain
that
you're
talking
about
right.
So
so
the
matter
of
trusting
some
other
trust
domain
means
that
you
have
a
certificate
authority
or
a
certificate
bundle
that
is
used
to
be
established,
trust
for
those
things
so
I'm
throwing
a
lot
of
crypto
at
you
all.
If
this
doesn't
make
sense,
let
me
know,
and
I
can
actually
delve
into
this
into
a
lot
more
detail.
A
All
right:
well,
hopefully,
if
you're
not
following
as
we
as
we
make
more
progress,
it'll
make
some
sense,
okay,
so,
finally,
so,
okay,
so
now
we
have
these
documents
that
you
can
use
to
prove
who
you
are,
and
you
need
to
have
the
certificate
bundle
to
be
able
to
trust
other
people.
Well
now.
The
next
problem
here
is:
how
do
you
get
those
documents
right
like
like?
That's
great
certificates
are
wonderful,
but
the
worst
part
about
any
sort
of
certificates.
Any
sort
of
crypto
is:
how
do
you
distribute
those
keys?
A
What
are
the
identities
you
can
act
as
how
do
you
prove
that,
essentially,
the
the
s
vids,
the
I,
verify
those
50
verification
identity
documents?
How
can
you
actually
prove
that
to
other
people?
So
that's
your
private
material
that
you
can
use
to
prove
who
you
are
and
then
the
final
thing
is
the
certificate
bundles.
What
are
the
CA
bundles
that
you
need
to
be
able
to
validate
other
people's
identity
documents,
and
so
those
certificate
bundles
are
not
there?
A
They
they're
not
the
same
ones
used
in
the
browser
to
be
able
to
validate
HTTPS,
because
it
turns
out
that
web
PKI
is
kind
of
a
mess,
and
so
this
is
essentially
lets
us
establish
a
much
more
curated
public,
key
infrastructure
for
production
identity,
and
we
have
explicit
ways
for
a
centralized
system
to
the
Lynne
deliver
decisions
on
whom
you
should
trust
from
a
programmers
point
of
view
right.
So
this
is
all
about
programs
talking
to
programs,
and
so
we
can
actually
do
things
that
are
API
driven.
That
actually
makes
sense.
Now.
A
The
goal
here
is
that
you
run
a
program
that
program
wakes
up
and
then
it
just
can
automatically
based
on
the
environment
around
it
discover
what
it
needs
to
do
to
actually
a
you
know,
discover
its
identity
and
start
acting
inside
the
rest
of
the
world,
and
one
of
the
things
that
we
actually
say
here
is
that
so
the
workload
API
is
a
and
a
network
ish
endpoint
that
you
can
talk
to
oftentimes.
Will
we
see,
at
least
in
the
UNIX
world,
is
that
this
will
be
a
bind.
A
This
will
be
a
UNIX
domain
socket,
which
is
a
way
to
actually
talk
between
programs
that
doesn't
involve
tcp/ip
and
using
kernel
mechanisms.
You
can
actually
figure
out
who's,
calling
so
we'll
get
to
some
of
that
here,
but
this
is
essentially
a
way
for
the
program
to
wake
up
access.
An
API
say:
Who
am
I,
give
me
proof
of
that
and
then
move
on
its
way,
and
so
there's
no
configuration
that
that
is
that
that
can't
be
automatic
here
around
this
okay.
A
So
that
is
the
three
things
and
there's
here's
what
that
API
looks
like
explicitly.
So
those
are
the
sort
of
the
three
parts
of
what
we
have
so
who
are
you,
which
is
the
spiffy
ID?
How
do
we
encode
that
into
some
sort
of
cryptographic?
Proof
and
then
how
do
we
deliver
that
to
the
workloads
that
the
workload
can
automatically
discover
those
infer
that
information
from
its
environment?
A
Okay-
so
that's
what's
50
is
that's
all
it
is
now.
What
we
find
is
that
some
of
the
service
meshes
out
there
actually
do
implement
spiffy
they'll
use
the
spiffy,
ID
and
they'll
use
the
S
fit
specs
to
be
able
to
actually
represent,
and
so
this
actually
gives
us
hope
that
we
at
some
point
can
start
breaking
down.
Walls
between
service
messages
have
them
communicate
directly,
in
that
case,
where
they
actually
have
some
strong
identity
with
them.
A
So
yes,
so
now
spire
is
the
idea
of
how
do
we
implement
this
workload
API
and
it's
actually
a
lot
harder
than
it
looks,
because
what
we
want
to
be
able
to
do
is
have
a
program
start
up
and
know
that
we're
giving
it
the
right
ID
and
be
able
to
trust
all
the
way
down
to
hardware,
potentially
that
the
right
program
gets
the
right
idea
at
the
right
time,
based
on
the
policies
that
we're
presenting
and
that's
really
where
spire
comes
in.
Ok,
so
so
so
spire.
What
it
essentially
does
is.
A
It
runs
a
server.
It
runs
an
agent
on
each
node
and
and
then
the
workloads.
You
can
talk
the
spiffy
workload
API
to
that
agent
and
say
Who
am
I
what
should
I
get
and
then
this
server
actually
makes
the
decision
of
which
workloads
get
which
identities
and
how
do
I
know
across
the
network
that
these
that
nobody's
lying
to
me.
So
there's
a
real
sort
of
secure
angle
to
this.
A
Let's
see
and
so
Andrew
saying
here
that
the
SEO
project
is
working
with
the
spiffy
folks
such
that
we'll
be
able
to
implement
Federation
between
spire
and
STL,
which
is
really
exciting
stuff.
So
the
core
problem
here
really
comes
down
to
one
of
attestation
and
secure
introduction
as
to
machines
come
up
on
a
network.
How
do
they
establish
bi-directional
trust
between
each
other,
and
this
is
actually
a
super
duper
hard
problem
and
every
time
you
start
boiling
this
down,
there
ends
up
being
a
leap
of
faith
at
some
point
right
so
think
about
it.
A
A
There
ends
up
being
a
leap
of
faith,
and
so
what
the
goal
out
of
something
like
spire
is
to
make
that
leap
of
faith
be
as
explicit
as
as
possible.
So
Gustavo
says
this
is
the
infamous
James
James
Jason
Bourne
security
model,
essentially
like
so
one
of
the
things
that,
like
you
know,
folks
talk
about,
is
that
you
can
have
this
like
security
thing
called
a
TPM,
a
trusted
platform
module.
What
does
it
stand
for,
which
is
essentially
a
piece
of?
Is
it's
a
cryptographic
coprocessors
that
can
be
embedded
in
your
computer?
A
A
So
this
is
a
really
hard
problem,
but
the
idea
is
that,
like
if
we
do
establish
secure
introduction
between
two
machines,
let's
leverage
the
hell
out
of
that.
If
we
have
a
trust
model,
instead
of
actually
having
to
do
sort
of
like
say
when
you're
installing
you
know
the
any
sort
of
distributed
system,
if
you
have
spiffy
installed
first,
if
you
have
spiffy
providing
you
that
chain
of
trust,
then
you
can
use
that
to
actually
bootstrap
trust
between
modules.
This
could
be
the
kubernetes
control
plane.
This
could
be
things
running
on
top
of
kubernetes.
A
A
But
the
idea
is
that,
based
on
policy
in
the
server
based
on
these
adaptations,
we
can
deliver
essentially
identity,
all
the
way
down
to
the
workload
that
can
be
routed
and
hardware.
Okay,
I
am
doing
a
lot
of
talking
here,
let's
go
through
and
actually
try
and
make
this
stuff
work
on
kubernetes
because
we
have
I'm
running
a
kind.
Cluster
Spire
does
have
some
tutorials
for
getting
stuff
working
on
kubernetes
and
Andrew,
and
the
team
over
at
Scytale
and
part
of
this
50
inspire
project
we're
working
hard
to
make
sure
that
this
stuff
actually
worked.
A
So
we
are
going
to
be
good
to
go
and
then
there's
so.
This
is
the
overview
and
I
know
that
there's
some
documentation
improvements
that
the
team's
going
to
be
working
on
moving
forward.
So
the
server
state.
Ok,
so
we're
going
to
run
a
stateful
that
runs
in
the
kubernetes
worker
node.
That's
used
for
running
the
spire
server,
the
agents
run
as
a
daemon
sent
on
every
kubernetes
worker
load,
worker,
node
and
then
everything's
created
in
spire.
We
have
the
spire
server
in
this
buyer
agent.
A
The
agent
uses
host
path
to
buying
mount
for
sharing
the
agents,
api's
UNIX
domain
sockets
with
application
containers
and
we'll
examine
that
as
we
get
there
and
then
all
the
configuration
is
done
via
kubernetes
config
Maps.
The
container
images
for
spire
contain
only
binary,
so
that
seems
good,
ok.
So
what
we
have
here
is
that
we
have
a.
We
can
clone
a
bunch
of
yamo
files
here
versus
downloading
them,
so
we're
gonna
do
this.
Ok,
what
I
have
here
is
I
have
a
kind
cluster
of
no,
not
dr.
nodes.
A
A
A
Alright?
So
so
we
got
that
and
then
we
want
to
do
a
git,
clone,
spire
tutorials
and
then,
if
I
launch
this.
What
we
can
see
here
is
that
we
have
a
bunch
of
kubernetes,
manifest
that
we're
gonna
go
through
and
see
what
they
actually
do.
Ok,
so
the
first
thing
that
we're
going
to
do
here
is
we're
going
to
create
the
namespace,
so
we're
gonna.
Do
a
cap.
A
A
A
We're
gonna
do
we're
gonna
start
with
the
fire
namespace,
okay,
so
that's
just
creating
the
namespace
okay,
so
by
default,
private
keys
and
registration
entries
and
some
other
metadata
end
up
being
stored
into
that
into
that
persistent
volume.
And
then
you
can
configure
a
separate
data
store
or
CA
rather
than
use
one
the
default
line.
So
there's
a
lot
of
configuration
going
on
here,
so
we
have
the
namespace
going
on.
A
A
Server
account
okay,
so
this
is
just
that
okay,
so
these
things
are
really
broken
down.
I'm
gonna
do
CDs
fire
tutorials
into
super
granular
llamó
files.
So
that's
so
so
suggestion
to
the
to
the
to
the
spire
folks
is
that
it
might
be
worthwhile
to
actually
sort
of
bring
some
of
these
things
together
so
that
you
can
do
a
single
yamo
file
to
apply
these
things
account.
A
You
know
there
we
go
okay,
so
we
got
that
and
then
we
end
up
with
a
config
map.
So
this
is
the
server
bundle,
config
map
role
in
cluster
role,
binding
okay,
so
the
the
cluster
role
and
the
role
binding.
Let's
look
at
the
cluster
role.
What
are
we
given?
This
we're,
giving
it
a
token
review
permission
and
then
the
ability
to
patch
get
in
list
config
maps
and
then
the
role
binding?
A
It's
a
cluster
role
binding.
So
one
of
the
things
that
we're
getting
out
of
this
is
that
this
thing
can
actually
read
any
config
map
across
your
cluster
and
I'm
wondering
why?
Maybe
it's
because
we're
not
using
CR
DS
here
I
think
this.
Some
of
this
stuff
really
predates
CR
DS.
For
this
type
of
thing,
and
so
it
might
be
worthwhile
to
think
about
what
would
this
look
like
with
CR
DS,
but
I
think
you
know
using
a
using
a
config
map
instead
of
a
CR.
A
D
is
not
a
crazy
way
to
go,
and
then
token
review
is
a
way
to
it
allows
us
to
make
the
the
the
kubernetes
a
test
or
actually
work
well,
we'll
probably
have
to
trace
through
that
a
little
bit
server,
trust,
binding,
okay,
so
server
trust,
binding
check
out
server
trust
binding.
Where
is
that
the
name
of
the
file?
A
Cluster
right
and
this
will
create
both
of
those
boom.
Okay
and
then
the
next
thing
we're
gonna
be
doing.
Is
this
config
map?
Let's
look
at
this
okay,
so
this
ends
up
being
a
server
comp.
This
language
looks
like
it's
HCl.
Is
this
an
HCl
variant?
It
looks,
or
is
this
something
that
you
all
rolled
your
own.
A
You're
binding
this
registration
path,
so
there's
a
bunch
of
stuff
here,
I
think
I'm
gonna
ignore
a
lot
of
this.
One
of
the
things
that
we're
seeing
here
is
s.
Vid
TTL
is
one
hour.
One
of
the
goals
out
of
out
of
spiffy
was
to
make
everything
API
driven
so
that
we
can
be
continually
reassuring
and
rotating
certificates
oftentimes
in
production
systems.
You'll
rotate
your
secrets,
maybe
once
a
month,
if
you're
actually
really
good
about
it.
A
When
we
look
at
let's
encrypt
it
makes
you
rotate
your
your
your
stuff
every
three
months.
The
goal
here
is:
if
we
make
this
automatic
enough,
we
can
rotate
every
hour
and
when
you're
rotating
every
hour,
you
end
up
with
a
a
there's,
a
tunable
here,
which
is
how
long
do
you
want
to
be
able
to
have
things
continue
to
talk
to
each
other?
A
Even
if
your
control
plane
is
down
versus
how
fast
do
you
want
to
be
able
to
aged
out
any
sort
of
leaked
credentials
or
any
sort
of
compromised
credentials
and
so
being
able
to
say
you
know
what
I
can
turn
that
dial
anywhere
I
want?
It's
a
really
great
property
of
this
API
driven
thing.
Okay,
and
so
here
we're
saying
the
CA
subject
is
just
spiffy
the
plug
in.
We
have
a
sequel,
Lite
datastore
here
that
gets
stored
into
that
persistent
volume.
A
A
We're
going
to
be
using
the
kubernetes
token
review,
API,
which
essentially
the
ax
tester.
That
we're
saying
is
that
if
somebody
has
access
to
a
specific
identity
in
kubernetes,
then
we're
going
to
use
and
they'll
present
to
us
a
jot.
We
can
then
use
that
job,
give
it
to
the
token
review.
Api
that
token
review
API
will
validate
it
and
then
we're
essentially
using
kubernetes
to
establish
trust
in
this
particular
case.
But,
as
you
get
more
advanced
with
spire,
you
can
actually
change
your
sort
of
root
of
trust
into
something
that
I
thought.
A
A
Yes,
this
is
the
hash
of
cork
config
language
that
we're
talking
about
here:
node
resolver,
no
op
key
manager
disk.
So
this
means
we're
running
stuff
on
disk
and
then
the
gates
bundle,
notifier,
I,
don't
know
what
that
is,
but
we'll
figure
that
out,
okay,
so
I
changed.
The
was
I
write
to
change
the
let's
see.
Do
we
say
the
config
map,
okay,
so
and
twice?
A
Isn't
that,
where
the
agent
server
share
the
same
cluster
aspire
can
be
configured
to
automatically
generates
these
certificates
on
a
periodic
basis
and
update
the
config
map
with
contents
of
the
certificate
to
do
that,
the
server
needs
the
ability
to
get
in
patch
a
config
Mac
object
in
the
spire
namespace.
So
we
have
the
config
map.
We
do
that
trust
role,
and
so
this
aspire.
Oh,
that
was
I'm
looking
at
the
wrong
one.
This
is
fire
bundle
config
there
we
go
okay,
and
this
is
okay.
A
The
spire
bundle
config
map,
okay,
so
we're
gonna
create
a
blank
blank
config
map
there,
okay,
and
so
we
did
that
now
the
server
config
map
the
server
can
is
configured
in
the
kubernetes
config
map,
blah
blah
blah,
which
specifies
a
number
of
important
directories
to
create
it.
We
do
that
I
renamed.
It
am
I
getting
the
problem
with
renaming
it
we'll
see
and
then
we'll
go
through
and
that
server
config
map.
A
That's
the
thing
that
I
just
modified
so
we're
good
to
go,
and
then
we
create
a
stateful
set,
deploy
the
server
by
applying
the
configuration
server.
Stateful
set.
Ok,
so
we're
gonna
do
something
a
little
bit
interesting
here.
What
are
we
gonna?
Do
we're
gonna
I'm
gonna,
look
at
the
did.
I
save
this!
Oh
yeah
I
did
okay,
so
we
have
server
stateful
set
okay,
so
we're
doing
one
replica
just
remember:
to
set
the
cluster
name
before
deploying
the
agent
config
map.
Okay,
so
we'll
do
the
same
thing
in
the
agent
config.
A
Now
so
here's
we're
saying
here's
where
the
config
map
is
here.
We
have
some
volume
mounts
and
stuff,
there's
a
health
check,
all
sorts
of
good
stuff,
and
then
we
have
the
volume
claim
templates
called
spire
data,
a
read,
write
mode.
So
here's
what
I'm
gonna
do
is
I.
Think
I
want
to
run.
I
want
to
run
this
on
my
control,
plane,
node,
because
the
way
there's
a
issue
with
kind
with
persistent
volumes
that
I
believe
if
the
volume
actually
the
volume
will
only
be
available
on
one
node.
A
A
A
A
A
A
A
Wait
we're
looking
in
yeah,
so
it's
actually
running
woohoo
Bradley
how's
it
going
thanks
for
joining
us.
Okay.
So
now
we
have
the
the
server
running
and
we
created
the
stateful
set.
We
got
the
config
volume
and
the
data
volume
for
the
sequel
like
database
and
stuff,
we'll
create
the
service
yeah.
So
we
could,
you
guys
are
super
verbose
about
this
stuff.
Most
people
are
like
just
run.
This
yamo
file,
we're
all
good
okay,
so
this
is
actually
gonna,
create
a
spire
bundle,
config
map.
What
Aspire
bundled
wait?
Why
did
I
do
the
wrong
thing?
A
Their
server
service?
Where
did
this
fire
bundle?
Config
map
come
from,
did
I
not
run
that
before
did
I
forget
to
run
that
okay
but
anyways.
So
this
is
a
node
port
service,
4G
RPC
for
the
spire
server.
So
that
means
that
we
can
hit
this
from
the
outside.
Also,
it
probably
doesn't
need
to
be
a
node
port,
but
I
think
we'll
probably
be
fine,
so
we're
good
to
go
there.
Oh.
A
A
A
A
A
Authorization
or
access
management
is.
What
can
you
do
and
so
we're
really
just
about?
Who
are
you
and
then
the
idea
of
like
what
you
can
do?
Well,
there's
a
gazillion
ways
to
actually
solve
that
problem,
and
so
this
would
actually
go
through
and
be
complimentary
to
something
like
OPA,
because
this
ends
up
being
a
critical
key
into
some
sort
of
access
policy.
A
Ok,
so
we
got
that
and
so
we're
gonna
do
the
account
cluster
role.
Config
daemon
set,
and
we
should
be
up
and
running
the
daemon
set.
We
we
we
also
want.
We
want
to
run
the
daemon
set.
Let's
see,
spec
containers
volumes,
we
probably
want
to
have
the
taint
the
Toleration
on
this.
Also
do
you
want
to?
We
probably
want
to
run
the
daemon
set
on
on
the
same
on
every
node?
Ok,
so
let's
go
ahead
and
do
that.
A
A
A
Agent
config
map
and
agent
Damon
said
okay,
and
this
is
what
we
expect.
So
we
have
the
cluster
role,
the
cluster
role
binding.
Oh,
we
didn't
actually
check
out
the
cholesterol.
What
does
it
actually
do?
Agent
cluster
role?
It
gives
you
access
to
pods
nodes
and
nodes
proxy
so
that
you
can
get
so
the
nodes
proxy
essentially
I,
wonder
what
that
does.
What
does
that
actually
do?
But
it
lets
you
like
list,
notes,
get
notes
and
pods
read
information
about
stuff.
A
So
this
is
a
way
so
that
the
agent
can
actually
buy
believe
and
correct
me
if
I'm
wrong,
the
agent
actually
can
go
through
and
talk
to
kubernetes
to
understand
which
pods
are
running
on
which
nodes,
and
so
if
some
process
actually
comes
through
and
says,
hey
I'm,
you
know
I,
you
know
I
think
I
should
be.
You
know,
identity
fubar.
A
This
thing
should
be
like
no
you're,
not
you're,
not
actually
on
this
particular
node.
So
this
is
how
actually
no
no.
This
is
how,
when
a
workload
talks
to
the
workload
API,
the
I
believe
this
actually
lets.
The
spire
agent,
then
figure
out.
Oh
you're
now
part
of
this
pod
and
then
it's
up
to
the
rules
from
the
from
the
from
the
server
to
be
able
to
actually
bootstrap
that
up
into
a
real
identity.
A
A
A
A
A
A
A
A
A
A
Cool
so
now
we
can
debug
this,
and
so
this
is
essentially
the
certificate.
The
CA
u.s.
Biffy
were
up
into
the
open
to
the
right
here:
okay,
cool
all
right.
So
now,
by
this
time
we
should
have
Q
control
ends
by
our
get
pods
everything's
running
we're
up
and
running
awesome,
very
cool,
okay.
So
now
so
now
we
essentially
have
spiffy
installed.
A
Let's
see
we're
going
to
be
going
through
and
in
order
to
enable
spiffy
to
perform
workload
attestation,
we
need
to
create
a
registration
entry
for
the
nodes
best
to
find
the
spiffy
ID
to
allocate
the
node.
And
so
let's
go
ahead
and
run
this
so
we're
going
to
essentially
login
to
the
spire
server
and
run
a
command
locally
they're
telling
it
to.
A
A
A
The
side
steps
the
issue
of
like
how
do
I
thought.
You
know
this
could
be
a
Web
API
within
that
as
like.
Well,
how
do
I
assign
ik
eight
to
the
thing?
That's
actually
providing
authentication,
so
I
think
there's
just
this
assumption
that
if
you
can
actually
log
in
there
and
communicate
with
it-
and
it
says
that
the
spire
server
right-
ok,
so
let's
actually
copy
this
into
vs
code,
because
we're
going
to
be
modifying
stuff
all
right.
So.
A
A
Let's
see
the
there
in
the
spire
namespace
and
the
they
have
access
to
the
spire
service
account
is
that
is
that
right,
that's
I
think
what
we're
saying.
Ok,
so
we're
gonna
go
ahead
and
we'll
paste
that
so
the
entry
ID
we
get
a
good
there.
Ttl
3,600
is
that
for
rotation,
I,
assume
and
now.
Okay,
so
so
that's
cool
and
then
we're
gonna
do
another
one
for
the
workload
now.
The
idea
is
that
some
of
this
stuff
can
be
automated.
There's
sort
of
a
lot
of
flexible
policy
here
based
on
these
selectors.
A
So
now
we're
actually
do
the
same
thing
and
we're
gonna
say
that
the
default
default
service
account
gets
mapped
in
ok.
So
if
you
are
in
the
default
namespace
with
the
default
service
account,
then
you
get
access
to
a
spiffy.
Id
called
this
ok,
and
so
you
could
run
another
helper
agent
that
essentially
synchronizes
data
from
kubernetes
into
spire.
We're
not
running
that
right
now,
so
we
have
to
do
these
things
these
mappings
manually,
and
now
we
can
configure
a
workload
to
access
spire,
and
so
we
have
client
deployment
here.
A
A
Okay,
we're
running
the
spire
agent
container,
but
all
we're
running
is
sleep,
so
this
is
like
just
a
random
container
that
has
some
tools
on
it:
okay,
we're
not
actually
running
the
agent
and
then
one
of
the
things
that
we're
doing
is
we're
mapping
in
the
this
host
path
directory.
Now
this
is
the
type
of
thing
that
you
could
set
up
some
sort
of
policy,
some
sort
of.
A
Some
sort
of
admission
controller
that
would
automatically
inject
this
into
all
your
workloads,
because
this
is
the
thing
that
we're
going
to
connect
to
to
actually
talk
the
workload
API
all
right.
So
this
looks
totally
reasonable.
You
control
apply,
wait,
let's
go
here,
keep
control
apply
client
to
plumbing.
This
is
gonna
run.
A
A
A
Let's
see
if
the
agent
is
not
running,
you'll
see
an
error
message
such
as
connection
refused.
If
the
agent
is
running,
you'll
see
a
list
s
vids,
oopps
fires,
the
prompt
string,
okay,
that
confused
me
okay,
so
this
is
what
we're
doing
there.
Okay,
so
we're
saying
we're
calling
spire
agent
API
fetch.
This
is
a
utility
where
the
socket
path
is
this
okay,
and
what
this
is
doing
is
this
is
essentially
making
a
G.
Rpc
call
saying
give
me
my
yes
Fitz
and
what
we're
getting
is.
A
A
The
question
is:
how
do
you
actually
go
ahead
and
use
this,
and
so
I
think
you
know
we're
running
out
of
time
here
so
I
don't
want
to
actually
go
too
deep
on
this,
but
I
think
the
next
thing
would
be
here
is
how
can
I
actually
go
through
and
write
a
write,
a
program
that
can
actually
take
advantage
of
this
in
some
real
way
and
I'm
wondering?
If
do
we
have
any
examples
of
applications
that
take
advantage
of
this.
A
A
A
A
There's
apk
openness,
so
there
we
go
okay,
okay,
we
got
that
now,
okay,
cool,
so
now
we
can
actually.
So
we
have
a
bunch
of
stuff
here,
so
we
have
bundle
PEM.
So
this
is
actually
going
to
be
the
same
sort
of
root
certificate
that
we're
talking
about
right,
so
OpenSSL.
What
was
the
command
that
we
actually
did
x.509
and
bundle
text,
so
this
is
essentially
the
the
root
certificate
that
we're
talking
about,
and
then
oh
and
the
interesting
thing
here
is
that
there's
actually
a
this
is,
for
example,
data
work.
A
This
is
where
things
get
interesting,
because
now
we
actually
essentially
have
a.
We
have
a
certificate
that
says:
okay,
this
is
who
we
are
so
we're
actually
using
the
subject:
alternative
name
stone.
So
there's
a
lot
of
sort
of
compatibility,
hacks
here
to
actually
make
this
work
with
x.509,
because
x.509
is
like
super
generic.
A
You
can
do
a
lot
of
stuff
with
it,
but
a
lot
of
the
libraries
that
actually
work
with
x.509
are
really
problematic,
and
so
one
of
the
things
that
we
could
do
here
is
that
we
could
use
this
certificate
as
the
client
certificate
when
establishing
a
mutual
TLS
connection
to
some
other
server.
So
we
could
actually
take
this
certificate
here
then,
and
the.
A
A
So,
let's
see
what
else
do
we
have
here
so
that
I
think
is
is
is
as
far
as
we
can
actually
get
today.
I
think.
The
interesting
thing
here
is
that
at
this
point,
from
the
workloads
point
of
view,
you
could
have
a
library
that
makes
it
really
easy
to
establish
connections
using
these
IDs.
So
that's
one
thing
that
you
can
do.
A
The
next
thing
you
can
do
is
that
you
can
actually
go
through
and
you
could
make
this
available
to
some
sort
of
proxy,
but
that
would
be
a
proxy
that
you
control
it
wouldn't
be
part
of
a
service
mesh.
So
it'd
be
something
that's
very
specific
to
you
that
implements
the
ability
to
actually
be
able
to
represent
this.
A
This
type
of
certificate
on
both
sides
and
and
then
the
mapping
of
sort
of
like
which
IDs
do
you
want
to
use
spiffy,
also
allows
you
to
have
multiple
IDs,
and
so
that
way
you
can
actually
present
with
some
IDs
to
some
folks
and
some
IDs
to
other
folks,
which
also
gives
you
flexibility
when
you're
deploying
this
into
production.
So
hopefully
that
gives
everybody
a
good
outline
of
sort
of
what
spiffy
is.
We
got
a
certificate.
A
I
think
you
know
a
suggestion
for
the
spiffy
folks
is
that
it
would
be
great
to
get
to
the
point
where
and
I
know
you
all
have
done
this
in
the
past,
where
you
essentially
are
maybe
running
like
an
Aston
thing
between
two
pods,
where
they're
actually
representing
who
they
are.
That
would
actually
be
yeah
they're
a
tutorial
okay,
so
you
have
a
tutorial
with
spire
with
envoy
and
how
this
works
as
a
okay,
so
that
the
the
the
URL
didn't
come
through.
So
oh
here
we
go
no.
A
Is
that
yeah
the
URLs
get
blacklisted
in
the
chat?
That's
one
of
the
downsides
for
this
unless,
unless
there's
another
way
to
get
it
to
me,
yeah
so
envoy
actually
speaks
a
different
protocol.
So
there's
this
thing
called
the
spiffy
envoy
agent
that
essentially
talks
the
workload
API
to
spiffy
and
then
actually
exposes
this
thing
called
SDS
to
envoy.
A
So
that's
a
sort
of
translator
there
for
that
stuff.
Okay,
so
there's
a
D
there's
a
okay,
here's,
a
sort
of
detailed
thing
on
sort
of
how
to
actually
sort
of
do
this
type
of
thing.
So
that's
actually
pretty
cool
all
right.
So
I'm
gonna
put
that
in
the
notes
here.
I
think
it's
probably
too
much
to
actually
get
into
this
right
now.
A
A
A
A
Is
the
world
we're
living
in
trying
to
give
me
a
second
here,
I'm
trying
to
remember,
sell,
implement
a
and
go,
and
if
you
look
at
I
believe
there's
validate
I,
don't
know,
I
have
to
find
it,
but
but
if
you
start
looking
at
the
the
implementation
for
go
and
TLS
and
I
forget
which
package
it's
in
it's,
it's
hilariously
sort
of
like
some
of
the
comments
in
these
things.
So,
let's
see
if
we
can
actually
go
and
look
at
that.
A
A
This
is
I,
think
just
sort
of
the
the
best
example,
in
my
mind,
of
where
we
see
these
things.
This
is
like
the
the
comment
that
shows
the
history
of
just
like
why
this
stuff
is
busted
and
so
there's
a
bunch
of
places
across
all
of
like
there's
XO
x.509
as
it's
specified
and
then
there's
x.509
and
web
PKI
in
the
real
world
and
those
things
do
diverge
and
it's
kind
of
unfortunate.
A
A
A
A
A
A
It
maps
the
process
ID
to
the
container,
slash
pod.
So
we
can.
Then
the
spire
agent
can
now
know
hey.
This
particular
process
is
part
of
this
pod
and
once
it
does
that
it
can
then
attest
to
the
spire
server.
Hey
I
grovelled
around
I
talked
to
the
kernel.
I
know
the
person
I'm
talking
to
right
now.
I
can
attest
that
they
are
part
of
this
particular
pod
and
then
those
rules
that
we
actually
put
into
the
spire
server
essentially
say.
Well
anybody
who's
part
of
this
pod
gets
access
to
this
particular
namespace
so
like.
A
If
you
are,
if
you're
in
a
pod
and
that
pod
has
access
to
this
service
account,
then
we're
going
to
give
you
access
to
this
particular
spiffy
ID,
and
so
it's
that
sort
of
bootstrapping,
of
like
the
spire
agent,
knew
that
who's
calling
based
on
actually
talking
to
the
Linux
kernel,
talk
to
the
kubernetes
api
cubelet
api
to
be
able
to
map
that
to
a
pod
and
then
told
the
server
about
that.
And
then
the
server
said
well
based
on
rules.
A
I
have
I'm
going
to
give
you
this
ID,
and
so
you
end
up
with
sort
of
this
chain
of
mappings
to
be
able
to
actually
select
who
should
get
which
IDs
and
it's
an
incredibly
flexible
system
for
how
you
actually
assign
a
date
IDs.
It
works
both
inside
of
kubernetes,
but
there's
also
a
tutorial
that
you
saw
as
I
was
paging
around
where
this
can
work
with
Linux.
A
You
can
use
something
like
you
know:
kubernetes
api
service
account
access
to
be
able
to
attest,
who
you
are
from
the
node
level,
or
you
can
use
ec2
metadata
where
you
can
use
TPM.
So
there's
like
there's
a
bunch
of
options
to
actually
continually
lock
this
down
and
have
this
apply
to
a
lot
more
tuitions
beyond
just
kubernetes
okay,
so
that's
I'm
gonna
wrap
up
here.
So
that's
about
an
hour
and
a
half,
hopefully
I
that
made
sense.
This
is
a
pretty
deep
topic.
A
A
Spire
is
getting
much
more
mature,
I'm
gonna
be
really
interested
to
see
if
we
can
actually
start
having
this
appear
in
more
programming
frameworks
and
more
systems
like
kubernetes
itself,
but
also
other
places
that
need
to
do
this
and
I
think
this
could
be
a
primitive
that
helps
us
to
start
teasing
apart
those
different
aspects
of
a
service
mesh.
So
that
they
can
actually
be
used
in
in
more
flexible
ways,
so
that
is
some
pretty
deep
stuff
there,
but
hopefully
useful
for
folks.
A
Thank
you
for
everybody
that
stuck
with
me
and
I
will
see
you
next
week,
I'm
hoping
next
week
that
I
know
the
queue
folks
for
the
configuration
language
they've
been
working
on
doing
some
some
better
documentation,
hopefully
they're
ready
for
me
to
be
able
to
do
Q.
If
so,
that's
that's
something
that
I'd
be
looking
forward
to
doing
next
week.
All
right,
everybody
have
a
good
weekend
and
I
will
see
you
later.