Am I me? Are you you? The existential crisis of containers, not of Camus, and SPIFFE
Grade 9 French. Assigned Albert Camus' "L'Étranger" to read. We all came back as one and had understood the words but not the meaning. Hippy french teacher then decides we really needed to understand existentialism. A few lessons later, tl;dr: something about a beach?
There is a crisis of identity in the highly-orchestrated field of containers (e.g. Kubernetes). They come and go, willy nilly. The number is fluctuating up and down. Firewalls are nigh impossible so one must just trust that the client, the server, are who they say they are. IP's are private, so you are not able to use public CA infrastructure like Let's Encrypt. Sure you can run your own CA, but that is hard. Even harder is mutual TLS, knowing the originator is also who they say they are.
Lets think about this in the real world. Your phone rings, its your bank. There's been some suspicious activity on your account. Before they can talk more they need to verify you are the account holder. Except, how do you know its your bank?
Now imagine that you are one of a large pool of itinerant workers who share this bank account, and, that the bank is actually an ever changing set of corporations buying/selling your account to each other, and moving their call-centre around the world. So you can't know each other, you are each always changing. Sounds tough right?
Enter SPIFFE. You secretly knew technology was the answer to this problem right? Its a standard that:
Distributed design patterns and practices such as microservices, container orchestrators, and cloud computing have led to production environments that are increasingly dynamic and heterogenous. Conventional security practices (such as network policies that only allow traffic between particular IP addresses) struggle to scale under this complexity. A first-class identity framework for workloads in an organization becomes necessary.
Further, modern developers are expected to understand and play a role in how applications are deployed and managed in production environments. Operations teams require deeper visibility into the applications they are managing. As we move to a more evolved security stance, we must offer better tools to both teams so they can play an active role in building secure, distributed applications.
The Secure Production Identity Framework For Everyone (SPIFFE) standard provides a specification for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries. At its heart, SPIFFE is:
- A standard defining how services identify themselves to each other. These are called SPIFFE IDs and are implemented as Uniform Resource Identifiers (URIs).
- A standard for encoding SPIFFE IDs in a cryptographically-verifiable document called a SPIFFE Verifiable Identity Document or SVIDs.
- An API specification for issuing and/or retrieving SVIDs. This is the Workload API.
In a nutshell it allows each end of a conversation to identify who they are, and assert what they can do, in a safe, verifiable way.