SlideShare une entreprise Scribd logo

SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

Preferred Networks
Preferred Networks

In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts the identities of them. This talk describes how SPIRE implement this process and make it flexible. Moreover, it explains the detail of how spire-server and spire-agent (running at a node) interacts in the attestation process.

Logiciels
1  sur  26
Télécharger pour lire hors ligne
Shingo Omura, Preferred Networks, Inc. SPIFFE Meetup Tokyo #2 2019-10-02 Attestation Internals in SPIRE Icons made by Freepik from www.flaticon.com 💚

Shingo Omura ● ML Platform Engineer, Preferred Networks, Inc. ○ On-Prem GPU(2000+) k8s clusters ○ kubernetes org member (sig-scheduling) ○ kubeflow contributor ● @everpeace
Recap: SPIFFE Standardizations • SPIFFE ID − identity namespace and defines how services identify themselves to each other • SVID (SPIFFE Verification Itenditity Document) − defines verifiable representation of issued identities (in X.509 and JWT format) • Workload API − defines API for issuing and/or retrieving another workload’s SVID
example of SPIFFE ID based authentication spiffe://dev.acme.com/payments/web scheme=spiffe Trust Domain Path Recap: SPIFFE ID spiffe://dev.acme.com/payments/api spiffe://dev.acme.com/payments/db
Recap: SVID (SPIFFE Verification Identity Document) Icons made by Freepik from www.flaticon.com Trust Domain (spiffe://dev.acme.com/) As Signing Authority • consists of – SPIFFE ID – valid signature – public key(optional) • supported format – X509-SVID, JWT-SVID • typically short-lived SVID SPIFFE Bundle Provides Trust Bundle • used for validating SVIDs • contains a trust domain's public keys or X.509 CA certificate in JWK Set format
SVIDResponse Recap: Workload API WorkloadAPI Workload (Src) ● grpc with unix domain socket (aka Workload API Endpoint) ● no authentication for avoiding bootstrapping Transport SVIDRequest Icons made by Freepik, photo3idea_studio, Pixel Buddha from www.flaticon.com SVIDs Workload (Dst) SPIFFE Bundles SVIDRequest SVIDResponse verify src SVID by SPIFFE Bundle Identify the Caller - kernel introspection - orchestrator interrogation may contain Federated Bundles (bundles for other trust domains)
Overview of SPIRE: SPIFFE Runtime Environment Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server Node API Registration API ● Identity Mapping ● Node Attestation ● SVID IssuanceCLI API ● Workload Attestation ● Workload API
● workload identities must be registered first ● entries defines a mapping of workload <--> SPIFFE ID via workload selectors ● entries has hierarchy. note that this hierarchy is independent to one of SPIFFE ID’s path Identity(Workload) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/payments/web Parent ID spiffe://dev.acme.com/k8s/cluster/foo Selectors k8s:ns:payments k8s:sa:payment-web k8s:container-image:payments Workload Registration Entry of /payments/web Icons made by Freepik from www.flaticon.com type value
Identity(Node) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/k8s/cluster/foo Parent ID spiffe://dev.acme.com/ Selectors k8s_psat:custer:foo k8s_psat:agent_ns:spire k8s_psat:agent_sa:agent Node Registration Entry of /k8s/cluster/foo ● node identities registration enables to assign one workload SPIFFE ID across multiple nodes ● registration entries defines a mapping of node(agent) <--> SPIFFE ID via node selectors
What is Attestation in SPIRE? Attestation is the process of certifying that something is true. spire-server spire-agent Workload API Work load Node API Node Attestation • verifying the identity of the node the workload is running on • runs when booting spire-agent Workload Attestation • verifying the workload on the node
Overview: How SPIRE issue SVIDs spire server spire agent Work load 1. register entries 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity Icons made by Freepik from www.flaticon.com 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
Node Attestation Internals (based on version 0.8.1) spire server spire agent 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity
Node Attestation • Both server & agent participate in node attestation • Only one node attestor can be configured in spire agent – multiple node attestors can be configured in spire server • Node attestor is pluggable – join_token, aws, azure, k8s, etc. (supported plugins list) spire serverspire agent Node Attestor Plugin Node Attestor PluginNode Attestor PluginNode Attestor Plugin
Before: Node Attestation Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-server CLI API
Node Attestation Internals (based on version 0.8.1) spire serverspire agent Booting... … Booted Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com 0. generate key-pair for this node 1. plugin makes proof of the node identity 2. make certificate signing request 3. send node identity and signing request 4.1 perform challenge & response in arbitrary number of rounds 5. issue node SVID (sign the signing request) CA’s key pair SPIFFE Bundle 6. send node SVID transport is secured by using upstream CA 4. verify the proof 4.2 issue node SPIFFE ID and its selectors
Example of AWS Node Attestor Plugin spire serverspire agent AWS Node Attestor Plugin AWS Node Attestor Plugin Instance Identity Document SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID} Selectors AWS Node Resolver Plugin aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... instance metadata service Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
mTLS with node SVID spire server Sync all the registration entries match ● selectors of the node SVIDs ● and their descendants ● (subset match included) Completing Agent Bootup Icons made by Freepik from www.flaticon.com spire agent node(base) SVID (/aws_iid/acct/reg/instanceID) Node SVID Rotator refresh when rotatedrotate SVID/Bundle/ RegistrationEntries Synchronizer /aws_iid/acct/reg/instanceID aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... /cluster/payments MATCH! /payments/api /payments/web /payments/db entries
After: Booting Up Agent Completely Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API spire-agent Workload API spire-server CLI API
Workload Attestation Internals (based on version 0.8.1) spire server spire agent Work load kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
entries Workload Attestation • Only agent participates in workload attestation – synchronizer is responsible for fetching workload SVIDs/Bundles • Multiple workload attestors can be configured in spire agent • Workload attestor is also pluggable – unix, docker, k8s etc. (supported plugins list) spire agent Workload spire server Worload Attestor Plugin Worload Attestor Plugin Worload Attestor Plugin WorkloadAPI
Before: Workload Attestation Completed Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
Workload Attestation Internals (based on version 0.8.1) spire server spire agent Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com Synchronizer mTLS with node SVID entries Work load kernel/orchestrators (e.g. kubelet/docker) Worload Attestor Plugin WorkloadEndpoint(unixsocket) 0. attestation request 1.2 obtain workload info 2. request syncing entries matched to merged selectors 3. request to issue their SVIDs (synchronizer generates key-pairs) 1.1 each attestor verify workload identity (pid) and transform it to selectors 4. matched SVIDs & Bundles unix:uid, unix:gid docker:image_id, docker:label k8s:ns, k8s:sa, k8s:pod-name etc. 1. attest in all attestors
Ready to Authenticate Workload Each Other!! Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
Quick Start • Rercommended: SPIRE101 in spire repo – you can try spire environment in docker-compose • !!CAUTION!! – this does NOT work on 0.8.1 or later – this works in 0.8.0 – ref: spiffe/spire#1155
Custom Attestation Plugin? • Just implementing several interafaces • Node Attestation Plugin (server, agent interface) • Node Resolver Plugin(server interface) • Workload Attestation Plugin (agent interface) • And plumbing to make it gRPC server • But, no comprehensive document right now – github.com/spiffe/plugin-template is obsolete • Official document points to reference custom plugin implementations
Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY Thank you for Listening!! Any Questions?

Recommandé

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022HostedbyConfluent
 
[OpenStack 스터디] OpenStack With Contrail
[OpenStack 스터디] OpenStack With Contrail[OpenStack 스터디] OpenStack With Contrail
[OpenStack 스터디] OpenStack With ContrailOpenStack Korea Community
 
Building Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFEBuilding Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFEQAware GmbH
 
Building Multi-Site and Multi-OpenStack Cloud with OpenStack Cascading
Building Multi-Site and Multi-OpenStack Cloud with OpenStack CascadingBuilding Multi-Site and Multi-OpenStack Cloud with OpenStack Cascading
Building Multi-Site and Multi-OpenStack Cloud with OpenStack CascadingJoe Huang
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region modeJoe Huang
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Real-time Data Streaming from Oracle to Apache Kafka
Real-time Data Streaming from Oracle to Apache Kafka Real-time Data Streaming from Oracle to Apache Kafka
Real-time Data Streaming from Oracle to Apache Kafka confluent
 

Recommandé

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022HostedbyConfluent
 
[OpenStack 스터디] OpenStack With Contrail
[OpenStack 스터디] OpenStack With Contrail[OpenStack 스터디] OpenStack With Contrail
[OpenStack 스터디] OpenStack With ContrailOpenStack Korea Community
 
Building Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFEBuilding Trust Between Modern Distributed Systems with SPIFFE
Building Trust Between Modern Distributed Systems with SPIFFEQAware GmbH
 
Building Multi-Site and Multi-OpenStack Cloud with OpenStack Cascading
Building Multi-Site and Multi-OpenStack Cloud with OpenStack CascadingBuilding Multi-Site and Multi-OpenStack Cloud with OpenStack Cascading
Building Multi-Site and Multi-OpenStack Cloud with OpenStack CascadingJoe Huang
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region modeJoe Huang
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Real-time Data Streaming from Oracle to Apache Kafka
Real-time Data Streaming from Oracle to Apache Kafka Real-time Data Streaming from Oracle to Apache Kafka
Real-time Data Streaming from Oracle to Apache Kafka confluent
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesYevgeniy Brikman
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
Azure Key Vault
Azure Key VaultAzure Key Vault
Azure Key Vaultjunichi anno
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 
Salesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafkaSalesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafkaThomas Alex
 
CRI, OCI, and CRI-O
CRI, OCI, and CRI-OCRI, OCI, and CRI-O
CRI, OCI, and CRI-OChe-Chia Chang
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)Channy Yun
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例Takeshi Mikami
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Vietnam Open Infrastructure User Group
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Vietnam Open Infrastructure User Group
 
Elastic-Engineering
Elastic-EngineeringElastic-Engineering
Elastic-EngineeringAraf Karsh Hamid
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack SolutionNalee Jang
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsAraf Karsh Hamid
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
Disaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache KafkaDisaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache Kafkaconfluent
 
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...confluent
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発LINE Corporation
 
Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Fwdays
 

Contenu connexe

Tendances

Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesYevgeniy Brikman
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 
Salesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafkaSalesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafkaThomas Alex
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)Channy Yun
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例Takeshi Mikami
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Vietnam Open Infrastructure User Group
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Vietnam Open Infrastructure User Group
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack SolutionNalee Jang
 
Disaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache KafkaDisaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache Kafkaconfluent
 
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...confluent
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 

Tendances (20)

Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modules
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
 
Azure Key Vault
Azure Key VaultAzure Key Vault
Azure Key Vault
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
 
Salesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafkaSalesforce enabling real time scenarios at scale using kafka
Salesforce enabling real time scenarios at scale using kafka
 
CRI, OCI, and CRI-O
CRI, OCI, and CRI-OCRI, OCI, and CRI-O
CRI, OCI, and CRI-O
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
 
Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例Aws auto scalingによるwebapサーバbatchサーバの構成例
Aws auto scalingによるwebapサーバbatchサーバの構成例
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
 
Elastic-Engineering
Elastic-EngineeringElastic-Engineering
Elastic-Engineering
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Disaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache KafkaDisaster Recovery Plans for Apache Kafka
Disaster Recovery Plans for Apache Kafka
 
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
[Confluent] 실시간 하이브리드, 멀티 클라우드 데이터 아키텍처로 빠르게 혀...
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 

Similaire à SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発LINE Corporation
 
Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Fwdays
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeajessup
 
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles ServiceAraport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Servicestevemock
 
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud DevelopmentCloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud DevelopmentAndreas Falk
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
 
Introduction and hacking OpenStack, Pycon India
Introduction and hacking OpenStack, Pycon IndiaIntroduction and hacking OpenStack, Pycon India
Introduction and hacking OpenStack, Pycon IndiaAtul Jha
 
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021WDDay
 
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & MobileIVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & MobileAmazon Web Services Japan
 
API First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipelineAPI First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipelinePronovix
 
Telerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT ConferenceTelerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT ConferenceJen Looper
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...Daniel Bryant
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster inwin stack
 
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Amazon Web Services
 
SoftLayer API 12032015
SoftLayer API 12032015SoftLayer API 12032015
SoftLayer API 12032015Nacho Daza
 
Meet the Forge Runtime
Meet the Forge RuntimeMeet the Forge Runtime
Meet the Forge RuntimeAtlassian
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API GatewayMark Bate
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...Atlassian
 

Similaire à SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura (20)

アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発アプリで簡単にスタンプを販売するためのAPI開発
アプリで簡単にスタンプを販売するためのAPI開発
 
Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"Serhiy Kalinets "Building Service Mesh with .NET Core"
Serhiy Kalinets "Building Service Mesh with .NET Core"
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffe
 
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles ServiceAraport Workshop Tutorial 2: Authentication and the Agave Profiles Service
Araport Workshop Tutorial 2: Authentication and the Agave Profiles Service
 
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud DevelopmentCloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
CloudStack EC2 Configuration
CloudStack EC2 ConfigurationCloudStack EC2 Configuration
CloudStack EC2 Configuration
 
Introduction and hacking OpenStack, Pycon India
Introduction and hacking OpenStack, Pycon IndiaIntroduction and hacking OpenStack, Pycon India
Introduction and hacking OpenStack, Pycon India
 
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
ОЛЕКСАНДР ЛИПКО «Graceful Shutdown Node.js + k8s» Online WDDay 2021
 
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & MobileIVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
IVS CTO Night And Day 2018 Winter - [re:Cap] Serverless & Mobile
 
API First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipelineAPI First Workflow: How could we have better API Docs through DevOps pipeline
API First Workflow: How could we have better API Docs through DevOps pipeline
 
Telerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT ConferenceTelerik AppBuilder Presentation for TelerikNEXT Conference
Telerik AppBuilder Presentation for TelerikNEXT Conference
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster
 
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
 
SoftLayer API 12032015
SoftLayer API 12032015SoftLayer API 12032015
SoftLayer API 12032015
 
Meet the Forge Runtime
Meet the Forge RuntimeMeet the Forge Runtime
Meet the Forge Runtime
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API Gateway
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
 

Plus de Preferred Networks

PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57Preferred Networks
 
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3Preferred Networks
 
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...Preferred Networks
 
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...Preferred Networks
 
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55Preferred Networks
 
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2Preferred Networks
 
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2Preferred Networks
 
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2Preferred Networks
 
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演Preferred Networks
 
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)Preferred Networks
 
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)Preferred Networks
 
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)Preferred Networks
 
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語るKubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語るPreferred Networks
 
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張Preferred Networks
 
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会Preferred Networks
 
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2Preferred Networks
 
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...Preferred Networks
 
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...Preferred Networks
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...Preferred Networks
 
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50Preferred Networks
 

Plus de Preferred Networks (20)

PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
PodSecurityPolicy からGatekeeper に移行しました / Kubernetes Meetup Tokyo #57
 
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
Optunaを使ったHuman-in-the-loop最適化の紹介 - 2023/04/27 W&B 東京ミートアップ #3
 
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher...
 
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
深層学習の新しい応用と、 それを支える計算機の進化 - Preferred Networks CEO 西川徹 (SEMICON Japan 2022 Ke...
 
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
Kubernetes ControllerをScale-Outさせる方法 / Kubernetes Meetup Tokyo #55
 
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
Kaggle Happywhaleコンペ優勝解法でのOptuna使用事例 - 2022/12/10 Optuna Meetup #2
 
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
最新リリース:Optuna V3の全て - 2022/12/10 Optuna Meetup #2
 
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
Optuna Dashboardの紹介と設計解説 - 2022/12/10 Optuna Meetup #2
 
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
スタートアップが提案する2030年の材料開発 - 2022/11/11 QPARC講演
 
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
Deep Learningのための専用プロセッサ「MN-Core」の開発と活用(2022/10/19東大大学院「 融合情報学特別講義Ⅲ」)
 
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
PFNにおける研究開発(2022/10/19 東大大学院「融合情報学特別講義Ⅲ」)
 
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
自然言語処理を 役立てるのはなぜ難しいのか(2022/10/25東大大学院「自然言語処理応用」)
 
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語るKubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
Kubernetes にこれから入るかもしれない注目機能!(2022年11月版) / TechFeed Experts Night #7 〜 コンテナ技術を語る
 
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
Matlantis™のニューラルネットワークポテンシャルPFPの適用範囲拡張
 
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
PFNのオンプレ計算機クラスタの取り組み_第55回情報科学若手の会
 
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
 
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
Kubernetes Service Account As Multi-Cloud Identity / Cloud Native Security Co...
 
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
KubeCon + CloudNativeCon Europe 2022 Recap / Kubernetes Meetup Tokyo #51 / #k...
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
 
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
独断と偏見で選んだ Kubernetes 1.24 の注目機能と今後! / Kubernetes Meetup Tokyo 50
 

Dernier

CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 

Dernier (20)

CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 

SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura

  • 1. Shingo Omura, Preferred Networks, Inc. SPIFFE Meetup Tokyo #2 2019-10-02 Attestation Internals in SPIRE Icons made by Freepik from www.flaticon.com 💚

  • 2. Shingo Omura ● ML Platform Engineer, Preferred Networks, Inc. ○ On-Prem GPU(2000+) k8s clusters ○ kubernetes org member (sig-scheduling) ○ kubeflow contributor ● @everpeace
  • 3. Recap: SPIFFE Standardizations • SPIFFE ID − identity namespace and defines how services identify themselves to each other • SVID (SPIFFE Verification Itenditity Document) − defines verifiable representation of issued identities (in X.509 and JWT format) • Workload API − defines API for issuing and/or retrieving another workload’s SVID
  • 4. example of SPIFFE ID based authentication spiffe://dev.acme.com/payments/web scheme=spiffe Trust Domain Path Recap: SPIFFE ID spiffe://dev.acme.com/payments/api spiffe://dev.acme.com/payments/db
  • 5. Recap: SVID (SPIFFE Verification Identity Document) Icons made by Freepik from www.flaticon.com Trust Domain (spiffe://dev.acme.com/) As Signing Authority • consists of – SPIFFE ID – valid signature – public key(optional) • supported format – X509-SVID, JWT-SVID • typically short-lived SVID SPIFFE Bundle Provides Trust Bundle • used for validating SVIDs • contains a trust domain's public keys or X.509 CA certificate in JWK Set format
  • 6. SVIDResponse Recap: Workload API WorkloadAPI Workload (Src) ● grpc with unix domain socket (aka Workload API Endpoint) ● no authentication for avoiding bootstrapping Transport SVIDRequest Icons made by Freepik, photo3idea_studio, Pixel Buddha from www.flaticon.com SVIDs Workload (Dst) SPIFFE Bundles SVIDRequest SVIDResponse verify src SVID by SPIFFE Bundle Identify the Caller - kernel introspection - orchestrator interrogation may contain Federated Bundles (bundles for other trust domains)
  • 7. Overview of SPIRE: SPIFFE Runtime Environment Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server Node API Registration API ● Identity Mapping ● Node Attestation ● SVID IssuanceCLI API ● Workload Attestation ● Workload API
  • 8. ● workload identities must be registered first ● entries defines a mapping of workload <--> SPIFFE ID via workload selectors ● entries has hierarchy. note that this hierarchy is independent to one of SPIFFE ID’s path Identity(Workload) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/payments/web Parent ID spiffe://dev.acme.com/k8s/cluster/foo Selectors k8s:ns:payments k8s:sa:payment-web k8s:container-image:payments Workload Registration Entry of /payments/web Icons made by Freepik from www.flaticon.com type value
  • 9. Identity(Node) Registration spire-server Node API Registration API CLI API SPIFFE ID spiffe://dev.acme.com/k8s/cluster/foo Parent ID spiffe://dev.acme.com/ Selectors k8s_psat:custer:foo k8s_psat:agent_ns:spire k8s_psat:agent_sa:agent Node Registration Entry of /k8s/cluster/foo ● node identities registration enables to assign one workload SPIFFE ID across multiple nodes ● registration entries defines a mapping of node(agent) <--> SPIFFE ID via node selectors
  • 10. What is Attestation in SPIRE? Attestation is the process of certifying that something is true. spire-server spire-agent Workload API Work load Node API Node Attestation • verifying the identity of the node the workload is running on • runs when booting spire-agent Workload Attestation • verifying the workload on the node
  • 11. Overview: How SPIRE issue SVIDs spire server spire agent Work load 1. register entries 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity Icons made by Freepik from www.flaticon.com 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
  • 12. Node Attestation Internals (based on version 0.8.1) spire server spire agent 2.0 attest node 2.3 node SVIDs Cloud Providers (k8s, instance metadata, etc.) 2.1 verify node identity
  • 13. Node Attestation • Both server & agent participate in node attestation • Only one node attestor can be configured in spire agent – multiple node attestors can be configured in spire server • Node attestor is pluggable – join_token, aws, azure, k8s, etc. (supported plugins list) spire serverspire agent Node Attestor Plugin Node Attestor PluginNode Attestor PluginNode Attestor Plugin
  • 14. Before: Node Attestation Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-server CLI API
  • 15. Node Attestation Internals (based on version 0.8.1) spire serverspire agent Booting... … Booted Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com 0. generate key-pair for this node 1. plugin makes proof of the node identity 2. make certificate signing request 3. send node identity and signing request 4.1 perform challenge & response in arbitrary number of rounds 5. issue node SVID (sign the signing request) CA’s key pair SPIFFE Bundle 6. send node SVID transport is secured by using upstream CA 4. verify the proof 4.2 issue node SPIFFE ID and its selectors
  • 16. Example of AWS Node Attestor Plugin spire serverspire agent AWS Node Attestor Plugin AWS Node Attestor Plugin Instance Identity Document SPIFFE ID /aws_iid/{acctID}/{region}/{instanceID} Selectors AWS Node Resolver Plugin aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... instance metadata service Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
  • 17. mTLS with node SVID spire server Sync all the registration entries match ● selectors of the node SVIDs ● and their descendants ● (subset match included) Completing Agent Bootup Icons made by Freepik from www.flaticon.com spire agent node(base) SVID (/aws_iid/acct/reg/instanceID) Node SVID Rotator refresh when rotatedrotate SVID/Bundle/ RegistrationEntries Synchronizer /aws_iid/acct/reg/instanceID aws_iid:tag:name:value aws_iid:sg:id:sg-01234567 aws_iid:sg:name:sg-name aws_iid:iamrole:arn:aws... /cluster/payments MATCH! /payments/api /payments/web /payments/db entries
  • 18. After: Booting Up Agent Completely Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API spire-agent Workload API spire-server CLI API
  • 19. Workload Attestation Internals (based on version 0.8.1) spire server spire agent Work load kernel/orchestrators (e.g. kubelet/docker) 3.3 workload identity 3.1 verify workload identity 3.2 obtaining workload info 3.0 attest workload 3.4 workload SVIDs 3.5 workload SVIDs
  • 20. entries Workload Attestation • Only agent participates in workload attestation – synchronizer is responsible for fetching workload SVIDs/Bundles • Multiple workload attestors can be configured in spire agent • Workload attestor is also pluggable – unix, docker, k8s etc. (supported plugins list) spire agent Workload spire server Worload Attestor Plugin Worload Attestor Plugin Worload Attestor Plugin WorkloadAPI
  • 21. Before: Workload Attestation Completed Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
  • 22. Workload Attestation Internals (based on version 0.8.1) spire server spire agent Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com Synchronizer mTLS with node SVID entries Work load kernel/orchestrators (e.g. kubelet/docker) Worload Attestor Plugin WorkloadEndpoint(unixsocket) 0. attestation request 1.2 obtain workload info 2. request syncing entries matched to merged selectors 3. request to issue their SVIDs (synchronizer generates key-pairs) 1.1 each attestor verify workload identity (pid) and transform it to selectors 4. matched SVIDs & Bundles unix:uid, unix:gid docker:image_id, docker:label k8s:ns, k8s:sa, k8s:pod-name etc. 1. attest in all attestors
  • 23. Ready to Authenticate Workload Each Other!! Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com spire-agent Workload API Work load Work load spire-agent Workload API Work load Work load spire-server CLI API
  • 24. Quick Start • Rercommended: SPIRE101 in spire repo – you can try spire environment in docker-compose • !!CAUTION!! – this does NOT work on 0.8.1 or later – this works in 0.8.0 – ref: spiffe/spire#1155
  • 25. Custom Attestation Plugin? • Just implementing several interafaces • Node Attestation Plugin (server, agent interface) • Node Resolver Plugin(server interface) • Workload Attestation Plugin (agent interface) • And plumbing to make it gRPC server • But, no comprehensive document right now – github.com/spiffe/plugin-template is obsolete • Official document points to reference custom plugin implementations
  • 26. Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY Thank you for Listening!! Any Questions?