SPIFFE Workload Identity Integration with Cilium

SPIFFE provides a strong identity base that is flexible enough for most scenarios. Integrating SPIFFE natively into the Cilium CNI has advantages, since the integration does not change any data-path handling.

SPIFFE now supports Delegated Identity APIs, which allow a privileged process to request SVIDs on behalf of a workload; the privileged process needs to be on the same node as the workload, but not in the same pod.

Briefly about Cilium...

eBPF-based Networking, Observability, and Security

Cilium: Identity Aware

  • Cilium derives numeric Identity from k8s labels
  • Identity is used in eBPF data-plane and can enforce L3/L4 authz on per packet basis
    • No use of iptables/netfilter
  • Identity is synchronized using a KVStore

Components of Identity?

Our need for SPIFFE

  • Consistent Identity across the eco-system not just k8s-workloads
  • Ability to federate identity with third party services
  • Single Identity across all policy enforcement engines {network, system, data}
  • Ability to use TPMs/Enclaves for secure attestation

Integration Challenges

  • Cilium deploys Envoy in Node-Singleton Model
    • Does not use side-car model
    • Advantages, Disadvantages?

[Figure: typical sidecar model vs. Cilium node-singleton model]

Need for SPIRE Delegation APIs

  • Implications of the Envoy node-singleton model used by Cilium
    • SPIRE’s k8s-workload attestation model expects the attestation API to be called
      from the same cgroups as the workload
    • Envoy is no longer co-located within the workload pods, so it has no access to those cgroups
  • Delegated Identity APIs: allow a privileged process to fetch an SVID on behalf of the
    workload process from outside the workload's cgroups

Ensuring appropriate API access

  • Guardrails for appropriate access to these delegation APIs?
    • Only local node-scope access allowed
    • Caller has to be registered with SPIRE-Agent
    • Use selectors that can only be attested by privileged process
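As an added illustration, not part of the original slides, the three guardrails above map onto a SPIRE agent configuration like the following. Assumed values: trust domain example.org, the Cilium agent's SPIFFE ID spiffe://example.org/cilium-agent, and the socket and file paths.

```hcl
# SPIRE agent.conf excerpt (added example; values below are assumptions).
agent {
  trust_domain      = "example.org"
  server_address    = "spire-server.spire.svc"
  server_port       = 8081
  data_dir          = "/run/spire/data"
  trust_bundle_path = "/run/spire/bundle/bundle.crt"

  # Regular Workload API socket used by ordinary workloads on this node.
  socket_path = "/run/spire/sockets/agent.sock"

  # Guardrail 1: node-local access only. The Delegated Identity API is served
  # on a separate admin Unix socket, so it is reachable only from this node.
  admin_socket_path = "/run/spire/sockets/admin.sock"

  # Guardrail 2: the caller must be registered with this SPIRE agent.
  # Only the SPIFFE IDs listed here may call the Delegated Identity API;
  # the caller is attested like any other workload first.
  authorized_delegates = ["spiffe://example.org/cilium-agent"]
}

plugins {
  # Guardrail 3: the delegate's registration entry must use a selector that
  # an ordinary pod cannot satisfy. With the unix attestor enabled, the entry
  # for the Cilium agent can require uid 0 on the node, e.g.:
  #   spire-server entry create -parentID <node SPIFFE ID> \
  #     -spiffeID spiffe://example.org/cilium-agent -selector unix:uid:0
  WorkloadAttestor "unix" {
    plugin_data {}
  }
  WorkloadAttestor "k8s" {
    plugin_data {}
  }
  NodeAttestor "k8s_psat" {
    plugin_data {
      cluster = "example-cluster"
    }
  }
  KeyManager "memory" {
    plugin_data {}
  }
}
```

Workloads that only talk to `socket_path` never see the admin socket, and a caller that is not in `authorized_delegates` is rejected even if it can reach it.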

Use SPIFFE ID for L3/L4 authz

  • Exposing the SPIFFE ID as a k8s label allows L3/L4 authz based on the SPIFFE ID
  • This reuses the classic Cilium Identity model for L3/L4 authz

Upgrading to secure connections

  • TLS origination and termination support

Other perks of using SPIFFE

  • Integrated certificate management solution
    • Integrates well with existing CA providers
    • Nested SPIRE allows hard-isolation of resources
  • Readily integrates with Vault for secrets management
  • Active developer community

Summary

  • SPIFFE provides a strong identity base flexible for most scenarios
    • Integrating SPIFFE natively in the Cilium CNI has advantages
    • Integration didn’t change any data-path eBPF handling in Cilium
  • SPIFFE now supports Delegated Identity APIs
    • allowing a privileged process to request SVIDs on behalf of the workload
    • the privileged process needs to be on the same node but not in the same pod
  • Cilium next todos
    • Using the SPIFFE-provisioned certs for IPsec/WireGuard
    • Extending to use JWTs

Credits

  • Code contributions from
    • @mauriciovasquezbernal (Mauricio)
    • @rscampos (Raphael)
    • @navarrothiago (Thiago)
  • Detailed reviews from
    • @jrajahalme (Jarno)
    • @joestringer (Joe)
    • @evan2645 (Evan)
    • @azdagron (Andrew)
    • Awesome SPIRE/SPIFFE and Cilium community

References

Presentation slides: SPIFFE/SPIRE presentation, KubeCon 2021
