SPIFFE Workload Identity Integration with Cilium

Oct 28, 2021

SPIFFE provides a strong identity base that is flexible enough for most scenarios. Integrating SPIFFE natively into the Cilium CNI has advantages, since the integration does not change any data-path handling.

SPIFFE now supports Delegated Identity APIs, which allow a privileged process to request SVIDs on behalf of a workload; the privileged process needs to be on the same node as the workload, but not in the same pod.

Briefly about Cilium…

eBPF-based Networking, Observability, and Security

Cilium: Identity Aware

  • Cilium derives numeric Identity from k8s labels
  • Identity is used in eBPF data-plane and can enforce L3/L4 authz on per packet basis
    • No use of iptables/netfilter
  • Identity is synchronized using a KVStore

Components of Identity?

Our need for SPIFFE

  • Consistent Identity across the eco-system not just k8s-workloads
  • Ability to federate identity with third party services
  • Single Identity across all policy enforcement engines {network, system, data}
  • Ability to use TPMs/Enclaves for secure attestation
Integration Challenges

  • Cilium deploys Envoy in Node-Singleton Model
    • Does not use side-car model
    • Advantages, Disadvantages?
Need for SPIRE Delegation APIs

  • Implications of the Envoy node-singleton model used by Cilium
    • SPIRE’s k8s-workload attestation model expects the attestation API to be called from the same cgroups as the workload
    • Envoy is no longer co-located within the workload pods, thus it has no access to those cgroups
  • Delegated Identity APIs: allow a privileged process to fetch an SVID on behalf of the workload process from outside of its cgroups
Ensuring appropriate API access

  • Guardrails for appropriate access to these delegation APIs?
    • Only local node-scope access allowed
    • Caller has to be registered with SPIRE-Agent
    • Use selectors that can only be attested by privileged process
Use SPIFFE ID for L3/L4 authz

  • Exposing the SPIFFE ID as a k8s label allows L3/L4 authz based on the SPIFFE ID
  • This reuses the classic Cilium identity model for L3/L4 authz
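To make the label-to-identity model above concrete, here is an added Go sketch (not Cilium's or SPIRE's code): it allocates one numeric identity per distinct label set, validates a SPIFFE ID carried in an assumed `spiffe-id` label, and makes the per-packet L3/L4 decision on the numeric identity alone. The label key, the local allocator and the shape regex are simplifications assumed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Hypothetical label key carrying the workload's SPIFFE ID. A real k8s label value
// cannot contain ':' or '/', so this models the label set in memory only.
const spiffeLabel = "spiffe-id"
// Shape check for spiffe://<trust-domain>/<path> (lowercase trust domain, non-empty
// path); the SPIFFE spec has further rules, e.g. it forbids "." and ".." segments.
var spiffeIDRe = regexp.MustCompile(`^spiffe://[a-z0-9._-]+(/[A-Za-z0-9._-]+)+$`)
// Identity is the numeric identity allocated per distinct label set; Allocator hands
// them out (Cilium does this through a shared KV store, here it is a local map).
type Identity uint32
type Allocator struct {
	next  Identity
	byKey map[string]Identity
}

// Lookup returns a stable Identity for a label set (label order is irrelevant)
// and rejects a set whose SPIFFE ID label is malformed.
func (a *Allocator) Lookup(labels map[string]string) (Identity, error) {
	if id, ok := labels[spiffeLabel]; ok && !spiffeIDRe.MatchString(id) {
		return 0, fmt.Errorf("malformed SPIFFE ID %q", id)
	}
	pairs := make([]string, 0, len(labels))
	for k, v := range labels {
		pairs = append(pairs, k+"="+v)
	}
	sort.Strings(pairs)
	key := strings.Join(pairs, ";")
	if a.byKey == nil {
		a.byKey = map[string]Identity{}
	}
	if _, ok := a.byKey[key]; !ok {
		a.next++ // first allocation is 1; 0 stays reserved for "unknown"
		a.byKey[key] = a.next
	}
	return a.byKey[key], nil
}

// Allowed is the per-packet L3/L4 decision: policy maps a source Identity to the
// "port/proto" endpoints it may reach, so the lookup never touches the source IP.
func Allowed(policy map[Identity]map[string]bool, src Identity, port uint16, proto string) bool {
	return policy[src][fmt.Sprintf("%d/%s", port, proto)]
}
```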
Upgrading to secure connections

  • TLS origination and termination support
Other perks of using SPIFFE

  • Integrated certificate management solution
    • Integrates well with existing CA providers
    • Nested SPIRE allows hard-isolation of resources
  • Readily integrates with Vault for secrets management
  • Active developer community

Summary

  • SPIFFE provides a strong identity base that is flexible enough for most scenarios
    • Integrating SPIFFE natively into the Cilium CNI has advantages
    • The integration didn’t change any data-path eBPF handling in Cilium
  • SPIFFE now supports Delegated Identity APIs
    • allowing a privileged process to request SVIDs on behalf of the workload
    • the privileged process needs to be on the same node but not in the same pod
  • Next steps for Cilium
    • Using the SPIFFE-provisioned certs for IPSec/WireGuard
    • Extending to the use of JWTs

Credits

  • Code contributions from
    • @mauriciovasquezbernal (Mauricio)
    • @rscampos (Raphael)
    • @navarrothiago (Thiago)
  • Detailed reviews from
    • @jrajahalme (Jarno)
    • @joestringer (Joe)
    • @evan2645 (Evan)
    • @azdagron (Andrew)
    • Awesome SPIRE/SPIFFE and Cilium community

References

View the presentation here
