To do cloud-native computing, you need to identify all your workloads, and, more importantly, they need the ability to identify each other, so they can work together in automated chains. To aid in this task, the Cloud Native Computing Foundation has adopted the open source SPIFFE specification and its associated SPIRE runtime. SPIFFE provides a standard for securely identifying software components in heterogeneous IT systems and SPIRE is the engine that can make it happen (and, in this setup, CNCF’s Open Policy Agent [OPA] can enforce the authorization duties).
If you feel all this is a bit much to take in, then you are not alone. For our latest “pancakes and podcast” edition of The New Stack Analysts, recorded live at KubeCon + CloudNativeCon Europe 2018 on May 3, we focused our panel discussion on SPIFFE, and the room was filled with those curious about this topic (and/or hungry for delicious pancakes).
We discussed what the specification and its associated SPIRE runtime could do to help secure microservices, as well as the broader security implications for identity management in the cloud-native era. Panelists included Krishna Ganugapati, VMware vice president of R&D for cloud native applications; Andrew Jessup, Scytale Head of Product; Maya Kaczorowski, Google Product Manager; Tom Petrocelli, Amalgam Insights Analyst; and Andreas Zitzelsberger, QAware principal software architect.
In this Edition:
4:07: What concepts have we been working with in traditional IT environments?
14:56: Exploring service mesh projects such as Istio
23:51: Running SPIFFE on multiple clusters
33:49: Identity as a complex problem in security
39:04: Addressing SPIFFE as a specification and formal verification
42:08: What is the community doing to ensure the security of Kubernetes features