我的书签
添加书签
移除书签SPIRE
This integration with SPIRE provides flexible attestation options not available with the default Istio identity management while harnessing Istio’s powerful service management. For example, SPIRE’s plugin architecture enables diverse workload attestation options beyond the Kubernetes namespace and service account attestation offered by Istio. SPIRE’s node attestation extends attestation to the physical or virtual hardware on which workloads run.
For a quick demo of how this SPIRE integration with Istio works, see Integrating SPIRE as a CA through Envoy’s SDS API.
Note that this integration requires version 1.14 for both and the data plane.
The integration is compatible with Istio upgrades.
Istio provides a basic sample installation to quickly get SPIRE up and running:
This will deploy SPIRE into your cluster, along with two additional components: the SPIFFE CSI Driver — used to share the SPIRE Agent’s UNIX Domain Socket with the other pods throughout the node — and the , a facilitator that performs automatic workload registration within Kubernetes. See Install Istio to configure Istio and integrate with the SPIFFE CSI Driver.
Option 2: Configure a custom SPIRE installation
See the SPIRE’s Quick start for Kubernetes guide to get started deploying SPIRE into your Kubernetes environment. See for more information on configuring SPIRE to integrate with Istio deployments.
SPIRE CA Integration Prerequisites
To integrate your SPIRE deployment with Istio, configure SPIRE:
Access the and configure the SPIRE Agent socket path to match the Envoy SDS defined socket path.
socket_path = "/run/secrets/workload-spiffe-uds/socket"
Share the SPIRE Agent socket with the pods within the node by deploying the SPIFFE CSI Driver.
See to configure Istio to integrate with the SPIFFE CSI Driver.
Note that you must deploy SPIRE before installing Istio into your environment so that Istio can detect it as a CA.
Install Istio
.
-
$ istioctl install --skip-confirmation -f - <<EOFapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: istio-systemspec:profile: defaultmeshConfig:trustDomain: example.orgvalues:global:# This is used to customize the sidecar templatesidecarInjectorWebhook:templates:spire: |spec:containers:- name: istio-proxyvolumeMounts:- name: workload-socketmountPath: /run/secrets/workload-spiffe-udsreadOnly: truevolumes:- name: workload-socketcsi:driver: "csi.spiffe.io"components:ingressGateways:- name: istio-ingressgatewayenabled: truelabel:istio: ingressgatewayk8s:overlays:- apiVersion: apps/v1kind: Deploymentname: istio-ingressgatewaypatches:- path: spec.template.spec.volumes.[name:workload-socket]value:csi:driver: "csi.spiffe.io"- path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]value:name: workload-socketmountPath: "/run/secrets/workload-spiffe-uds"readOnly: trueEOF
This will share the
spiffe-csi-driverwith the Ingress Gateway and the sidecars that are going to be injected on workload pods, granting them access to the SPIRE Agent’s UNIX Domain Socket. Use sidecar injection to inject the
istio-proxycontainer into the pods within your mesh. See for information on how to apply the custom defined template intoistio-proxy. This allows for the CSI driver to mount the UDS on the sidecars.Check Ingress-gateway pod state:
$ kubectl get pods -n istio-systemNAME READY STATUS RESTARTS AGEistio-ingressgateway-5b45864fd4-lgrxs 0/1 Running 0 17sistiod-989f54d9c-sg7sn 1/1 Running 0 23s
Data plane containers will only reach Ready if a corresponding registration entry is created for them on the SPIRE Server. Then, Envoy will be able to fetch cryptographic identities from SPIRE. See Register workloads to register entries for services in your mesh.
This section describes the options available for registering workloads in a SPIRE Server.
By deploying along with a SPIRE Server, new entries are automatically registered for each new pod that is created.
See Verifying that identities were created for workloads to check issued identities.
Note that SPIRE workload registrar is used in the section.
Option 2: Manual Registration
To improve workload attestation security robustness, SPIRE is able to verify against a group of selector values based on different parameters. Skip these steps if you installed SPIRE by following the since it uses automatic registration.
Generate an entry for an Ingress Gateway with a set of selectors such as the pod name and pod UID:
$ INGRESS_POD=$(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")$ INGRESS_POD_UID=$(kubectl get pods -n istio-system $INGRESS_POD -o jsonpath='{.metadata.uid}')
Get the spire-server pod:
$ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}")
Register an entry for the SPIRE Agent running on the node:
Register an entry for the Ingress-gateway pod:
$ kubectl exec -n spire $SPIRE_SERVER_POD -- \/opt/spire/bin/spire-server entry create \-spiffeID spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account \-parentID spiffe://example.org/ns/spire/sa/spire-agent \-selector k8s:sa:istio-ingressgateway-service-account \-selector k8s:ns:istio-system \-selector k8s:pod-uid:$INGRESS_POD_UID \-dns $INGRESS_POD \-dns istio-ingressgateway.istio-system.svc \-socketPath /run/spire/sockets/server.sockEntry ID : 6f2fe370-5261-4361-ac36-10aae8d91ff7SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-accountParent ID : spiffe://example.org/ns/spire/sa/spire-agentRevision : 0TTL : defaultSelector : k8s:ns:istio-systemSelector : k8s:pod-uid:63c2bbf5-a8b1-4b1f-ad64-f62ad2a69807Selector : k8s:sa:istio-ingressgateway-service-accountDNS name : istio-ingressgateway.istio-system.svcDNS name : istio-ingressgateway-5b45864fd4-lgrxs
Deploy an example workload:
$ istioctl kube-inject --filename @samples/security/spire/sleep-spire.yaml@ | kubectl apply -f -
Note that the workload will need the SPIFFE CSI Driver volume to access the SPIRE Agent socket. To accomplish this, you can leverage the
spirepod annotation template from the Install Istio section or add the CSI volume to the deployment spec of your workload. Both of these alternatives are highlighted on the example snippet below:apiVersion: apps/v1kind: Deploymentmetadata:name: sleepspec:replicas: 1selector:matchLabels:app: sleeptemplate:metadata:labels:app: sleep# Injects custom sidecar templateannotations:spec:terminationGracePeriodSeconds: 0serviceAccountName: sleep- name: sleepimage: curlimages/curlcommand: ["/bin/sleep", "3650d"]imagePullPolicy: IfNotPresentvolumeMounts:- name: tmpmountPath: /tmpsecurityContext:runAsUser: 1000volumes:- name: tmpemptyDir: {}# CSI volume- name: workload-socketcsi:driver: "csi.spiffe.io"
Get pod information:
$ SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}")$ SLEEP_POD_UID=$(kubectl get pods $SLEEP_POD -o jsonpath='{.metadata.uid}')
Register the workload:
$ kubectl exec -n spire spire-server-0 -- \/opt/spire/bin/spire-server entry create \-spiffeID spiffe://example.org/ns/default/sa/sleep \-parentID spiffe://example.org/ns/spire/sa/spire-agent \-selector k8s:ns:default \-selector k8s:pod-uid:$SLEEP_POD_UID \-dns $SLEEP_POD \-socketPath /run/spire/sockets/server.sock
SPIFFE IDs for workloads must follow the Istio SPIFFE ID pattern: spiffe://<trust.domain>/ns/<namespace>/sa/<service-account>
See the to learn how to create new entries for workloads and get them attested using multiple selectors to strengthen attestation criteria.
Verifying that identities were created for workloads
Use the following command to confirm that identities were created for the workloads:
Check the Ingress-gateway pod state:
$ kubectl get pods -n istio-systemNAME READY STATUS RESTARTS AGEistio-ingressgateway-5b45864fd4-lgrxs 1/1 Running 0 60sistiod-989f54d9c-sg7sn 1/1 Running 0 45s
After registering an entry for the Ingress-gateway pod, Envoy receives the identity issued by SPIRE and uses it for all TLS and mTLS communications.
Retrieve sleep’s SVID identity document using the istioctl proxy-config secret command:
$ istioctl proxy-config secret $SLEEP_POD -o json | jq -r \'.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem
Inspect the certificate and verify that SPIRE was the issuer:
$ openssl x509 -in chain.pem -text | grep SPIRESubject: C = US, O = SPIRE, CN = sleep-5f4d47c948-njvpk
SPIRE Servers are able to authenticate SPIFFE identities originating from different trust domains. This is known as SPIFFE federation.
SPIRE Agent can be configured to push federated bundles to Envoy through the Envoy SDS API, allowing Envoy to use to verify peer certificates and trust a workload from another trust domain. To enable Istio to federate SPIFFE identities through SPIRE integration, consult SPIRE Agent SDS configuration and set the following SDS configuration values for your SPIRE Agent configuration file.
This will allow Envoy to get federated bundles directly from SPIRE.
Create federated registration entries
If using the SPIRE Kubernetes Workload Registrar, create federated entries for workloads by adding the pod annotation
spiffe.io/federatesWithto the service deployment spec, specifying the trust domain you want the pod to federate with:podAnnotations:spiffe.io/federatesWith: "<trust.domain>"
Cleanup SPIRE
If you installed SPIRE using the quick start SPIRE deployment provided by Istio, use the following commands to remove those Kubernetes resources:
$ kubectl delete CustomResourceDefinition spiffeids.spiffeid.spiffe.io$ kubectl delete -n spire serviceaccount spire-agent$ kubectl delete -n spire configmap spire-agent$ kubectl delete -n spire deployment spire-agent$ kubectl delete csidriver csi.spiffe.io$ kubectl delete -n spire configmap spire-server$ kubectl delete -n spire service spire-server$ kubectl delete -n spire serviceaccount spire-server$ kubectl delete -n spire statefulset spire-server$ kubectl delete clusterrole spire-server-trust-role spire-agent-cluster-role$ kubectl delete clusterrolebinding spire-server-trust-role-binding spire-agent-cluster-role-binding
