Skip to main content

SPIRE

SPIRE is a production-ready solution based on SPIFFE APIs. It solves the problem of workload identity and fires the SPIFFE API to issue and validate the identity of different workloads.

SPIRE Architecture:

A SPIRE deployment is composed of a SPIRE Server and one or more SPIRE Agents. Here, WL refers to workload

image

SPIRE Concepts

  • Workload Registration

    We need to register the workload with the SPIRE server for it to identify that workload. A registration entry maps an identity – in the form of a SPIFFE ID – to a set of properties known as selectors that the workload must possess in order to be issued a particular identity.

  • Attestation

    Attestation, here, is asserting the identity of a workload. SPIRE performs attestation in two phases:

    • first node attestation - in which the identity of the node the workload is running on is verified
    • workload attestation - in which the workload on the node is verified

  • Node Attestation

    SPIRE requires that each agent authenticate and verify itself when it first connects to a server; this process is called node attestation. During node attestation, the agent and server together verify the identity of the node the agent is running on. The result of a successful node attestation is that the agent receives a unique SPIFFE ID. The agent’s SPIFFE ID then serves as the “parent” of the workloads it’s in charge of.

How the Node Attestation is done :

For example purposes, we are using AWS here.

  1. The agent AWS node attestor plugin queries AWS for proof of the node’s identity and gives that information to the agent.

  2. The agent passes this proof of identity to the server. The server passes this data to its AWS node attestor.

  3. The server AWS node attestor validates proof of identity independently, or by calling out to an AWS API, using the information it obtained in step 2. The node attestor also creates a SPIFFE ID for the agent, and passes this back to the server process, along with any node selectors it discovered.

  4. The server sends back an SVID (SPIFFE Verification Identity Document) for the agent node.

image

SPIRE is used By:

  • The Envoy proxy
  • Pinterest Knox
  • The Ghostunnel proxy