In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts the identities of them. This talk describes how SPIRE implement this process and make it flexible. Moreover, it explains the detail of how spire-server and spire-agent (running at a node) interacts in the attestation process.

1. Shingo Omura, Preferred Networks, Inc.
SPIFFE Meetup Tokyo #2 2019-10-02
Attestation Internals
in SPIRE
Icons made by Freepik from www.flaticon.com
💚

2. Shingo Omura
● ML Platform Engineer, Preferred Networks, Inc.
○ On-Prem GPU(2000+) k8s clusters
○ kubernetes org member (sig-scheduling)
○ kubeflow contributor
● @everpeace

3. Recap: SPIFFE Standardizations
• SPIFFE ID
− identity namespace and defines how services identify themselves
to each other
• SVID (SPIFFE Verification Itenditity Document)
− defines verifiable representation of issued identities
(in X.509 and JWT format)
• Workload API
− defines API for issuing and/or retrieving another workload’s SVID

4. example of SPIFFE ID based authentication
spiffe://dev.acme.com/payments/web
scheme=spiffe Trust Domain Path
Recap: SPIFFE ID
spiffe://dev.acme.com/payments/api
spiffe://dev.acme.com/payments/db

5. Recap: SVID (SPIFFE Verification Identity Document)
Icons made by Freepik from www.flaticon.com
Trust Domain
(spiffe://dev.acme.com/)
As Signing Authority
• consists of
– SPIFFE ID
– valid signature
– public key(optional)
• supported format
– X509-SVID, JWT-SVID
• typically short-lived
SVID
SPIFFE Bundle
Provides Trust Bundle • used for validating SVIDs
• contains a trust domain's public
keys or X.509 CA certificate
in JWK Set format

6. SVIDResponse
Recap: Workload API
WorkloadAPI
Workload
(Src)
● grpc with unix domain socket (aka Workload API Endpoint)
● no authentication for avoiding bootstrapping
Transport
SVIDRequest
Icons made by Freepik, photo3idea_studio, Pixel Buddha from www.flaticon.com
SVIDs
Workload
(Dst)
SPIFFE
Bundles
SVIDRequest
SVIDResponse
verify src SVID
by SPIFFE Bundle
Identify the Caller
- kernel introspection
- orchestrator interrogation
may contain Federated Bundles
(bundles for other trust domains)

7. Overview of SPIRE: SPIFFE Runtime Environment
Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com
spire-agent
Workload API
Work
load
Work
load
spire-agent
Workload API
Work
load
Work
load
spire-server
Node API
Registration API ● Identity Mapping
● Node Attestation
● SVID IssuanceCLI API
● Workload Attestation
● Workload API

8. ● workload identities must be registered first
● entries defines a mapping of
workload <--> SPIFFE ID via workload selectors
● entries has hierarchy. note that this hierarchy is
independent to one of SPIFFE ID’s path
Identity(Workload) Registration
spire-server
Node API
Registration API
CLI API
SPIFFE ID spiffe://dev.acme.com/payments/web
Parent ID spiffe://dev.acme.com/k8s/cluster/foo
Selectors
k8s:ns:payments
k8s:sa:payment-web
k8s:container-image:payments
Workload Registration Entry of /payments/web
Icons made by Freepik from www.flaticon.com
type value

9. Identity(Node) Registration
spire-server
Node API
Registration API
CLI API
SPIFFE ID spiffe://dev.acme.com/k8s/cluster/foo
Parent ID spiffe://dev.acme.com/
Selectors
k8s_psat:custer:foo
k8s_psat:agent_ns:spire
k8s_psat:agent_sa:agent
Node Registration Entry of /k8s/cluster/foo
● node identities registration enables to assign
one workload SPIFFE ID across multiple nodes
● registration entries defines a mapping of
node(agent) <--> SPIFFE ID via node selectors

10. What is Attestation in SPIRE?
Attestation is the process of certifying that something is true.
spire-server
spire-agent
Workload API
Work
load
Node API
Node Attestation
• verifying the identity of the node the
workload is running on
• runs when booting spire-agent
Workload Attestation
• verifying the workload on the node

11. Overview: How SPIRE issue SVIDs
spire
server
spire
agent
Work
load
1. register entries
2.0 attest node
2.3 node SVIDs
Cloud Providers
(k8s, instance metadata, etc.)
2.1 verify
node
identity
kernel/orchestrators
(e.g. kubelet/docker)
3.3 workload identity
3.1 verify
workload
identity
Icons made by Freepik from www.flaticon.com
3.2 obtaining
workload
info
3.0 attest
workload
3.4 workload SVIDs
3.5 workload
SVIDs

12. Node Attestation Internals
(based on version 0.8.1)
spire
server
spire
agent
2.0 attest node
2.3 node SVIDs
Cloud Providers
(k8s, instance metadata, etc.)
2.1 verify
node
identity

13. Node Attestation
• Both server & agent participate in node attestation
• Only one node attestor can be configured in spire agent
– multiple node attestors can be configured in spire server
• Node attestor is pluggable
– join_token, aws, azure, k8s, etc. (supported plugins list)
spire serverspire agent
Node
Attestor Plugin
Node
Attestor PluginNode
Attestor PluginNode
Attestor Plugin

14. Before: Node Attestation
Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com
spire-server
CLI API

15. Node Attestation Internals (based on version 0.8.1)
spire serverspire agent
Booting...
…
Booted
Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
0. generate key-pair
for this node
1. plugin makes
proof of the node
identity
2. make certificate
signing request
3. send node identity
and signing request
4.1 perform challenge & response
in arbitrary number of rounds
5. issue node SVID
(sign the signing request)
CA’s key pair
SPIFFE Bundle
6. send node SVID
transport is secured by using upstream CA
4. verify the proof
4.2 issue node SPIFFE ID
and its selectors

16. Example of AWS Node Attestor Plugin
spire serverspire agent
AWS
Node Attestor
Plugin
AWS
Node Attestor
Plugin
Instance Identity
Document
SPIFFE ID
/aws_iid/{acctID}/{region}/{instanceID}
Selectors
AWS
Node Resolver
Plugin
aws_iid:tag:name:value
aws_iid:sg:id:sg-01234567
aws_iid:sg:name:sg-name
aws_iid:iamrole:arn:aws...
instance metadata service
Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com

17. mTLS with node SVID
spire server
Sync all the registration entries match
● selectors of the node SVIDs
● and their descendants
● (subset match included)
Completing Agent Bootup
Icons made by Freepik from www.flaticon.com
spire agent
node(base) SVID
(/aws_iid/acct/reg/instanceID)
Node SVID
Rotator
refresh when rotatedrotate
SVID/Bundle/
RegistrationEntries
Synchronizer
/aws_iid/acct/reg/instanceID
aws_iid:tag:name:value
aws_iid:sg:id:sg-01234567
aws_iid:sg:name:sg-name
aws_iid:iamrole:arn:aws...
/cluster/payments
MATCH!
/payments/api
/payments/web
/payments/db
entries

18. After: Booting Up Agent Completely
Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com
spire-agent
Workload API
spire-agent
Workload API
spire-server
CLI API

19. Workload Attestation Internals
(based on version 0.8.1)
spire
server
spire
agent
Work
load
kernel/orchestrators
(e.g. kubelet/docker)
3.3 workload identity
3.1 verify
workload
identity
3.2 obtaining
workload
info
3.0 attest
workload
3.4 workload SVIDs
3.5 workload
SVIDs

20. entries
Workload Attestation
• Only agent participates in workload attestation
– synchronizer is responsible for fetching workload SVIDs/Bundles
• Multiple workload attestors can be configured in spire agent
• Workload attestor is also pluggable
– unix, docker, k8s etc. (supported plugins list)
spire agent
Workload
spire
server
Worload
Attestor Plugin
Worload
Attestor Plugin
Worload
Attestor Plugin
WorkloadAPI

21. Before: Workload Attestation Completed
Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com
spire-agent
Workload API
Work
load
Work
load
spire-agent
Workload API
Work
load
Work
load
spire-server
CLI API

22. Workload Attestation Internals (based on version 0.8.1)
spire
server
spire agent
Icons made by Freepik, Pixel Buddha, Smashicons from www.flaticon.com
Synchronizer
mTLS with node SVID
entries
Work
load
kernel/orchestrators
(e.g. kubelet/docker)
Worload
Attestor Plugin
WorkloadEndpoint(unixsocket)
0. attestation
request
1.2 obtain
workload info
2. request syncing entries
matched to merged selectors
3. request to issue their SVIDs
(synchronizer generates key-pairs)
1.1 each attestor verify
workload identity (pid)
and transform it to selectors
4. matched
SVIDs
& Bundles
unix:uid, unix:gid
docker:image_id, docker:label
k8s:ns, k8s:sa, k8s:pod-name
etc.
1. attest in
all attestors

23. Ready to Authenticate Workload Each Other!!
Icons made by Freepik, photo3idea_studio, Pixel Buddha, srip from www.flaticon.com
spire-agent
Workload API
Work
load
Work
load
spire-agent
Workload API
Work
load
Work
load
spire-server
CLI API

24. Quick Start
• Rercommended: SPIRE101 in spire repo
– you can try spire environment in docker-compose
• !!CAUTION!!
– this does NOT work on 0.8.1 or later
– this works in 0.8.0
– ref: spiffe/spire#1155

25. Custom Attestation Plugin?
• Just implementing several interafaces
• Node Attestation Plugin (server, agent interface)
• Node Resolver Plugin(server interface)
• Workload Attestation Plugin (agent interface)
• And plumbing to make it gRPC server
• But, no comprehensive document right now
– github.com/spiffe/plugin-template is obsolete
• Official document points to
reference custom plugin implementations

26. Icons made by Vincent Le Moign from https://icon-icons.com/ licensed by CC 3.0 BY
Thank you for Listening!!
Any Questions?