Spiffe Integration

[rscampos]

What is this?

This PR contains the Cilium-SPIFFE integration that has been proposed in this design document. This PR covers the "Identity Generation Hardening" part of such proposal. We already have some prototypes of the "Upgrading connections to mTLS" part but we prefer start discussing only the former one to keep it more scoped.

How to test?

If you want to test it by yourself you can follow these steps. Otherwise you can watch this recorded demo.

0. Download, compile and install cilium-agent based on this PR
1. Add the --enable-spiffe flag to cilium-agent
2. Deploy Spire. I prepared a yaml manifest with all components needed to deploy it. It's based on the spire k8s quickstart tutorial but uses a custom spire-agent image that implements a POC of the spire privileged API.

$ kubectl apply -f https://gist.githubusercontent.com/rscampos/1e1e537c5183ccc32f2f64a949f37f41/raw/c5543cd286be7dda5d3940a09129378465de0dac/spire.yaml

3. Check that spire pods are running

$ kubectl get pods -n spire
NAME                READY   STATUS    RESTARTS   AGE
spire-agent-rqsp9   1/1     Running   0          14s
spire-server-0      1/1     Running   0          14s

4. Create some registration entries. This creates some registration entries for testing.

$ ./create_registration_entries.sh

5. Create some pods

$ kubectl run podubuntu --image=ubuntu:latest -- sleep 1000000
$ kubectl run podpraqma --image=praqma/network-multitool:latest -- sleep 100000

6. Restrict all egress traffic

$ kubectl apply -f https://gist.githubusercontent.com/rscampos/1e1e537c5183ccc32f2f64a949f37f41/raw/c5543cd286be7dda5d3940a09129378465de0dac/deny-all-egress.yaml

7. Check that ping is failing

$ kubectl exec podpraqma -- ping <podubuntu IP>

8. Deploy image based policy that allows those two pods to talk to each other

$ kubectl apply -f https://gist.githubusercontent.com/rscampos/1e1e537c5183ccc32f2f64a949f37f41/raw/c5543cd286be7dda5d3940a09129378465de0dac/image-based.yaml

9. Ping now works

$ kubectl exec podpraqma -- ping <podubuntu IP>
PING 10.11.0.173 (10.11.0.173) 56(84) bytes of data.
64 bytes from 10.11.0.173: icmp_seq=1 ttl=63 time=0.124 ms

TODO

• Update code once Spire "privileged" PR is ready (Proposal: Add a Privileged Attestation API spiffe/spire#2246 & proto/agent: add Delegated Identity API spiffe/spire-api-sdk#8 & RFC: Delegated Identity API implementation spiffe/spire#2481)
• Improve label validation (undo validation relax done for this POC)
• Rebase once vendor: bump etcd to v3.5.0 and grpc to v1.39.0 #15123 is merged
• Rebase once pkg/identity: Add missing labels to well-known identities #16585 is merged
• Spiffe label format - use spiffe as source in Spiffe label - discussed here RFC: Spiffe Integration #16626
• Tests (both unit and integration)
• Documentation
• How to deploy spire. Create helm templates?, leave it up to the user?
• How to initialize the spiffe watcher in a lazy way (avoid trying to connect to it when spire is not deployed yet)

ref #4016
old PR #16626

cc @nyrahul @jrajahalme @jrfastab @navarrothiago @mauriciovasquezbernal

[rscampos]

Folks,

Just sent a commit updating to the last version of Delegated Identity API. Also, this commit introduces the single watch approach: for each endpoint, one stream between Cilium and Spire is created to get X509-SVID updates.

[aanm]

@rscampos can you rebase against master? I assume this PR can be marked for review? If it's in draft, people will tend to ignore it unless it is marked as ready :-)

[rscampos]

Hello @aanm, I'm sorry for the delay... I did a rebase and organize all the commits in an easier way.
Besides that, do you folks think that would be good to send the second part (Upgrading connections to mTLS) later on or can we add together with the current PR?

I'll mark for review, feel free to ping me any time,

tks :)

[HighWatersDev]

I've been looking forward to this integration. Just curious if you have any estimate on when this could get merged?

[thylong]

Hey @aanm !
Since this is tagged as high priority, I apologise for duplicating @HighWatersDev's message but is it still a high priority?
Do you have any news to share that would go in this PR direction or another initiative toward Spiffe integration?

I believe we're numerous to look for this feature (as highlighted in the recent cilium blog post).

[navarrothiago]

@thylong, regarding the initiative toward Spiffe integration, take a look at https://github.com/accuknox/cilium-spire-tutorials if you want to try it out. Maybe this could help to understand a little bit more about the integration.

[thylong]

Thanks for your insights @navarrothiago , definitely appreciated !
I'll take a look at it 😊

[github-actions]

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

[tklauser]

It seems this PR hasn't seen activity in a while and picked up several merge conflicts in the meantime. I'll thus convert it to draft status.

@navarrothiago/@rscampos please feel free to move it out of draft again once the conflicts are resolved and the PR is ready for review again.

[github-actions]

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

[github-actions]

This pull request has not seen any activity since it was marked stale.
Closing.

[securitysamurai]

Is the Spiffe integration occurring anywhere else? Been looking forward to this going through.

[elinesterov]

Hey folks, what is missing for the integration here? Happy to figure out how to help and move this forward.

[nyrahul]

Let me put forward the status here based on what I know:

1. The changes to SPIRE SDK and other spire accessory tooling that was necessary is in place and upstreamed. (the links are in the main comment).
2. The changes in this PR were done during 1.9.x rev and the code base has substantially changed since then. However, the links to the document/design should still hold.
3. Note that It would still be a substantial effort to handle the changes and upstream it.

If anyone wants to take this forward, here would be the steps:

1. Reproduce the setup following this tutorial.
2. Check with the cilium community if there is any other effort underway
3. Rebase the code from this PR and fix the conflicts. This step is the most imp and non-trivial. If the cilium code base has changed significantly or any of its earlier design principles in the core have changed then this could be a major rework. This is the primary analysis that has to be done to get this integration done based on this PR.
4. Reproduce the setup from step 1 with the code from step 3. If all goes well till this point, most of the work will be in place. You might need to add more tests and get the reviews from the community.

Even though some of the folks developing this PR have now moved on to do something else, I am hoping I should be able to check and pull some of them together in a discussion/call if anyone is interested to take this forward.