Project Proposal: SPIFFE #68

Merged
merged 3 commits into from Mar 29, 2018

Conversation

suniljames
Contributor

@suniljames suniljames commented Nov 15, 2017

As requested during the 7 November 2017 CNCF TOC meeting (meeting minutes: https://goo.gl/LoKyV5), we submit SPIFFE for consideration to be included as a CNCF project.

In addition to the public commentary within this pull request, Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017.

Note: the original Google doc where this content was drafted is available at https://goo.gl/gxjRCx
@jondb

@jondb jondb commented Nov 15, 2017

This is a game changer. Managing shared secrets between microservices and distributing private TLS to hosts is an operational problem. It's a point of contention between the security and ops teams and it detracts from other valuable security improvements.

@ajessup

@ajessup ajessup commented Nov 15, 2017

Workload identity is at the heart of almost every current CNCF project and is a prerequisite of the perimeter-less zero-trust architecture that is a hallmark of cloud native deployments.

SPIFFE, by providing a strong, community supported specification and toolchain for workload identity across heterogeneous computing environments, will be of enormous benefit to organizations looking to adopt such an architecture.

@jainvipin

@jainvipin jainvipin commented Nov 15, 2017

Standardization of identity format and management would bring security to applications, similar to what OCI/Docker brought to applications.

@mlakewood

@mlakewood mlakewood commented Nov 15, 2017

Having secure identity would hugely improve the ability to deliver secure cloud-native applications and systems. SPIFFE in particular strikes a great balance between standing on the shoulders of giants and taking the industry forward.

@jbeda
Contributor

@jbeda jbeda commented Nov 15, 2017

In my mind, service identity (LOAS) is the one piece that is missing from the "magic" systems that made Google production platform work. Inside Google it has proven to be an enabler for more secure systems but also as a key to a lot beyond just security. Once you have implicit identity with every action you can start using that as context for so so many things.

SPIFFE/SPIRE is doing a great job of bringing together all the pieces to not just recreate the Google environment but to take it to new places and new scenarios.

@halap

@halap halap commented Nov 15, 2017

Identity framework for micro services that can support multiple cloud environments is a compelling value prop. Eager to see the development.

@peterlamar

@peterlamar peterlamar commented Nov 15, 2017

Enterprise engineers need solutions that help them implement defense in depth. They have difficulty implementing security beyond the legacy perimeter mindset, which often means that once the perimeter is breached the application is wide open (aka Equifax et al.).
If microservice platforms have workload identity built in, a perimeter breach could be less catastrophic for applications built upon them. This effort to make layered security more accessible to developers is a big win for the good guys.

@csepulv

@csepulv csepulv commented Nov 15, 2017

We use a lot of microservices (Bastille Networks) and a standard identity approach would certainly help manage the overhead of securing such services.

@MP237

@MP237 MP237 commented Nov 15, 2017

Service to service auth is going to be critical in standardizing identity for many use-cases going forward. Multi-cloud, Edge device management, HA etc. Definitely need something like this.

@ramsesm2018

@ramsesm2018 ramsesm2018 commented Nov 15, 2017

SPIFFE is a substantive step in defending micro services. Looking forward to seeing the future of this project.

@Black4ciD

@Black4ciD Black4ciD commented Nov 16, 2017

The potential embedded in SPIFFE is huge. I'm certain we will see more and more organizations adopt this standard as it provides a simple and elegant solution to a very painful problem. By mitigating the Service Identity problem we will be able to deliver higher security level in both standard cloud and multi-cloud environments.
This would be an awesome CNCF project!

@fbalus

@fbalus fbalus commented Nov 16, 2017

This project proposal is an important building block towards application-driven security and zero trust, perimeter-less environment.

@suniljames
Contributor Author

@suniljames suniljames commented Nov 16, 2017

We just hung up from the 11/16 "office hours." Since nobody showed up, I am not uploading a video recording.

[REMINDER] Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017. The next one is on 11/21.

@diogomonica

@diogomonica diogomonica commented Nov 16, 2017

I'm a big proponent of SPIFFE and having a strong, portable identity for application to application AAA.

@carstenjacobsen

@carstenjacobsen carstenjacobsen commented Nov 16, 2017

SPIFFE is important because it provides a standardized identity framework, which is independent of application types, industries and organisation sizes. It truly is built for everyone.

@randomvariable
Contributor

@randomvariable randomvariable commented Nov 17, 2017

Hi @suniljames,

Will be helping out with the due diligence from next week.
Sorry I missed this week's call, will join next Tuesday!

Naadir

@suniljames
Contributor Author

@suniljames suniljames commented Nov 17, 2017

Awesome to hear, @randomvariable ! Looking forward to chatting.

@bchav

@bchav bchav commented Nov 17, 2017

Here at AWS, SPIFFE is interesting to us for a number of reasons.

First, from a cloud provider perspective, a standard for pod/container identity eases the burden of securely passing secrets like IAM roles or credentials to workloads. We suspect there are other use cases here as well, like correlating AWS level metadata like tags, and granularly configuring security controls like VPC Security Groups.

More broadly speaking, we are excited about the potential for SPIFFE to provide a standard that applies to orchestration systems like Kubernetes, or container runtimes in general, whether that is Docker, CRI-Containerd, or whatever the future brings.

Finally, we sense the opportunity for this project to enhance other CNCF projects, especially in the service discovery and service mesh space. If Istio, Envoy and Linkerd can offload fingerprinting of workloads to SPIFFE, these projects can focus on their core competencies and not worry about the underlying secure introduction problem.

@klynch

@klynch klynch commented Nov 18, 2017

I am excited for the ability to have true secure identity and communication between my services regardless of deployment locations (on premises, cloud) or orchestrator (VM, iron, K8S). This is huge!

@woloski

@woloski woloski commented Nov 19, 2017

Auth0 CTO here 👋 . This problem is very close to our heart :). We've seen customers struggling with how to secure service-to-service interactions in a microservices architecture. Having an easy way to agnostically authenticate services would be a big win for the industry.

@suniljames
Contributor Author

@suniljames suniljames commented Nov 21, 2017

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.

@suniljames
Contributor Author

@suniljames suniljames commented Nov 21, 2017

As requested by @randomvariable during today's SPIFFE "office hours" (video), please find this link to the repo page detailing the SPIFFE standards.


As we move to a more evolved security stance, we must create technology frameworks that enable the aforementioned to play active roles in easily building secure, distributed applications. **SPIFFE (aka the “Secure Production Identity Framework for Everyone”)** is one such framework.

SPIFFE comprises three (3) components:
Contributor

@bgrant0607 bgrant0607 Nov 27, 2017


Note for the record: We believe we should contribute SPIRE together with SPIFFE, as one project.

One project is simpler, and emphasizes that SPIFFE is not just a spec, but also has a working implementation. TUF also has a reference implementation.

Istio will also have a SPIFFE implementation, which will help ensure that multiple implementations of the spec will remain possible.


*Statement on alignment with CNCF mission*:

We believe aligning on a common representation of workload identity, and proscribing best practices for identity issuance and delivery are critical for widespread adoption of cloud-native architectures. SPIFFE provides exactly this capability.
Contributor

@bgrant0607 bgrant0607 Nov 27, 2017


s/proscribing/promoting/

Contributor

@justincormack justincormack Nov 28, 2017


I think it might be a typo for prescribing but yes promoting is better.

Contributor Author

@suniljames suniljames Nov 28, 2017


Will address this. Thanks for identifying it.

@suniljames
Contributor Author

@suniljames suniljames commented Nov 28, 2017

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.

@justincormack
Contributor

@justincormack justincormack commented Dec 1, 2017

I have done a brief technical review of this. There is a lot to review (a lot more than last time I looked some months back), and I haven't had time to review all of it yet, and I am not sure that it really makes sense to do so at this particular point in time, and it makes more sense to continue to review over time. There is definitely a requirement for workload identity in microservice environments. The project is in a much younger state than either of the other CNCF inception projects, for example the specification is not yet finished, but I don't think this is necessarily a blocker. Indeed this seems to be what the inception stage is designed for, and the specification may get more attention in the CNCF than outside.

@suniljames
Contributor Author

@suniljames suniljames commented Dec 5, 2017

Gentle reminder that @pragashj is hosting today's SPIFFE "office hours" (Zoom) at 10:30am PDT for 30 minutes. Thanks, JJ!

@pragashj
Contributor

@pragashj pragashj commented Dec 5, 2017

@jessfraz

@jessfraz jessfraz commented Dec 6, 2017

In my opinion projects should have adoption before being added. Why do you need to be in CNCF? Is it just for status for your commercial interests in selling it?

I also agree with @justincormack on the fact that the spec is not exactly mature. This project is so young. Adding it to the CNCF to get adoption and more visibility is for ALL the wrong reasons imo. Is that what this foundation is for? Marketing of projects for visibility?

@jessfraz

@jessfraz jessfraz commented Dec 13, 2017

Thanks!!

@ultrasaurus
Member

@ultrasaurus ultrasaurus commented Jan 18, 2018

Sorry to chime in late here -- just catching up on the details of this project and like others, have not completed a detailed technical review.

I agree with @jessfraz that the excitement expressed around SPIFFE is primarily around the problem it is focused on solving, rather than this specific solution (except for folks deeply familiar with the Google system that inspires it).

I'm not speaking for my employer, just chiming in based on my pre-Google experience. There are a lot of disparate identity systems that are pretty challenging to make interoperable without quite a bit of fragile logic. SPIFFE seems like it could solve a key part of the problem, yet it would be important for there to be implementations of a complete system that uses SPIFFE/SPIRE and to explore how those additional components fit into the CNCF ecosystem.

Also I agree with @monadic that it seems in the spirit of CNCF to adopt SPIRE, which can be used to validate SPIFFE.

@suniljames
Contributor Author

@suniljames suniljames commented Jan 26, 2018

Following multiple F2F discussions over the past few weeks with people on (and off) this thread, we started this FAQ to address repeatedly asked questions. Definitely more to come, and we welcome comments (and suggestions).

@pragashj
Contributor

@pragashj pragashj commented Jan 27, 2018

On protocol and standards

SPIFFE (unified identity model) is one of the key fundamental components required to enable seamless interoperability amongst heterogeneous infrastructure. I also think an intentional standardization on identity will help towards usable security.

On technology

SPIRE is a clean, simple code base that allows the community to learn and stabilize SPIFFE. While this isn't a sufficient condition for production-grade readiness, it is definitely a necessary condition.

On community

Having been involved with this from early on, I have seen some people with enthusiasm, some that have solved this problem at scale and some that have real need for this solution come together and chip in to build on SPIFFE. IMO: Being in CNCF can help accelerate this.

@jessfraz

@jessfraz jessfraz commented Jan 29, 2018

I just wanted to reiterate that when I said:

I definitely think the systems SPIFFE is based upon obviously give it a firm place in the future of infrastructure

that meant +1 to SPIFFE

@caniszczyk
Contributor

@caniszczyk caniszczyk commented Feb 1, 2018

Kicked off the official vote for SPIFFE as an inception level project; feel free to vote on the mailing list thread: https://lists.cncf.io/g/cncf-toc/topic/vote_spiffe_project/9616955

@pragashj
Contributor

@pragashj pragashj commented Feb 1, 2018

@sublimino
Member

@sublimino sublimino commented Feb 1, 2018

+1 (non-binding)

@ghost

@ghost ghost commented Feb 1, 2018

+1 (non-binding)

@eghobo

@eghobo eghobo commented Feb 1, 2018

+1 (non-binding)

@fbalus

@fbalus fbalus commented Feb 1, 2018

@benschumacher

@benschumacher benschumacher commented Feb 1, 2018

+1, non-binding


*Unique Identifier*: spiffe

*License*: ALv2

@stevvooe stevvooe Feb 1, 2018


Should this make it clear that this is Apache?

Contributor

@dankohn dankohn Feb 1, 2018


Apache-2.0 is the SPDX notation.

https://spdx.org/licenses/Apache-2.0.html

@caniszczyk
Contributor

@caniszczyk caniszczyk commented Feb 1, 2018

@greggdonovan

@greggdonovan greggdonovan commented Feb 2, 2018

+1 (non-binding)

@aasmall

@aasmall aasmall commented Feb 2, 2018

+1 (non-binding)

@kbpawlowski

@kbpawlowski kbpawlowski commented Feb 3, 2018

+1 (non-binding)

@feangulo

@feangulo feangulo commented Feb 4, 2018

+1, non-binding

@caniszczyk
Contributor

@caniszczyk caniszczyk commented Mar 13, 2018

@bgrant0607 is looking for an additional @cncf/toc sponsor, once we have one, we'll move forward and accept SPIFFE into the sandbox.

@bgrant0607
Contributor

@bgrant0607 bgrant0607 commented Mar 14, 2018

Ken and Sam will cosponsor.

@caniszczyk
Contributor

@caniszczyk caniszczyk commented Mar 15, 2018

Final call for any more @cncf/toc sponsors outside of the 2 minimum we have for the sandbox entry; if I don't hear from anyone by next Monday, we will have SPIFFE enter the sandbox.


*Sponsor / Advisor from TOC*: Brian Grant <briangrant@google.com>, Sam Lambert <samlambert@github.com>, Ken Owens <ken.owens@mastercard.com>

*Preferred maturity level*: Inception
Contributor

@bgrant0607 bgrant0607 Mar 20, 2018


s/Inception/Sandbox/

@caniszczyk caniszczyk self-assigned this Mar 23, 2018
@caniszczyk caniszczyk merged commit f0d8741 into cncf:master Mar 29, 2018
1 check was pending
@caniszczyk
Contributor

@caniszczyk caniszczyk commented Mar 29, 2018
