Project Proposal: SPIFFE #68

Merged (3 commits, Mar 29, 2018)

Conversation


suniljames commented Nov 15, 2017

As requested during the 7 November 2017 CNCF TOC meeting (meeting minutes), we submit SPIFFE for consideration to be included as a CNCF project.

In addition to the public commentary within this pull request, Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017.

Note: this is the original Google document where this content was drafted.

Project Proposal: SPIFFE
As requested during the 7 November 2017 CNCF TOC meeting (https://goo.gl/LoKyV5), we submit SPIFFE for consideration to be included as a CNCF project.

Note: the original Google doc containing this content is available at https://goo.gl/gxjRCx

jondb commented Nov 15, 2017

This is a game changer. Managing shared secrets between micro services and distributing private TLS to hosts is an operational problem. It's a point of contention between the security and ops team and it detracts from other valuable security improvements.


ajessup commented Nov 15, 2017

Workload identity is at the heart of almost every current CNCF project and is a prerequisite of the perimeter-less zero-trust architecture that is a hallmark of cloud native deployments.

SPIFFE, by providing a strong, community supported specification and toolchain for workload identity across heterogeneous computing environments, will be of enormous benefit to organizations looking to adopt such an architecture.


jainvipin commented Nov 15, 2017

Standardization of identity format and management would bring security to applications, similar to what OCI/Docker brought to applications.


mlakewood commented Nov 15, 2017

Having secure identity would hugely improve the ability to deliver secure cloud-native applications and systems. SPIFFE in particular strikes a great balance between standing on the shoulder of giants and taking the industry forward.


jbeda commented Nov 15, 2017

In my mind, service identity (LOAS) is the one piece that is missing from the "magic" systems that made the Google production platform work. Inside Google it has proven to be an enabler for more secure systems but also a key to a lot beyond just security. Once you have implicit identity with every action you can start using that as context for so, so many things.

SPIFFE/SPIRE is doing a great job of bringing together all the pieces to not just recreate the Google environment but to take it to new places and new scenarios.


halap commented Nov 15, 2017

Identity framework for micro services that can support multiple cloud environments is a compelling value prop. Eager to see the development.


peterlamar commented Nov 15, 2017

Enterprise engineers need solutions that help them implement defense in depth. They have difficulty implementing security beyond the legacy perimeter mindset, which often means that once the perimeter is breached the application is wide open (aka Equifax et al.).
If microservice platforms have workload identity built in, a perimeter breach could be less catastrophic for applications built upon them. This effort to make layered security more accessible to developers is a big win for the good guys.


csepulv commented Nov 15, 2017

We use a lot of microservices (Bastille Networks) and a standard identity approach would certainly help manage the overhead of securing such services.


MP237 commented Nov 15, 2017

Service to service auth is going to be critical in standardizing identity for many use-cases going forward. Multi-cloud, Edge device management, HA etc. Definitely need something like this.


ramsesm2018 commented Nov 15, 2017

SPIFFE is a substantive step in defending micro services. Looking forward to seeing the future of this project.


Black4ciD commented Nov 16, 2017

The potential embedded in SPIFFE is huge. I'm certain we will see more and more organizations adopt this standard as it provides a simple and elegant solution to a very painful problem. By mitigating the Service Identity problem we will be able to deliver a higher security level in both standard cloud and multi-cloud environments.
This would be an awesome CNCF project!


fbalus commented Nov 16, 2017

This project proposal is an important building block towards application-driven security and a zero-trust, perimeter-less environment.


suniljames commented Nov 16, 2017

We just hung up from the 11/16 "office hours." Since nobody showed up, I am not uploading a video recording.

[REMINDER] Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017. The next one is on 11/21.


diogomonica commented Nov 16, 2017

I'm a big proponent of SPIFFE and having a strong, portable identity for application to application AAA.


carstenjacobsen commented Nov 16, 2017

SPIFFE is important because it provides a standardized identity framework, which is independent of application types, industries and organisation sizes. It truly is built for everyone.


randomvariable commented Nov 17, 2017

Hi @suniljames,

Will be helping out with the due diligence from next week.
Sorry I missed this week's call, will join next Tuesday!

Naadir


suniljames commented Nov 17, 2017

Awesome to hear, @randomvariable ! Looking forward to chatting.


bchav commented Nov 17, 2017

Here at AWS, SPIFFE is interesting to us for a number of reasons.

First, from a cloud provider perspective, a standard for pod/container identity eases the burden of securely passing secrets like IAM roles or credentials to workloads. We suspect there are other use cases here as well, like correlating AWS level metadata like tags, and granularly configuring security controls like VPC Security Groups.

More broadly speaking, we are excited about the potential for SPIFFE to provide a standard that applies to orchestration systems like Kubernetes, or container runtimes in general, whether that is Docker, CRI-Containerd, or whatever the future brings.

Finally, we sense the opportunity for this project to enhance other CNCF projects, especially in the service discovery and service mesh space. If Istio, Envoy and Linkerd can offload fingerprinting of workloads to SPIFFE, these projects can focus on their core competencies and not worry about the underlying secure introduction problem.


klynch commented Nov 18, 2017

I am excited for the ability to have true secure identity and communication between my services regardless of deployment locations (on premises, cloud) or orchestrator (VM, iron, K8S). This is huge!


woloski commented Nov 19, 2017

Auth0 CTO here 👋 . This problem is very close to our heart :). We've seen customers struggling with how to secure service-to-service interactions in a micro-services architecture. Having an easy way to agnostically authenticate services would be a big win for the industry.


suniljames commented Nov 21, 2017

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.


suniljames commented Nov 21, 2017

As requested by @randomvariable during today's SPIFFE "office hours" (video), please find this link to the repo page detailing the SPIFFE standards.


As we move to a more evolved security stance, we must create technology frameworks that enable the aforementioned to play active roles in easily building secure, distributed applications. **SPIFFE (aka the “Secure Production Identity Framework for Everyone”)** is one such framework.

SPIFFE comprises three (3) components:


bgrant0607 Nov 27, 2017

Note for the record: We believe we should contribute SPIRE together with SPIFFE, as one project.

One project is simpler, and emphasizes that SPIFFE is not just a spec, but also has a working implementation. TUF also has a reference implementation.

Istio will also have a SPIFFE implementation, which will help ensure that multiple implementations of the spec will remain possible.


*Statement on alignment with CNCF mission*:

We believe aligning on a common representation of workload identity, and proscribing best practices for identity issuance and delivery are critical for widespread adoption of cloud-native architectures. SPIFFE provides exactly this capability.


bgrant0607 Nov 27, 2017

s/proscribing/promoting/


justincormack Nov 28, 2017

I think it might be a typo for prescribing but yes promoting is better.


suniljames Nov 28, 2017

Will address this. Thanks for identifying it.


suniljames commented Nov 28, 2017

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.


justincormack commented Dec 1, 2017

I have done a brief technical review of this. There is a lot to review (a lot more than last time I looked some months back), and I haven't had time to review all of it yet, and I am not sure that it really makes sense to do so at this particular point in time, and it makes more sense to continue to review over time. There is definitely a requirement for workload identity in microservice environments. The project is in a much younger state than either of the other CNCF inception projects, for example the specification is not yet finished, but I don't think this is necessarily a blocker. Indeed this seems to be what the inception stage is designed for, and the specification may get more attention in the CNCF than outside.


suniljames commented Dec 5, 2017

Gentle reminder that @pragashj is hosting today's SPIFFE "office hours" (Zoom) at 10:30am PDT for 30 minutes. Thanks, JJ!


pragashj commented Dec 5, 2017


jessfraz commented Dec 6, 2017

In my opinion projects should have adoption before being added. Why do you need to be in CNCF? Is it just for status for your commercial interests in selling it?

I also agree with @justincormack on the fact that the spec is not exactly mature. This project is so young. Adding it to the CNCF to get adoption and more visibility is for ALL the wrong reasons imo. Is that what this foundation is for? Marketing of projects for visibility?


ultrasaurus commented Jan 18, 2018

Sorry to chime in late here -- just catching up on the details of this project and like others, have not completed a detailed technical review.

I agree with @jessfraz that the excitement expressed around SPIFFE is primarily around the problem it is focused on solving, rather than this specific solution (except for folks deeply familiar with the Google system that inspires it).

I'm not speaking for my employer, just chiming in based on my pre-Google experience. There are a lot of disparate identity systems that are pretty challenging to make interoperable without quite a bit of fragile logic. SPIFFE seems like it could solve a key part of the problem, yet it would be important for there to be implementations of a complete system that uses SPIFFE/SPIRE and to explore how those additional components fit into the CNCF ecosystem.

Also I agree with @monadic that it seems in the spirit of CNCF to adopt SPIRE, which can be used to validate SPIFFE.


suniljames commented Jan 26, 2018

Following multiple F2F discussions over the past few weeks with people on (and off) this thread, we started this FAQ to address repeatedly asked questions. Definitely more to come, and we welcome comments (and suggestions).


pragashj commented Jan 27, 2018

On protocol and standards

SPIFFE (unified identity model) is one of the key fundamental components required to enable seamless interoperability amongst heterogeneous infrastructure. I also think an intentional standardization on identity will help towards usable security.

On technology

SPIRE is a clean, simple code base that allows the community to learn and stabilize SPIFFE. While this isn't a sufficient condition for production-grade readiness, it is definitely a necessary condition.

On community

Having been involved with this from early on, I have seen some people with enthusiasm, some that have solved this problem at scale and some that have real need for this solution come together and chip in to build on SPIFFE. IMO: Being in CNCF can help accelerate this.


jessfraz commented Jan 29, 2018

I just wanted to reiterate that when I said:

I definitely think the systems SPIFFE is based upon obviously give it a firm place in the future of infrastructure

that meant +1 to SPIFFE


caniszczyk commented Feb 1, 2018

kicked off the official vote for SPIFFE as an inception level project, feel free to vote on the mailing list thread: https://lists.cncf.io/g/cncf-toc/topic/vote_spiffe_project/9616955


pragashj commented Feb 1, 2018


sublimino commented Feb 1, 2018

+1 (non-binding)


ddunstan commented Feb 1, 2018

+1 (non-binding)


eghobo commented Feb 1, 2018

+1 (non-binding)


fbalus commented Feb 1, 2018


benschumacher commented Feb 1, 2018

+1, non-binding


*Unique Identifier*: spiffe

*License*: ALv2


stevvooe Feb 1, 2018

Should this make it clear that this is Apache?


dankohn Feb 1, 2018

Apache-2.0 is the SPDX notation.

https://spdx.org/licenses/Apache-2.0.html


caniszczyk commented Feb 1, 2018


greggdonovan commented Feb 2, 2018

+1 (non-binding)


aasmall commented Feb 2, 2018

+1 (non-binding)


kbpawlowski commented Feb 3, 2018

+1 (non-binding)


feangulo commented Feb 4, 2018

+1, non-binding


caniszczyk commented Mar 13, 2018

@bgrant0607 is looking for an additional @cncf/toc sponsor, once we have one, we'll move forward and accept SPIFFE into the sandbox.


bgrant0607 commented Mar 14, 2018

Ken and Sam will cosponsor.


caniszczyk commented Mar 15, 2018

final call for any more @cncf/toc sponsors outside of the 2 minimum we have for the sandbox entry, if I don't hear from anyone by next Monday, we will have SPIFFE enter the sandbox

*Sponsor / Advisor from TOC*: Brian Grant <briangrant@google.com>, Sam Lambert <samlambert@github.com>, Ken Owens <ken.owens@mastercard.com>
*Preferred maturity level*: Inception


bgrant0607 Mar 20, 2018

s/Inception/Sandbox/

@caniszczyk caniszczyk self-assigned this Mar 23, 2018

@caniszczyk caniszczyk added bug sandbox and removed bug labels Mar 23, 2018

@caniszczyk caniszczyk merged commit f0d8741 into cncf:master Mar 29, 2018

1 check was pending

code-review/pullapprove Approval required by benh, bgrant0607, jonboulle, kenowens12, monadic, skamille