.png)
4 months ago
9
SPIFFE Overview
An overview of the SPIFFE specification
SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.
Distributed design patterns and practices such as micro-services, container orchestrators, and cloud computing have led to production environments that are increasingly dynamic and heterogeneous. Conventional security practices (such as network policies that only allow traffic between particular IP addresses) struggle to scale under this complexity. A first-class identity framework for workloads in an organization becomes necessary.
Further, modern developers are expected to understand and play a role in how applications are deployed and managed in production environments. Operations teams require deeper visibility into the applications they are managing. As we move to a more evolved security stance, we must offer better tools to both teams so they can play an active role in building secure, distributed applications.
SPIFFE is a set of open-source specifications for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries. The heart of these specifications is the one that defines short lived cryptographic identity documents – called SVIDs via a simple API. Workloads can then use these identity documents when authenticating to other workloads, for example by establishing a TLS connection or by signing and verifying a JWT token.
You can read more about how the SPIFFE APIs are defined and used in the Concepts guide.
SPIFFE comprises many specifications, each providing different parts of the SPIFFE functionality. Software that implements SPIFFE may support some or all of these functionalities. The following tables captures software that’s capable of providing your infrastructure with SPIFFE identities, along with the functionalities they support.
Open Source Software That Implements SPIFFE
| SPIRE | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cert-manager | ✔ | ✔ | ✔ | ✔ | |||||||
| Consul | ✔ | ✔ | ✔ | ✔ | Beta | ||||||
| Dapr | ✔ | ✔ | ✔ | ✔ | ✔ | ||||||
| Istio | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Commercial Software That Implements SPIFFE
| GCP | ✔ | ✔ | ✔ | ✔ | ✔ | ||||||
| Greymatter.io | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ||
| SPIRL | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Teleport | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ||
| Venafi | ✔ | ✔ | ✔ | ✔ |
Explanation of Columns - Software that Implements SPIFFE
X.509 SVID Can generate X.509 SVIDs for workloads JWT SVID Can generate JWT SVIDs for workloads Attestation-based Issuance Leverages node and/or workload attestation for issuing SVIDs Workload API Can serve the Workload API for automatic rotation SDS API Can serve Envoy SDS API SPIFFE Federation Can serve and consume the SPIFFE Federation API OIDC Federation Can serve OIDC Federation API PKI Integration Can leverage existing or external PKI for X.509 SVID issuance Kubernetes Support Supports workloads running in Kubernetes VM and Bare Metal Support Supports workloads running in VMs or on bare metal Serverless Support Supports workloads running in serverless environmentsSPIFFE enjoys a broad ecosystem, with many software projects, products, and platforms providing SPIFFE support in one way or another. While SPIFFE works with any software that knows how to use a JWT or an X.509 certificate, the following list captures software that supports SPIFFE as a first class citizen, along with the level of support they provide.
Open Source Software that Works with SPIFFE
| Envoy | ✔ | ✔ | ✔ | |
| Ghostunnel | ✔ | ✔ | ✔ | |
| Istio | ✔ | ✔ | ✔ | |
| Knox | ✔ | ✔ | ||
| VMware Secrets Manager | ✔ | ✔ | ✔ | |
| SPIKE | ✔ | ✔ | ✔ |
