November 24, 2019

Securing Communication Between Meshes and Beyond with SPIFFE Federation

Talk Title: Securing Communication Between Meshes and Beyond with SPIFFE Federation
Speakers: Evan Gilman (Engineer, Scytale), Oliver Liu (Senior Software Engineer, Google)
Conference: KubeCon + CloudNativeCon North America
Location: San Diego, CA, USA
Date: Nov 15-21, 2019
URL: Talk Page
Slides: Talk Slides

One of the hottest features that Istio brings to the table is transparent, mutually-authenticated TLS between all workloads running on it. Under the covers, it relies on SPIFFE to provide the cryptographic identity that is used to perform this mutual authentication.

SPIFFE relies on an authority to issue identity. In an Istio mesh, Istio Citadel (CA) issues certificates to workloads by default… but what happens when you have more than one Istio mesh, and hence more than one Citadel? Or Istio workloads talking to external services?

Enter SPIFFE federation. It allows SPIFFE identity issuers to peer with each other, enabling workloads in disparate domains to securely authenticate and communicate with each other. In this talk, we will describe the challenges involved here and how SPIFFE addresses them, as well as demonstrate SPIFFE federation between Istio mesh and SPIRE.
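The core mechanic behind the federation the abstract describes is that a workload keeps a separate trust bundle per trust domain and picks the bundle using the trust domain named in the peer's SPIFFE ID, not by trying every bundle it holds. The following Go program is an added illustration written for this page; it is not code from the talk, from Istio or from SPIRE. It stands up two self-signed CAs for the assumed trust domains example.org and example.com, mints X509-SVIDs under each, and runs a federated peer check in the shape of a tls.Config VerifyPeerCertificate callback. The SPIFFE IDs, workload paths and scenario names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// trustDomain is one SPIFFE trust domain with its own self-signed CA (assumed setup;
// in a real mesh this role is played by Citadel or a SPIRE server).
type trustDomain struct {
	name string
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	return s
}

func newTrustDomain(name string) *trustDomain {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(), Subject: pkix.Name{CommonName: name + " CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &trustDomain{name: name, cert: cert, key: key}
}

// issueSVID mints an X509-SVID: a leaf whose single URI SAN is the SPIFFE ID. The CA is
// deliberately allowed to sign an ID in a foreign trust domain so the check below can be
// shown rejecting it.
func (td *trustDomain) issueSVID(spiffeID string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id, err := url.Parse(spiffeID)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(), Subject: pkix.Name{CommonName: "workload"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, td.cert, &key.PublicKey, td.key)
	if err != nil {
		panic(err)
	}
	return der
}

// bundleSet maps a trust domain name to that domain's roots. Federating with a peer
// domain is exactly the act of adding the peer's roots under the peer's own name.
type bundleSet map[string]*x509.CertPool

func (b bundleSet) add(td *trustDomain) {
	pool := x509.NewCertPool()
	pool.AddCert(td.cert)
	b[td.name] = pool
}

// verifyPeerSVID has the rawCerts shape of tls.Config.VerifyPeerCertificate. It reads the
// trust domain out of the peer's SPIFFE ID, selects that domain's bundle, and verifies the
// chain against it. Selecting by the ID's trust domain is what stops a federated CA from
// minting identities in someone else's domain.
func verifyPeerSVID(rawCerts [][]byte, bundles bundleSet) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("no peer certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("leaf must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	roots, ok := bundles[id.Host]
	if !ok {
		return "", fmt.Errorf("trust domain %q is not federated with us", id.Host)
	}
	inter := x509.NewCertPool()
	for _, der := range rawCerts[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return "", err
		}
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("SVID %s does not chain to the %s bundle: %w", id, id.Host, err)
	}
	return id.String(), nil
}

type scenarioResult struct {
	ID  string
	Err error
}

// runScenarios exercises the check with and without federation (assumed names throughout).
func runScenarios() map[string]scenarioResult {
	org, com := newTrustDomain("example.org"), newTrustDomain("example.com")
	local := bundleSet{}
	local.add(org)
	federated := bundleSet{}
	federated.add(org)
	federated.add(com)
	orgSVID := org.issueSVID("spiffe://example.org/ns/default/sa/frontend")
	comSVID := com.issueSVID("spiffe://example.com/ns/default/sa/backend")
	spoofed := com.issueSVID("spiffe://example.org/ns/default/sa/frontend") // foreign CA, local ID
	res := map[string]scenarioResult{}
	check := func(name string, svid []byte, b bundleSet) {
		id, err := verifyPeerSVID([][]byte{svid}, b)
		res[name] = scenarioResult{id, err}
	}
	check("local-peer", orgSVID, local)
	check("foreign-peer-unfederated", comSVID, local)
	check("foreign-peer-federated", comSVID, federated)
	check("spoofed-id-federated", spoofed, federated)
	return res
}

func main() {
	for name, r := range runScenarios() {
		fmt.Printf("%-26s id=%q err=%v\n", name, r.ID, r.Err)
	}
}
```

The two negative cases are the ones worth keeping in mind: a peer from a domain you have not federated with is refused outright, and a certificate that names an example.org identity but was signed by the example.com CA fails even though that CA is trusted, because only the example.org bundle is consulted for example.org IDs. To use the callback in a real listener, set tls.Config.VerifyPeerCertificate to a closure over the bundle set and, on the client side, disable the hostname-based default verification since SVIDs are matched on the URI SAN rather than a DNS name.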
