How does Istio implement this point of the SPIFFE specification?


The SPIFFE specification states:

Since a workload in its early stages may have no prior knowledge of its identity or whom it should trust, it is very difficult to secure access to the endpoint. As a result, the SPIFFE Workload Endpoint SHOULD be exposed through a local endpoint, and implementers SHOULD NOT expose the same endpoint instance to more than one host.

Could you please explain what this means and how Istio implements it?

In fact, Istio mesh services adopt SPIFFE standard policies through Istio Security mechanisms, using the same identity document, the SVID. Istio Citadel is the key component that securely provisions the various identities and provides credential management.

In the near future it will be feasible to use a Node agent in the Istio mesh to discover the relevant services through the Envoy Secret Discovery Service (SDS) API; this approach is very similar to the SPIRE design.

The key concepts of the SPIRE design are described in the official documentation, which you can find below:

SPIRE consists of two components, an agent and a server.

The server provides a central registry of SPIFFE IDs, and the attestation policies that describe which workloads are entitled to assume those identities. Attestation policies describe the properties that the workload must exhibit in order to be assigned an identity, and are typically described as a mix of process attributes (such as a Linux UID) and infrastructure attributes (such as running in a VM that has a particular EC2 label).

The agent runs on any machine (or, more formally, any kernel) and exposes the local workload API to any process that needs to retrieve a SPIFFE ID, key, or trust bundle. On *nix systems, the Workload API is exposed locally through a Unix Domain Socket. By verifying the attributes of a calling workload, the workload API avoids requiring the workload to supply a secret to authenticate.

SPIRE is expected to become a major contributor to workload authentication mechanisms, but so far it is still under development, with the hope of implementing it in production deployments in the future.
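To make the two points in the answer concrete (the endpoint is local to one host, and the caller proves who it is by kernel-verified attributes rather than by presenting a secret), here is a small added example. It is not Istio's or SPIRE's code: it is a toy Workload API that listens only on a Unix domain socket, reads the peer's pid/uid/gid with SO_PEERCRED (Linux only), and matches those attributes against a constructed registry of attestation policies. The trust domain `example.org`, the SPIFFE IDs, the `REGISTRY` entries and the function names are all assumptions made for the demo.

```python
"""Toy local Workload API (added example, not SPIRE/Istio code).

Security points illustrated:
  * AF_UNIX only: the endpoint is reachable from this host, never from the network.
  * SO_PEERCRED: the kernel tells the server who connected, so the workload
    never has to hold or send a bootstrap secret.
  * Attestation policy: an identity is issued only if every selector matches.
"""
import json
import os
import socket
import struct
import tempfile
import threading

# Constructed registry: each entry is an attestation policy (selectors the
# caller must exhibit) plus the SPIFFE ID it is entitled to assume.
REGISTRY = [
    {"spiffe_id": "spiffe://example.org/demo/workload",
     "selectors": {"uid": os.getuid()}},            # whoever runs this demo
    {"spiffe_id": "spiffe://example.org/demo/root-only",
     "selectors": {"uid": 0, "gid": 0}},            # hypothetical root-only entry
]


def peer_credentials(conn):
    """Kernel-verified pid/uid/gid of the process on the other end (Linux)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return {"pid": pid, "uid": uid, "gid": gid}


def attest(registry, creds):
    """Return the first SPIFFE ID whose selectors all match the caller, else None."""
    for entry in registry:
        if all(creds.get(key) == value for key, value in entry["selectors"].items()):
            return entry["spiffe_id"]
    return None


def serve_once(path, registry, ready):
    """Bind a local-only socket, answer exactly one caller, then clean up."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)          # only this user's processes may even connect
    srv.listen(1)
    ready.set()                    # tell the client the endpoint is up
    conn, _ = srv.accept()
    with conn:
        creds = peer_credentials(conn)
        spiffe_id = attest(registry, creds)
        if spiffe_id is None:
            reply = {"error": "no identity"}
        else:
            reply = {"spiffe_id": spiffe_id, "pid": creds["pid"]}
        conn.sendall(json.dumps(reply).encode())
    srv.close()
    os.unlink(path)


def fetch_identity(path):
    """Client side: connect to the local endpoint and read the reply (no secret sent)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        return json.loads(client.recv(4096).decode())


def demo(registry=REGISTRY):
    """Run server and client in-process over a temporary socket path."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "workload.sock")
    ready = threading.Event()
    server = threading.Thread(target=serve_once, args=(path, registry, ready))
    server.start()
    ready.wait(5)
    reply = fetch_identity(path)
    server.join(5)
    os.rmdir(workdir)
    return reply


if __name__ == "__main__":
    print(demo())   # the calling uid matches the first entry -> demo/workload
```

The `selectors` dictionary plays the role of the attestation policy described in the quoted text: the caller supplies nothing, the kernel supplies the attributes, and the server decides. Exposing the same socket to a second host (for example by bind-mounting it into another machine's filesystem) would break the SO_PEERCRED assumption, which is why the specification says implementers should not do so.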