The Production Identity Control Plane - Recommended Practices for SPIFFE-SPIRE at Scale
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore recommended practices for implementing SPIFFE/SPIRE at scale in this 25-minute conference talk from KubeCon + CloudNativeCon Europe 2021. Dive into the concept of a "production identity control plane" and learn how to establish trusted bi-directional communication in distributed systems. Discover solutions for common identity challenges, including credential rotation, federation with other systems, and policy implementation. Gain insights on leveraging the identity control plane for service-to-service communication in complex, heterogeneous environments. Examine topics such as PKI/Auth pain points, SPIFFE and SPIRE components, trust domains, security boundaries, deployment strategies, and considerations for scaling your identity infrastructure.
Syllabus
Intro
Credits: Solving the Bottom Turtle Booksprint
Agenda
Solving for the Bottom Turtle
PKI/Auth Pain points in Modern Applicatio
Reasons to use SPIFFE and SPIRE
SPIFFE in a turtleshell
Trust domains
SPIRE Server
SPIRE Agent
SPIRE Plugin Architecture
Node attestation
Workload Attestation
Security Boundaries: Workload Agent
Security Boundaries: Agent Server
Security Boundaries: Server Server
Single Trust Domain Deployment
Single Trust Domain High Availability
Nested SPIRE Deployment
Federated SPIRE
Enabling software thru SPIFFE-Aware Prom
Automated Registration Entries
Independent Islands vs Bridged Islands
Other Considerations for Scale
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Office 365: Managing Identities and Services (Microsoft via edX)
Windows 10 Features for a Mobile Workforce: Identity Management and Data Access (Microsoft via edX)
Windows 10 pour l'entreprise (Microsoft Virtual Academy via OpenClassrooms)
Introduction to Microsoft Azure (Microsoft via edX)
Manage Office 365 Identities (Microsoft via edX)