Working Out SPIFFE Identity for Cilium CNI

Explore the integration of SPIFFE identity with Cilium CNI in this informative conference talk from KubeCon + CloudNativeCon Europe 2022. Dive into the world of identity-based authentication and authorization in cloud-native environments. Learn about the advantages of SPIFFE's standard-based identity solution and how it complements Cilium's eBPF-powered network policy enforcement. Discover design considerations, challenges, and extended use cases for integrating SPIFFE with Cilium. Compare identity marking and transport solutions, including k8s-labels, TCP Fast-Open, and certificates. Gain insights into the unique aspects of Cilium's integration compared to Calico's approach. Explore topics such as Envoy deployment models, API access security, TLS support, and the benefits of using SPIFFE for certificate management and integration with existing CA providers and Vault for secrets management.

Intro
Briefly about Cilium...
Cilium: Identity Aware
Components of Identity?
Our need for SPIFFE
Integration Challenges • Cilium deploys Envoy in Node-Singleton Model Does not use side-car model Advantages, Disadvantages?
Ensuring appropriate API access spiff
Upgrading to secure connections • TLS origination and termination support
Other perks of using SPIFFE • Integrated certificate management solution Integrates well with existing CA providers Nested SPIRE allows hard-isolation of resources • Readily integrates with Vault for secrets management • Active developer community
To sum up...
Credits
References