You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services.
SPIFFE spec recommends adding a unique identifier in the identity document.
In the case of Athenz, the identity document is a X.509 certificate and SPIFFE id is added in SanURI. Today ZTS adds a SPIFFE URI for service identity certificates and role certificates.
The current document is primarily concentrated on service identity certificates.
According to SPIFFE specification, SPIFFE URI takes a following format - spiffe://{trust_domain}/{path}
But SPIFFE specification does not mandate using a specific convention to represent identities.
Current convention adopted by Athenz:
Service identity certificate: spiffe://{athenz-domain}/sa/{athenz-service}
Role certificate: spiffe://{athenz-domain}/ra/{athenz-role}
The current SPIFFE naming convention satisfies the secure naming requirements, but the Istio community made a recommendation about the SPIFFE format involving using the trust domain of the SPIFFE URI.
Trust Domain Validation implementation in Istio rejects the requests from outside trust domains or if it's not in the TrustDomainAliases specified in the MeshConfig. So with the current convention, Istio service mesh would reject all requests coming from an Athenz service of a different domain than the target service’s Athenz domain, without further configuration.
To make using Istio service mesh simpler and easier, we can consider revising our SPIFFE trust domain convention.
The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services.
SPIFFE spec recommends adding a unique identifier in the identity document.
In the case of Athenz, the identity document is a X.509 certificate and SPIFFE id is added in SanURI. Today ZTS adds a SPIFFE URI for service identity certificates and role certificates.
The current document is primarily concentrated on service identity certificates.
According to SPIFFE specification, SPIFFE URI takes a following format - spiffe://{trust_domain}/{path}
But SPIFFE specification does not mandate using a specific convention to represent identities.
Current convention adopted by Athenz:
The current SPIFFE naming convention satisfies the secure naming requirements, but the Istio community made a recommendation about the SPIFFE format involving using the trust domain of the SPIFFE URI.
Istio relies on the following format:
Trust Domain Validation implementation in Istio rejects the requests from outside trust domains or if it's not in the TrustDomainAliases specified in the MeshConfig. So with the current convention, Istio service mesh would reject all requests coming from an Athenz service of a different domain than the target service’s Athenz domain, without further configuration.
To make using Istio service mesh simpler and easier, we can consider revising our SPIFFE trust domain convention.
According to the SPIFFE specification about trust domains, a trust domain represents a trust root of the system backed by cryptographic keys.
Recommended full SPIFFE URI format
Treat the company as a single trust domain - with a valid dns entry e.g. athenz.io
Service Certificates:
spiffe://{athenz-trust-domain}/ns/{namespace}/sa/{athenz-domain}.{athenz-service}
For non-k8s workloads (e.g. EC2 instances) use "default" as the namespace name
Some examples:
The text was updated successfully, but these errors were encountered: