
SPIRE

SPIRE (the SPIFFE Runtime Environment) is a production-ready implementation of the SPIFFE specifications.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md] It is commonly used to issue identities to workloads and integrates with platforms like Kubernetes and service meshes such as Istio via Envoy's [[Secret Discovery Service (SDS) API|SDS API]].^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]

In the context of service meshes, SPIRE can act as a Certificate Authority (CA).^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md] It manages the issuance of [[SVID]]s (SPIFFE Verifiable Identity Documents), allowing workloads to cryptographically verify their identity.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]

Components

  • SPIRE Server: The central component that issues identities.
  • SPIRE Agent: Runs on each node, attests the workloads, and serves workload identities to the workloads on that node.
  • k8s-workload-registrar: A plugin that syncs Kubernetes Pod data to SPIRE, enabling automatic workload registration.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]

Integration with Istio

When integrating with Istio, SPIRE serves as an external CA.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md] A critical deployment requirement is that SPIRE must be deployed before Istio to ensure proper socket injection.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]

The integration process generally involves:

  1. Deploying SPIRE using a configuration like spire-quickstart.yaml.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]
  2. Installing Istio with a specific profile (e.g., istio-spire-config.yaml) that connects the istio-agent to the SPIRE Agent.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]
  3. Deploying workloads with sidecar injection enabled, which allows the workload to fetch its identity document from SPIRE.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]
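As an added example (not code from the SPIRE or Istio projects), the checks a workload-side verifier applies to the identity document fetched in step 3: parse a SPIFFE ID strictly, require exactly one URI SAN in an X509-SVID, build the Istio-style ID (spiffe://<trust domain>/ns/<namespace>/sa/<service account>) a pod is expected to present, and authorize only allow-listed IDs inside the local trust domain. The trust domain example.org and the function names are assumptions.

```python
import re

# Assumed trust domain; the quickstart's actual value may differ.
TRUST_DOMAIN = "example.org"
# Trust domain is lowercase; path segments are [A-Za-z0-9._-], never empty, "." or "..".
_TD_RE = re.compile(r"^[a-z0-9._-]+$")
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def parse_spiffe_id(spiffe_id: str):
    """Return (trust_domain, path) or raise ValueError for a malformed SPIFFE ID."""
    if not spiffe_id.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    trust_domain, sep, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TD_RE.match(trust_domain):
        raise ValueError(f"bad trust domain: {trust_domain!r}")
    if sep and not path:
        raise ValueError("trailing slash is not allowed")
    segments = path.split("/") if path else []
    for seg in segments:  # an empty segment (from "//") also fails the regex
        if seg in (".", "..") or not _SEG_RE.match(seg):
            raise ValueError(f"bad path segment: {seg!r}")
    return trust_domain, ("/" + path if path else "")

def spiffe_id_from_uri_sans(uri_sans):
    """An X509-SVID carries exactly one URI SAN, its SPIFFE ID; reject anything else."""
    if len(uri_sans) != 1:
        raise ValueError(f"expected exactly one URI SAN, got {len(uri_sans)}")
    parse_spiffe_id(uri_sans[0])
    return uri_sans[0]

def istio_workload_id(namespace, service_account, trust_domain=TRUST_DOMAIN):
    """SPIFFE ID Istio expects a pod to present: spiffe://<td>/ns/<ns>/sa/<sa>."""
    spiffe_id = f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"
    parse_spiffe_id(spiffe_id)  # reject names that would produce a malformed ID
    return spiffe_id

def is_authorized(presented_id, allowed_ids, trust_domain=TRUST_DOMAIN):
    """Accept a peer only if its ID parses, is in our trust domain and is allow-listed."""
    try:
        td, _ = parse_spiffe_id(presented_id)
    except ValueError:
        return False
    return td == trust_domain and presented_id in allowed_ids

if __name__ == "__main__":
    # Constructed URI SAN list, as it would appear in a sidecar's X509-SVID.
    peer = spiffe_id_from_uri_sans(["spiffe://example.org/ns/default/sa/sleep"])
    print(peer, "authorized:", is_authorized(peer, {istio_workload_id("default", "sleep")}))
```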

Related

  • SPIFFE
  • [[Zero Trust Security]]
  • [[Mutual TLS (mTLS)]]

Sources

  • 400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md