SVID verification workflow
The SVID verification workflow is a process used to validate that workload identities are correctly issued by [[spire|SPIRE]] (SPIFFE Runtime Environment) rather than the default Istio CA, within a Kubernetes environment.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
This workflow typically occurs after deploying SPIRE and Istio with a custom configuration that enables Envoy's SDS API integration.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
Verification Process
The verification process involves extracting the certificate chain from a target workload's proxy and inspecting its contents to confirm the issuer.
- Identify the target pod: Determine the name of the Pod running the workload you wish to verify (e.g., the `sleep` service).^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
- Retrieve the certificate chain: Use the `istioctl proxy-config secret` command (or `istioctl pc secret`) to dump the current secret configuration of the Pod in JSON format.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
- Extract and decode the certificate: Parse the JSON output to isolate the `certificateChain.inlineBytes` field from the dynamic active secrets, then decode it from base64.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
- Inspect the issuer: Use a tool like `openssl` to read the decoded certificate and check the Subject field.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
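The four steps above, carried out end to end as an added example (not code from the Istio SPIRE sample or the README). It reproduces the `istioctl pc secret ... -o json` → base64 decode → `openssl x509 -text` pipeline with the Go standard library so it runs offline: the secret dump it reads is a constructed sample built in `ConstructedDump`, its JSON field names (`dynamicActiveSecrets`, `secret.tlsCertificate.certificateChain.inlineBytes`) and the secret name `default` are assumptions about the shape of Envoy's SDS dump, and the leaf certificate is self-signed only so the sample is self-contained. On a real cluster you would replace `ConstructedDump` with the bytes returned by `istioctl pc secret <pod> -o json`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// secretDump models only the part of the `istioctl proxy-config secret -o json`
// output the workflow needs. Field names are assumptions based on Envoy's SDS dump.
type secretDump struct {
	DynamicActiveSecrets []struct {
		Name   string `json:"name"`
		Secret struct {
			TLSCertificate struct {
				CertificateChain struct {
					InlineBytes string `json:"inlineBytes"`
				} `json:"certificateChain"`
			} `json:"tlsCertificate"`
		} `json:"secret"`
	} `json:"dynamicActiveSecrets"`
}

// ExtractChain isolates certificateChain.inlineBytes for the named secret
// (assumed "default" for the workload SVID) and base64-decodes it to PEM.
func ExtractChain(dump []byte, secretName string) ([]byte, error) {
	var d secretDump
	if err := json.Unmarshal(dump, &d); err != nil {
		return nil, err
	}
	for _, s := range d.DynamicActiveSecrets {
		if s.Name == secretName {
			return base64.StdEncoding.DecodeString(s.Secret.TLSCertificate.CertificateChain.InlineBytes)
		}
	}
	return nil, fmt.Errorf("secret %q not found in dump", secretName)
}

// LeafOrganizations parses the first PEM certificate (the workload's leaf SVID)
// and returns the Subject O and Issuer O values that `openssl x509 -text` prints.
func LeafOrganizations(chainPEM []byte) (subjectOrg, issuerOrg []string, err error) {
	block, _ := pem.Decode(chainPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("no CERTIFICATE block in chain")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	return cert.Subject.Organization, cert.Issuer.Organization, nil
}

// IssuedBySPIRE applies the README's success criterion: O = SPIRE in the Subject.
func IssuedBySPIRE(chainPEM []byte) (bool, error) {
	subj, _, err := LeafOrganizations(chainPEM)
	if err != nil {
		return false, err
	}
	for _, o := range subj {
		if o == "SPIRE" {
			return true, nil
		}
	}
	return false, nil
}

// ConstructedDump builds a sample dump around a self-signed leaf whose Subject
// carries the given Organization. Constructed test input, not real SDS output.
func ConstructedDump(org, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return json.Marshal(map[string]any{"dynamicActiveSecrets": []map[string]any{{
		"name": "default",
		"secret": map[string]any{"tlsCertificate": map[string]any{"certificateChain": map[string]any{
			"inlineBytes": base64.StdEncoding.EncodeToString(pemBytes)}}},
	}}})
}

func main() {
	dump, _ := ConstructedDump("SPIRE", "sleep-constructed")
	chain, err := ExtractChain(dump, "default")
	if err != nil {
		panic(err)
	}
	subj, iss, _ := LeafOrganizations(chain)
	ok, _ := IssuedBySPIRE(chain)
	fmt.Printf("Subject O=%v Issuer O=%v issued-by-SPIRE=%v\n", subj, iss, ok)
}
```

Checking both Subject O and Issuer O, rather than the Subject alone, is the useful refinement: a workload certificate issued by the default Istio CA carries neither, so a negative result on either field is the signal that the SDS integration is not wired to SPIRE.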
Example Validation
When using `openssl x509 -in <cert_file> -text`, successful verification is indicated by finding SPIRE in the certificate's details.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]
For example, the Subject line should reflect the Organization (O) as SPIRE:
Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt
Sources
400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md