The SPIFFE (Secure Production Identity Framework For Everyone) specification defines a standard to authenticate software services in cloud native environments through the use of platform-agnostic, cryptographic identities. SPIRE (the SPIFFE Runtime Environment) is the code that implements the SPIFFE specification on a wide variety of platforms and enforces multi-factor attestation for the issuance of identities. In practice, this reduces the reliance on hard-coded secrets when authenticating application services.
“The underpinning of zero trust is authenticated identity,” said Andrew Harding, SPIRE maintainer and principal software engineer at Hewlett Packard Enterprise. “SPIFFE standardizes how cryptographic, immutable identity is conveyed to a workload. SPIRE leverages SPIFFE to help organizations automatically authenticate and deliver these identities to workloads spanning cloud and on-premise environments. CNCF has long understood the transformational value of these projects to the cloud native ecosystem, and continues to serve as a great home for our growing community.”
The projects are used by and integrated with multiple cloud native technologies, including Istio and the CNCF projects Envoy, gRPC, and Open Policy Agent (OPA). SPIFFE and SPIRE also provide the basis for cross-authentication between Kubernetes-hosted workloads and workloads hosted on any other platform.
“Most traditional network-based security tools were not designed for the complexity and sheer scale of microservices and cloud-based architectures,” said Justin Cormack, security lead at Docker and TOC member. “This makes a standard like SPIFFE, and the SPIRE runtime, essential for modern application development. The projects have shown impressive growth since entering the CNCF sandbox, adding integrations and support for new projects, and showing growing adoption.”
Since joining CNCF, the projects have grown in popularity and have been deployed by notable companies such as Bloomberg, Bytedance, Pinterest, Square, Uber, and Yahoo Japan. SPIRE has a thriving developer community, with an ongoing flow of commits and merged contributions from organizations such as Amazon, Bloomberg, Google, Hewlett Packard Enterprise, Pinterest, Square, TransferWise, and Uber.
Since admittance into CNCF as a sandbox level project, SPIRE has added the following key features:
- Support for bare metal, AWS, GCP, Azure and more
- Integrations with Kubernetes, Docker, Vault, MySQL, Envoy, and more
- Support for both nested and federated SPIRE deployment topologies
- Support for JWT-based SPIFFE identities, in addition to X.509 documents
- Horizontal server scaling with client-side load balancing and discovery
- Support for authenticating against OIDC-compatible validators
- Support for non-SPIFFE-aware workloads
“SPIFFE and SPIRE address a gap that has existed in security by enabling a modern standardized form of secure identity for cloud native workloads,” said Chris Aniszczyk, CTO/COO of Cloud Native Computing Foundation. “We are excited to work with the community to continue to evolve the specification and implementation to improve the overall security of our ecosystem.”
Earlier this year, the CNCF SIG Security conducted a security assessment of SPIFFE and SPIRE. They did not find any critical issues and commended the projects' design with respect to security. SPIFFE and SPIRE have made a significant impact and play a pivotal role in enabling a more secure cloud native ecosystem.
“In addition to mitigating the risk of unauthorized access in the case of a compromise, a strong cryptographically-proven identity reduces the risk of bad configuration. It’s not uncommon for developers to try to test against production, which can be dubious,” said Tyler Julian, security engineer at Uber and SPIRE maintainer. “You have proof. You have cryptographic documents to prove who the service is. In reducing the amount of trust in the system, you reduced your assumption of behavior. Both good for the reliability of your system and the security of the data.”
“At Square, we have heterogeneous platforms that take advantage of cloud native technologies like Kubernetes and serverless offerings, as well as traditional server-based infrastructure,” said Matthew McPherrin, security engineer at Square and SPIRE maintainer. “SPIFFE and SPIRE are enabling us to build a shared service identity, underlying our Envoy service mesh that spans multiple datacenters and cloud providers in an interoperable way.”
Joining CNCF incubation-level projects like OpenTracing, gRPC, CNI, Notary, NATS, Linkerd, Rook, etcd, OPA, CRI-O, TiKV, CloudEvents, Falco, Argo, and Dragonfly, SPIFFE and SPIRE are part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach.
Every CNCF project has an associated maturity level: sandbox, incubating, or graduated. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria v.1.3. SPIFFE and SPIRE entered the CNCF sandbox in March 2018.
To learn more about SPIFFE and SPIRE, visit spiffe.io.