Overview: Implement a cross-cloud identity framework with SPIFFE/Spire on OpenShift
Zero Trust is becoming the norm as organizations look to enhance the security posture of their workloads in cloud environments. A core principle of the zero trust approach is the ability to prove and verify the identity of every entity, whether it sits inside or outside the organization's security perimeter. This requires solutions that bind identities to workloads and deployments and that authorize and grant access only when required.
Red Hat OpenShift, as well as upstream Kubernetes, supports methods for assigning identities to applications running on the platform. OpenShift integrates with several cloud providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, to consume workload identities provided by the identity and access management (IAM) solution of each cloud provider. However, this becomes a challenge in hybrid cloud environments, where each cloud provider has its own identity solution with varying support for workload identity federation, different definitions of workload identity, differing interpretations of those identities, and no simple way to establish universal trust relationships. Even more difficult is operating within environments that offer no support for establishing workload identities at all, such as a physical datacenter.
For organizations seeking a single identity framework across their hybrid cloud environments, the SPIFFE (Secure Production Identity Framework For Everyone) and SPIRE (SPIFFE Runtime Environment) framework provides a single root of trust that can be associated with workloads across on-premises and cloud platforms.
In this learning path, we will explain how you can integrate the SPIFFE/SPIRE framework with OpenShift to address your workload identity concerns. We will provide an introductory use case that demonstrates the benefits of the SPIFFE/SPIRE framework and discuss how you can extend the framework beyond this use case for securing your platform and applications.
This learning path is a collaboration between members of the IBM Research and Red Hat teams. We intend to not only demonstrate upstream SPIFFE/SPIRE capabilities with the OpenShift platform, but also help solve real-world customer concerns around workload identity.
Prerequisites:
- A GitHub account.
- Cloud resources:
  - An OpenShift 4.13 or higher environment (in our example, we used IBM Cloud ROKS).
  - The ability to manage AWS IAM.
- Additional utilities to facilitate the deployment and configuration:
  - git
  - helm
  - kubectl or oc
  - aws command-line interface (CLI)
  - openssl
  - sed
  - envsubst (included in most Linux distributions and installable on macOS with Homebrew using the brew install gettext command)
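Before starting the deployment it is worth confirming that every tool in the list above is actually on the PATH. The following script is an added example and not part of the learning path: it checks the tools named in the prerequisites, accepts either kubectl or oc, and, when oc is present, checks that its client version is at least the 4.13 minimum stated above. The assumption that oc version --client prints a line beginning "Client Version: " is the script's, not the page's.

```shell
#!/bin/sh
# Added example (not from the learning path): verify that the prerequisite
# command-line tools are installed before starting the deployment.
# Tool names and the 4.13 minimum come from the prerequisites list; the
# format of the oc version output is an assumption.

# Returns 0 if the named command is on PATH, 1 otherwise.
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Prints whether one tool is present; returns 0 when found, 1 when missing.
report_tool() {
    if check_tool "$1"; then
        printf 'ok       %s\n' "$1"
        return 0
    fi
    printf 'MISSING  %s\n' "$1"
    if [ "$1" = "envsubst" ]; then
        echo "         (on macOS: brew install gettext)"
    fi
    return 1
}

# Returns 0 if version "$1" (e.g. 4.14.3) is at least "$2" (e.g. 4.13),
# comparing major.minor only. Used for the oc client version.
version_at_least() {
    v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
    m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%.*}
    [ "$v_major" -gt "$m_major" ] && return 0
    [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]
}

# Runs the full prerequisite check; returns the number of missing tools.
check_prerequisites() {
    missing=0
    for tool in git helm aws openssl sed envsubst; do
        report_tool "$tool" || missing=$((missing + 1))
    done
    # kubectl or oc: either one satisfies the requirement.
    if check_tool oc || check_tool kubectl; then
        echo "ok       kubectl or oc"
    else
        echo "MISSING  kubectl or oc"
        missing=$((missing + 1))
    fi
    # If oc is present, report whether its client version meets 4.13.
    # Assumes 'oc version --client' prints a line like "Client Version: 4.14.3".
    if check_tool oc; then
        ocv=$(oc version --client 2>/dev/null | sed -n 's/^Client Version: *//p' | head -n1)
        if [ -n "$ocv" ] && version_at_least "$ocv" 4.13; then
            echo "ok       oc client $ocv (>= 4.13)"
        else
            echo "warn     oc client version '$ocv' could not be confirmed >= 4.13"
        fi
    fi
    return "$missing"
}

# Usage: source this file and run check_prerequisites, or run it directly.
# check_prerequisites || echo "$? prerequisite(s) missing"
```

The script deliberately stops at "is the tool present" rather than pinning versions for git, helm or the aws CLI, because the page states a minimum only for OpenShift; add further version checks to version_at_least if your environment requires them.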
In this learning path, you will:
- Learn about cross-cloud workload identity and its challenges.
- Achieve cross-cloud workload identity with SPIRE and Tornjak on OpenShift.
- Deploy and configure a practical use case.