Cross-cloud identity framework with SPIFFE/Spire on OpenShift

Learning path | 5 resources | Published on July 16, 2024
Mariusz Sabath Andrew Block Trilok Geer Anjali Telang

Address cross-cloud identity challenges with SPIFFE/SPIRE on OpenShift by deploying and working with applications in a no-cost OpenShift cluster.

Access the Developer Sandbox

  1. Overview: Implement a cross-cloud identity framework with SPIFFE/Spire on OpenShift
  2. Achieve cross-cloud identity on OpenShift with SPIRE and Tornjak Page
  3. Install SPIRE on standard OpenShift or IBM Cloud OpenShift clusters Page
  4. Configure AWS services Page
  5. Access AWS S3 from a sample application Page

Overview: Implement a cross-cloud identity framework with SPIFFE/Spire on OpenShift

SPIFFE_SPIRE_feature_image

Zero Trust is becoming a norm as organizations look to enhance the security posture of their workloads in cloud environments. A core principle of the zero trust approach is the ability to prove and verify identity for all–whether these entities are inside or outside the organization’s security perimeter. This necessitates solutions that ensure identities are associated with workloads and deployments and access is authorized and granted only when required.

Red Hat OpenShift, as well as upstream Kubernetes, supports methods for assigning identities to applications running on the platform. OpenShift integrates with several cloud providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, to consume workload identities provided by the identity and access management (IAM) solution of these cloud providers. However, this becomes a challenge in hybrid cloud environments where each cloud provider has their its identity solution with varying support for workload identity federation, different definitions of workload identities, identity interpretation issues, and difficulty establishing universal trust relationships. Even more difficult is operating within environments where there is no support that establishes workload identities whatsoever, such as a physical datacenter.

For organizations seeking a single identity framework across their hybrid cloud environments, the SPIFFE (Secure Production Identity Framework For Everyone) and SPIRE (SPIFFE Runtime Environment) framework provides a single root of trust that can be associated with workloads across on-premise and cloud platforms.

In this learning path, we will explain how you can integrate the SPIFFE/SPIRE framework with OpenShift to address your workload identity concerns. We will provide an introductory use case that demonstrates the benefits of the SPIFFE/SPIRE framework and discuss how you can extend the framework beyond this use case for securing your platform and applications. 

This learning path is a collaboration between members of the IBM Research and Red Hat teams. We intend to not only demonstrate upstream SPIFFE/SPIRE capabilities with the OpenShift platform, but also help solve real-world customer concerns around workload identity.

Prerequisites:

  • A GitHub account.
  • Cloud resources:
    • An OpenShift 4.13 or higher environment (in our example, we used IBM Cloud ROKS
    • The ability to manage AWS IAM. 
  • Additional utilities to facilitate the deployment and configuration
    • git
    • helm
    • kubectl or oc 
    • aws command-line interface (CLI)
    • openssl 
    • sed
    • envsubst (included in most Linux distributions and installable on macOS with Homebrew using the brew install gettext command)

In this learning path, you will:

  • Learn about cross-cloud workload identity and its challenges.
  • Achieve cross-cloud workload identity with SPIRE and Tornjak on OpenShift.
  • Deploy and configure a practical use case.