2024-07-30 Meeting notes

  • TODO (from last week's call)
    • Nail down the SPIFFE ID format
    • Registration of the SVIDs - package variants / Secrets schema?
    • Tornjak for Nephio?

Discussion items

40m - Update from last week's TODOs - Prashant, Shiv
  • Shared overview of workload reconciler in management cluster
  • SPIRE agent installed on all nodes via DaemonSet - how is registration of new nodes handled at scale?
    • The SA token is applied to the SPIRE agent, and each node knows which cluster it is part of - all nodes in a cluster are then "detected" by the workload reconciler using the same cluster ID
  • The spire-bundle is held in a ConfigMap so the SPIRE agents can talk to the SPIRE server
  • Currently all nodes in a cluster have the same SPIFFE ID, but this can be changed; the ID can be per cluster, namespace, node or workload - a separate deep dive is needed on this
  • Wim will share notes or a link on how to request a token with restricted permissions from the workload cluster instead of using a kubeconfig

Demo - Prashant, Shiv
  • Should not be possible to spoof the SPIFFE ID - SPIRE OIDC verifies JWTs from Vault
  • Q from Wim - is there some sort of consistency check to avoid the SVID being spoofed if the token / key has been accessed? The default expiry of the JWT is 5 minutes, which is the main mitigation.
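Two items from these notes, the open TODO on the SPIFFE ID format (per cluster, namespace, node or workload) and Wim's question on spoofing with the 5-minute JWT expiry as the main mitigation, are illustrated by the following added example. It is not Nephio or SPIRE code: the trust domain nephio.example, the /cluster/.../ns/.../node/.../sa/... path layout and the sample token are constructed for the example. The ID syntax rules are those of the SPIFFE ID standard, and the claim checks assume the token's signature was already verified against the SPIRE server's JWKS (the OIDC step the demo relies on); they only enforce the claim policy on top of that.

```python
"""SPIFFE ID format and JWT-SVID claim checks (added example, not Nephio or SPIRE code).

The trust domain "nephio.example" and the /cluster/<c>/ns/<ns>/node/<n>/sa/<sa>
path layout are assumptions; the syntax rules follow the SPIFFE ID standard.
"""
import base64
import json
import re
import time
from typing import Optional, Tuple

# SPIFFE ID standard: the trust domain uses lowercase letters, digits, '.', '-', '_';
# path segments use letters, digits, '.', '-', '_' and may not be "." or "..".
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_SPIFFE_ID_LEN = 2048
DEFAULT_JWT_TTL = 300  # SPIRE's default JWT-SVID TTL of 5 minutes, as noted in the meeting


def validate_spiffe_id(spiffe_id: str) -> bool:
    """Return True if spiffe_id is syntactically valid per the SPIFFE ID standard."""
    if len(spiffe_id) > MAX_SPIFFE_ID_LEN or not spiffe_id.startswith("spiffe://"):
        return False
    trust_domain, sep, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.match(trust_domain):
        return False
    if not sep:
        return True  # a bare trust domain ID such as spiffe://nephio.example is valid
    if path == "":
        return False  # a trailing slash is not allowed
    return all(seg not in ("", ".", "..") and _SEGMENT.match(seg) for seg in path.split("/"))


def spiffe_id_for(trust_domain: str, cluster: str, namespace: Optional[str] = None,
                  node: Optional[str] = None, service_account: Optional[str] = None) -> str:
    """Build an ID at the chosen granularity (cluster, namespace, node, workload).

    The path layout is an assumption for this example; the meeting left the real
    layout as a TODO. Raises ValueError if any segment is not allowed.
    """
    segments = ["cluster", cluster]
    for label, value in (("ns", namespace), ("node", node), ("sa", service_account)):
        if value is not None:
            segments += [label, value]
    spiffe_id = f"spiffe://{trust_domain}/" + "/".join(segments)
    if not validate_spiffe_id(spiffe_id):
        raise ValueError(f"not a valid SPIFFE ID: {spiffe_id}")
    return spiffe_id


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_jwt_svid_claims(token: str, expected_audience: str, trust_domain: str,
                          now: Optional[float] = None, max_ttl: int = DEFAULT_JWT_TTL) -> Tuple[bool, str]:
    """Claim policy for a JWT-SVID whose signature was ALREADY verified (the OIDC/JWKS step).

    Checks: sub is a SPIFFE ID in our trust domain, the audience matches, the token
    has not expired, and its lifetime does not exceed the 5-minute policy.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        claims = None
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    sub = claims.get("sub", "")
    if not isinstance(sub, str) or not validate_spiffe_id(sub) or not sub.startswith(f"spiffe://{trust_domain}/"):
        return False, "sub is not a SPIFFE ID in our trust domain"
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or expected_audience not in aud_list:
        return False, "audience mismatch"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    if isinstance(iat, (int, float)) and exp - iat > max_ttl:
        return False, "lifetime exceeds policy"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Constructed sample JWT with a placeholder signature; only the claims are exercised here."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    now = 1_700_000_000
    sub = spiffe_id_for("nephio.example", "edge-1", namespace="default", service_account="reconciler")
    token = make_sample_token({"sub": sub, "aud": ["vault"], "iat": now, "exp": now + 300})
    print(sub)
    print(check_jwt_svid_claims(token, "vault", "nephio.example", now=now + 60))   # within TTL
    print(check_jwt_svid_claims(token, "vault", "nephio.example", now=now + 301))  # past the 5 minutes
```

The granularity chosen in the deep dive decides what one leaked token can stand for: with IDs derived from cluster and namespace only, every workload in that namespace shares one identity, whereas a per-service-account path narrows the blast radius. The `exp`/`iat` check is what the 5-minute default buys, and the `max_ttl` policy rejects tokens minted with a longer lifetime than the deployment expects.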

Action items
