2024-07-30 Meeting notes

Date

30 Jul 2024

TODO (from last weeks call)
- Nail down the SPIFFE ID format
- Registration of the SVIDs - package variants / Secrets schema ?
- Tornjak for Nephio ?

Time	Item	Who	Notes
40m	Update from last weeks TODOs	Prashant, Shiv	Shared overview of workload reconciler in management cluster SPIRE agent installed on all nodes via DaemonSet - how is registration of new nodes handled at scale? The SA token is applied to SPIRE agent, and each node knows which cluster it is part of - all nodes in a cluster are then "detected" by the workload reconciler using same cluster ID spire-bundle is contained in a configmap for the spire agents to talk to the spire server Currently all nodes in a cluster have the same SPIFFE ID but this can be changed - separate deep dive needed on this - can be per cluster, namespace, node, workload Wim will share notes or link on how to request a token with restricted permissions from the workload cluster instead of using kubeconfig
	Demo	Prashant, Shiv	Should not be possible to spoof the SPIFFE ID - Spire OIDC verifies JWTs from Vault Q from Wim - is there some sort of consistency check to avoid SVID being spoofied if the token / key has been accessed. Default expiry of JWT is 5 minutes, which is the main mitigation.