2024-07-30 Meeting notes

Date

Jul 30, 2024 

Attendees

  • @Tom Kivlin 

  • @Prashant 

  • @Byung-Woo Jun 

  • @Shiv Bhagavatula 

  • @Wim Henderickx 

Goals

  • TODO (from last week's call)

    • Nail down the SPIFFE ID format

    • Registration of the SVIDs: package variants / Secrets schema?

    • Tornjak for Nephio?

Discussion items

Time

Item

Who

Notes

40m

Update from last week's TODOs

Prashant, Shiv

  • Shared overview of workload reconciler in management cluster

  • SPIRE agent is installed on all nodes via a DaemonSet; how is registration of new nodes handled at scale?

    • The SA token is applied to the SPIRE agent, and each node knows which cluster it is part of; all nodes in a cluster are then "detected" by the workload reconciler using the same cluster ID

  • spire-bundle is contained in a ConfigMap so that the SPIRE agents can talk to the SPIRE server

  • Currently all nodes in a cluster have the same SPIFFE ID, but this can be changed (a separate deep dive is needed); the ID can be per cluster, namespace, node or workload

  • Wim will share notes or a link on how to request a token with restricted permissions from the workload cluster instead of using a kubeconfig
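Worked example for the per-cluster / namespace / node / workload ID options noted above. This is added example code, not from the meeting or the Nephio project: it builds hierarchical SPIFFE IDs in an assumed layout (cluster/<c>/ns/<ns>/node/<n>/workload/<w>, one option among those the format discussion left open), validates them against the SPIFFE ID specification's trust-domain and path rules, and parses them back. The trust domain example.org and all level values are constructed.

```python
"""Build, validate and parse hierarchical SPIFFE IDs (added example, not Nephio
code). The path layout cluster/<c>/ns/<ns>/node/<n>/workload/<w> is one assumed
option for the format the meeting left open; character rules follow the SPIFFE
ID spec."""
import re
from typing import Dict, Optional

MAX_LEN = 2048  # spec: an ID is at most 2048 bytes
_TD_RE = re.compile(r"^[a-z0-9._-]+$")       # trust domain: lowercase, no port/userinfo
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # allowed path-segment characters
LEVELS = ("cluster", "ns", "node", "workload")  # assumed hierarchy, outer to inner


def validate(spiffe_id: str) -> bool:
    """True only if spiffe_id is well-formed per the SPIFFE ID spec."""
    if len(spiffe_id.encode()) > MAX_LEN or not spiffe_id.startswith("spiffe://"):
        return False
    td, sep, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TD_RE.match(td) or (sep and (path == "" or path.endswith("/"))):
        return False  # bad trust domain, or a bare/trailing slash
    segs = path.split("/") if path else []
    return all(s not in (".", "..") and _SEG_RE.match(s) for s in segs)


def build(trust_domain: str, **parts: str) -> str:
    """Build an ID from the given levels, emitted in LEVELS order: cluster+node
    for a node identity, cluster+ns+workload for a workload identity, etc."""
    bad = [k for k, v in parts.items() if k not in LEVELS or not _SEG_RE.match(v)]
    if bad:
        raise ValueError(f"unknown level or bad value: {bad}")
    path = "/".join(f"{lvl}/{parts[lvl]}" for lvl in LEVELS if lvl in parts)
    sid = f"spiffe://{trust_domain}/{path}"
    if not validate(sid):
        raise ValueError(f"not a valid SPIFFE ID: {sid}")
    return sid


def parse(spiffe_id: str) -> Optional[Dict[str, str]]:
    """Inverse of build; None if the ID is malformed or not in the assumed layout."""
    if not validate(spiffe_id):
        return None
    td, _, path = spiffe_id[len("spiffe://"):].partition("/")
    segs = path.split("/") if path else []
    if len(segs) % 2:
        return None
    out, last = {"trust_domain": td}, -1
    for key, val in zip(segs[::2], segs[1::2]):
        if key not in LEVELS or LEVELS.index(key) <= last:
            return None  # unknown level, repeated, or out of order
        last, out[key] = LEVELS.index(key), val
    return out
```

A registration entry per level can then be derived from parse() output, and any ID a workload presents that fails validate() or parse() is rejected before it is matched against entries.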



Demo

Prashant, Shiv

  • It should not be possible to spoof the SPIFFE ID: SPIRE OIDC verifies the JWTs from Vault

  • Q from Wim: is there some sort of consistency check to avoid the SVID being spoofed if the token / key has been accessed? The default expiry of the JWT is 5 minutes, which is the main mitigation.



Action items