Workload Identity Part 2: How Cilium Implements Its Mutual Auth Leveraging SPIFFE and SPIRE

The classic mTLS implementation using sidecars is resource-intensive, slow, and poorly suited to microservices. Cilium's approach is to do away with sidecars and instead leverage eBPF, which provides native performance. It has also split mTLS's traditional mutual authentication and encryption into separate features that users can opt into individually based on their requirements. To manage workload identities and their short-lived certificates, Cilium has embraced SPIFFE and SPIRE. In this episode, we take a deep dive into how Cilium has achieved this integration and how its lightweight pod mutual authentication works.

Video script files:
https://github.com/gary-RR/myYouTube_video_Cilium_Mutual_auth

Timecodes
0:00 - Intro.
1:51 - Overview of classic mTLS.
10:34 - Cilium's vision for mTLS and channel encryption.
15:46 - SPIFFE Overview.
20:14 - SPIRE architecture.
22:39 - Kubernetes/Cilium/SPIRE Integration to implement Cilium's Mutual Auth.
39:57 - Demos.

My other videos:
►Workload Identity Part 1: Introduction to SPIFFE and SPIRE - YouTube
► Encrypt Client Communication to Kubernetes Services Leveraging Cert-Manage and Let’s Encrypt
https://youtu.be/pXEFZYl2Gu0
►Kubernetes Security, Part 4: Kubernetes Authentication (Part B: Open ID Connect Auth)
https://youtu.be/M9KABid_sCY
►Kubernetes Security, Part 3: Kubernetes Auth (Part A: Overview and X509 Client Certificate auth)
https://youtu.be/WZvPIoUyErM
►Kubernetes Security, Part 2: Managing POD Run Time Security
https://youtu.be/NNE9whCTp0g
► Istio Ambient Service Mesh
https://youtu.be/WPLVvwPGJvw
► Kubernetes Security, Part 1: Kubernetes Security Overview and Role-Based Access Control (RBAC) in Detail
https://youtu.be/Qwkix9z8ywU
► Cilium Service Mesh
https://www.youtube.com/watch?v=-o6E8bYj-xw
► Cilium Kubernetes CNI Provider: Part 4, IP Routing Modes (Direct and Encapsulated)
https://youtu.be/j2aox7K-7wU
► Cilium Kubernetes CNI Provider, Part 3: Cluster Mesh
https://youtu.be/gkrPt0ZcCfo
►Cilium Kubernetes CNI Provider, Part 2: Security Policies and Observability Leveraging Hubble
https://youtu.be/5EcVrm01rAU
► Cilium Kubernetes CNI Provider, Part 1: Overview of eBPF and Cilium and the Installation Process
https://youtu.be/aLq3O3l2LF4
► What is VXLAN and How is it used as an Overlay Network in Kubernetes?
https://youtu.be/WMLSD2y2Ig4
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 2- Join Linux Machines to AD:
https://youtu.be/1tgqdz3lw-k
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 1- Setup AD:
https://youtu.be/ftxxO381-_Q
► Sharing Resources between Windows and Linux:
https://youtu.be/MzHX6eUlZfs
► Kubernetes kube-proxy Modes: iptables and ipvs, Deep Dive:
https://youtu.be/lkXLsD6-4jA
►Kubernetes: Configuration as Data: Environment Variables, ConfigMaps, and Secrets:
https://youtu.be/mjcNIaRDAsc
►Configuring and Managing Storage in Kubernetes:
https://youtu.be/U11YjaRvCd4
► Istio Service Mesh – Securing Kubernetes Workloads:
https://youtu.be/GFXjlPBsykM
► Istio Service Mesh – Intro
https://youtu.be/x_HRl-Ehvb8
► Understanding Kubernetes Networking. Part 6: Calico Network Policies:
https://youtu.be/sxB9-td1-F8
► Understanding Kubernetes Networking. Part 5: Intro to Kubernetes Network Policies:
https://youtu.be/vjhA9TJWw-k
► Understanding Kubernetes Networking. Part 4: Kubernetes Services:
https://youtu.be/BZk2HUKsxAQ
► Understanding Kubernetes Networking Part 3: Calico Kubernetes CNI Provider in depth:
https://youtu.be/vOo__3GqyxM
► Understanding Kubernetes Networking. Part 2: POD Network, CNI, and Flannel CNI: Plug-in:
https://www.youtube.com/watch?v=U35C0EPSwoY
►Understanding Kubernetes Networking. Part 1: Container Networking:
https://www.youtube.com/watch?v=ApeX6IAOfOc
► Setup a Linux-Windows (Calico-based) Hybrid Kubernetes Cluster to Host .NET Containers:
https://youtu.be/DMKS43POa5s
► A Docker and Kubernetes tutorial for beginners:

Video "Workload Identity Part 2: How Cilium Implements Its Mutual Auth Leveraging SPIFFE and SPIRE" from the channel The Learning Channel
Video information
October 25, 2023, 4:01:45
01:03:51