A Kubernetes Controller manager which facilitates the registration of workloads and establishment of federation relationships.
The ClusterSPIFFEID resource is a cluster scoped CRD that describes the shape of the identity that is applied to workloads, as well as selectors that describe which workloads the identity applies to.
The ClusterFederatedTrustDomain resource is a cluster scoped CRD that describes a federation relationship for the cluster.
To facilitate workload registration, the SPIRE Controller Manager registers controllers against Pod and ClusterSPIFFEID resources.
When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing Pods and ClusterSPIFFEID resources which apply to those pods. It creates, updates, and deletes entries on SPIRE server as appropriate to match the declared state.
To facilitate federation, the SPIRE Controller Manager registers a controller against ClusterFederatedTrustDomain resources.
When changes are detected on these resources, a federation relationship reconciliation process is triggered. This process determines which SPIRE federation relationships should exist based on the existing ClusterFederatedTrustDomain resources. It creates, updates, and deletes federation relationships as appropriate to match the declared state.
The SPIRE Controller Manager is designed to be deployed in the same pod as the SPIRE Server. It communicates with the SPIRE Server API using a private Unix Domain Socket within a shared volume. It requires configuration for the environment where it is being deployed.
The demo includes sample configuration for deploying the SPIRE Controller Manager, SPIRE, and the SPIFFE CSI driver, including requisite RBAC and Webhook configuration.
Define a ClusterSPIFFEID that applies to the workload pod.
Adjust the ClusterSPIFFEID selectors.
Check the ClusterSPIFFEID status for entry render failures. Check logs to determine why the rendering failed.
Check logs for API failures talking to SPIRE Server.
Define a ClusterFederatedTrustDomain for the target trust domain.
Ensure each ClusterFederatedTrustDomain resource has a unique trust domain. When several resources declare the same trust domain, the controller honours only the oldest one and ignores the rest.
Check the ClusterSPIFFEID for the workload. The federatesWith field must include the federated trust domain.
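The two resources involved in the federation checks above, as an added example manifest that is not part of the project's documentation; the resource names, the `payments` namespace and labels, and the `partner.example` trust domain and bundle endpoint are placeholder assumptions:

```yaml
# Added example, not from the project's docs. Names, labels, the
# partner.example trust domain and its bundle endpoint are placeholders.
#
# 1. Declare the federation relationship exactly once per trust domain.
#    A second ClusterFederatedTrustDomain for partner.example would be
#    ignored in favour of the oldest one, so keep one resource per domain.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterFederatedTrustDomain
metadata:
  name: partner
spec:
  trustDomain: partner.example
  bundleEndpointURL: https://bundle.partner.example:8443
  bundleEndpointProfile:
    # https_spiffe pins the bundle endpoint to a SPIFFE ID instead of a
    # public web PKI certificate.
    type: https_spiffe
    endpointSPIFFEID: spiffe://partner.example/spire/server
---
# 2. Shape the identity and select which workloads receive it. The
#    federatesWith list must name the trust domain declared above, or the
#    rendered SPIRE entry will not carry the partner bundle and the workload
#    cannot validate peers from partner.example.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: payments-api
spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  # Narrow the selectors: a ClusterSPIFFEID with no selectors matches
  # every pod in the cluster.
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: payments
  podSelector:
    matchLabels:
      app: payments-api
  federatesWith:
    - partner.example
```

After applying, inspect the ClusterSPIFFEID status (`kubectl get clusterspiffeid payments-api -o yaml`) for entry render failures before turning to the controller logs.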
Vulnerabilities can be reported by sending an email to security@spiffe.io. A confirmation email will be sent to acknowledge the report within 72 hours. A second acknowledgement will be sent within 7 days when the vulnerability has been positively or negatively confirmed.