Can SPIFFE/SPIRE Server be installed on GKE's any node? If yes, one node out of other nodes in cluster will have server and agents both installed. Is it required to have agent running on that node also who is running SPIRE Server?
Please explain.
Asked
Active
Viewed 311 times
0
Edwin Buck
- 69,361
- 7
- 100
- 138
Dean Winchester
- 352
- 3
- 7
-
Have you checked this tutorial https://spiffe.io/spire/try/getting-started-k8s/ ? – Serhii Rohoza Feb 06 '20 at 12:15
-
Yes. Its just tells about installation of SPIRE on kubernetes. I had posted this question on SPIRE slack as well and I have got response there. Posting the same as a answer. – Dean Winchester Feb 06 '20 at 18:24
2 Answers
1
As per the comment received on SPIRE Slack
On GKE (and other hosted k8s) you only get worker nodes, so there's no way to deploy to the master anyway. But, In the end, there's pluses (potential security) and minuses (scalability) to running SPIRE server on the master. In practice it's probably less likely than likely, but it's a fair debate. Typically, you would deploy SPIRE server as a StatefulSet to some number of nodes consistent with scalability and availability goals, and deploy SPIRE agent as a DaemonSet where it's going to run on every node in the cluster. Unless you are doing some very specific targeted deployments via the k8s scheduler, such as separate node pools or subsets of nodes scheduled via label selectors for very specific use-cases (where you won't run any SPIFFE workloads), that's the way I'd approach it - put SPIRE agent on all nodes so it's available for all workloads.
Dean Winchester
- 352
- 3
- 7
0
There is no need to run the SPIRE server in the Kubernetes management plane, or on the Kubernetes management nodes.
Run your SPIRE Server(s) on the worker nodes, ensuring you have a sufficient number of Servers to meet your fault tolerance needs. Use a Kubernetes Service object to distribute your SPIRE agent's connections across your server pool.
Edwin Buck
- 69,361
- 7
- 100
- 138