
I'm in the process of vetting a move to service mesh. While Istio and Consul Connect are certainly still in the cards, I'm leaning towards building up from a bit lower level with Linkerd and SPIFFE/SPIRE.

I want to build a 'hello world' mesh to test this architecture out. In this hello world mesh, I'd like to be able to issue certificates from SPIFFE/SPIRE that encode some kind of role. As you can probably tell, I'm new to service meshes. How would I implement roles? Are there any guides out there to help get me started?

Edwin Buck
lmonninger

2 Answers


So there isn't any kind of integration with Linkerd and SPIFFE/SPIRE. As of right now there isn't any particular plan for an integration but you can see the existing issue for more details. The next release of Linkerd, 2.11, will include the ability to create server side policy but current versions don't enforce any kind of policy settings.

Jason Morgan

If you're looking to build from scratch, you might want to start with Envoy rather than LinkerD. The integration between Envoy and SPIRE is much tighter, though of course you'll have to bring your own control plane.

SPIFFE is opinionated about authentication but not authorization. It's up to a workload receiving a SPIFFE-identified connection or message to apply authorization logic once you've authenticated the ID of the sending workload. The ID should denote a workload's logical identity, not its roles or entitlements.

That said, there aren't many constraints on how you structure your SPIFFE IDs, and the ID can be structured in a way that makes subsequent authorization simpler. For example, you might have a SPIFFE ID like:

spiffe://prod.acme.com/<group>/<application>/<service>

For a receiving workload to apply an authorization rule that says "allow connections from any service in the payments group", you'd simply allow any connection that matches:

spiffe://prod.acme.com/payments/.*
Andrew J
  • This has the drawback that with one SPIFFE ID you can only have one role. For example you couldn't be in both "payments" and "settlement" with the same SVID. – Niels-Ole May 25 '22 at 13:42
  • @Niels-Ole To handle both payments and settlements with the same SVID, one would simply issue a SPIFFE ID of spiffe://prod.acme.com/accounting (as an example) and then accept spiffe://prod.acme.com/accounting. The URI here is not a URL; as long as the service accepts the URI, whatever services are being exposed can be used. One can arbitrarily define the ID needed for the organization, so one can arbitrarily define one ID to handle both payments and settlement, at the loss of being able to identify them separately. – Edwin Buck Aug 04 '23 at 16:37
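As an added example that is not part of Andrew J's answer, the comment thread, or any SPIFFE/SPIRE project code: a small Go program showing how a receiving workload can turn the ID layout above (spiffe://prod.acme.com/<group>/<application>/<service>) into authorization decisions. The trust domain prod.acme.com and the payments/settlement/accounting groups come from the answer and comments; the rule set, the permission names (ledger:write, ledger:settle) and all function names are constructed for illustration. Instead of running the `payments/.*` regex over the raw string, it parses the ID first and matches the trust domain and path segments separately, so a rule for /payments cannot be satisfied by /paymentsx, by a different trust domain, or by dot segments in the path. The last case in DemoRules mirrors Edwin Buck's point: an ID for the single logical identity "accounting" picks up both permissions only because the rules name it twice, not because the SVID carries two roles.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of an ID such as
// spiffe://prod.acme.com/payments/billing/api.
type SPIFFEID struct {
	TrustDomain string // "prod.acme.com"
	Path        string // "/payments/billing/api"; empty for the bare trust-domain ID
}

// ParseSPIFFEID checks the shape a SPIFFE ID must have before any part of it
// is used for authorization: scheme "spiffe", a bare host as trust domain,
// no userinfo, port, query or fragment, and no empty, "." or ".." segments.
func ParseSPIFFEID(raw string) (SPIFFEID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return SPIFFEID{}, err
	}
	if u.Scheme != "spiffe" {
		return SPIFFEID{}, errors.New("scheme must be spiffe")
	}
	if u.Host == "" || u.User != nil || u.Port() != "" {
		return SPIFFEID{}, errors.New("trust domain must be a bare host name")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, errors.New("query and fragment are not allowed")
	}
	if u.Path != "" {
		for _, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
			if seg == "" || seg == "." || seg == ".." {
				return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
			}
		}
	}
	return SPIFFEID{TrustDomain: strings.ToLower(u.Host), Path: u.Path}, nil
}

// Rule grants Permission to callers whose ID is in TrustDomain and whose path
// is PathPrefix itself or lies below it. Matching is segment-aware, so the
// prefix "/payments" covers "/payments/billing/api" but not "/paymentsx/api".
type Rule struct {
	TrustDomain string
	PathPrefix  string
	Permission  string
}

func (r Rule) Matches(id SPIFFEID) bool {
	if id.TrustDomain != r.TrustDomain {
		return false
	}
	if r.PathPrefix == "" || r.PathPrefix == "/" {
		return true // rule applies to the whole trust domain
	}
	return id.Path == r.PathPrefix || strings.HasPrefix(id.Path, r.PathPrefix+"/")
}

// Permissions returns every permission the rules grant to the caller ID.
// A malformed ID is an error, not an empty grant, so callers can log it.
func Permissions(rules []Rule, rawID string) ([]string, error) {
	id, err := ParseSPIFFEID(rawID)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, r := range rules {
		if r.Matches(id) {
			out = append(out, r.Permission)
		}
	}
	return out, nil
}

// Allowed reports whether the caller holds one specific permission;
// anything that fails to parse is denied.
func Allowed(rules []Rule, rawID, perm string) bool {
	perms, err := Permissions(rules, rawID)
	if err != nil {
		return false
	}
	for _, p := range perms {
		if p == perm {
			return true
		}
	}
	return false
}

// DemoRules is a constructed rule set for the groups named in the answer.
// "accounting" is one logical identity that is listed under both permissions.
func DemoRules() []Rule {
	return []Rule{
		{"prod.acme.com", "/payments", "ledger:write"},
		{"prod.acme.com", "/settlement", "ledger:settle"},
		{"prod.acme.com", "/accounting", "ledger:write"},
		{"prod.acme.com", "/accounting", "ledger:settle"},
	}
}

func main() {
	ids := []string{
		"spiffe://prod.acme.com/payments/billing/api",
		"spiffe://prod.acme.com/accounting",
		"spiffe://prod.acme.com/paymentsx/api",
		"spiffe://staging.acme.com/payments/api",
		"spiffe://prod.acme.com/payments/../settlement/api",
		"https://prod.acme.com/payments/api",
	}
	for _, id := range ids {
		perms, err := Permissions(DemoRules(), id)
		if err != nil {
			fmt.Printf("%-52s rejected: %v\n", id, err)
			continue
		}
		fmt.Printf("%-52s %v\n", id, perms)
	}
}
```

In a real deployment the raw ID would come from the URI SAN of the peer's X.509-SVID after the TLS handshake has already validated the chain against the trust bundle; the parsing step here is what stands between that string and the rule lookup.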