Production Identity Day: SPIFFE + SPIRE North America 2021

Identity is the basis for authentication and authorization. SPIFFE provides a strong standard-based identity solution that works across heterogeneous environments. Cilium-CNI is an eBPF-powered network policy and observability solution that provides a highly scalable and performant enforcement engine that seamlessly works for L3/L4 and L7 policy enforcement. Cilium effectively uses k8s-labels as an identity for authorization policies. The SPIFFE integration with Cilium-CNI extends the notion of identity by leveraging SPIFFE provisioned identities and then subsequently using those for authorization and accounting purposes. The talk will be about: 1. Explaining/comparing identity marking/transport/representation solutions out there (for e.g., use of k8s-labels (cilium), use of TCP Fast-Open (Aporeto), and use of certificates (SPIFFE) 2. Design considerations/challenges for integrating SPIFFE identity in Cilium 3. Design considerations/challenges for leveraging SPIRE implementation 4. Extended identity use-cases that could now be targeted with Cilium-CNI. For e.g., we can now have policies based on SPIFFE IDs for edge devices outside the realm of k8s (previously, you need to have FQDN or CIDRSet based policies). 5. How is Cilium's integration different from Calico's integration?