# spiffe-enable

`spiffe-enable` is a Kubernetes admission webhook that auto-injects the components that enable SPIFFE for workloads, including applications that are not SPIFFE-native. The purpose of the project is to provide seamless automation and easily onboard workloads to a SPIFFE-enabled environment (e.g. SPIRE via cofidectl or Cofide's Connect platform), using components including:

- spiffe-helper
- Envoy proxy
- A `spiffe-enable` UI to debug a workload's SVID credentials
In order to use the admission webhook:

- the workload's namespace requires a `spiffe.cofide.io/enabled: true` label to 'opt in' to the auto-injection;
- components are auto-injected on a per-pod basis using the `spiffe.cofide.io/inject` annotation (the value is a comma-delimited list of components).
The modes that are currently available:

| Mode | Description |
|---|---|
| `csi` | A SPIFFE CSI volume is injected and mounted into all application containers (i.e., those in `spec.containers`), and the `SPIFFE_ENDPOINT_SOCKET` environment variable is set in them. |
| `helper` | A spiffe-helper sidecar container is injected to retrieve and automatically renew the SVID and bundle. `csi` mode is implicitly enabled. |
| `proxy` | An Envoy sidecar container is injected. `csi` mode is implicitly enabled. Note: this is used in conjunction with Cofide's Connect Agent. |
When using the `proxy` component, the log level for the Envoy sidecar can be configured using the `spiffe.cofide.io/envoy-log-level` annotation.
`spiffe-enable` also provides a basic UI to help users debug the configuration and credentials that the workload has received from the workload identity provider, e.g. the SVID and the trust bundle.

To use the debug UI, add the annotation `spiffe.cofide.io/debug: true` to the template of the pod you wish to debug. By default, the UI serves on container port 8080; use `port-forward` to connect to it (you may wish to choose a different local port):

```shell
kubectl port-forward [pod-name] 8080
```

You can now browse to http://localhost:8080 to use the UI.
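Putting the namespace label, the per-pod inject annotation, the Envoy log-level annotation and the debug annotation together, here is an added example manifest (not from the spiffe-enable repository) that opts a namespace in and asks the webhook to inject the `helper` and `proxy` components for a Deployment's pods. The namespace name, the application image and the `debug` log-level value are assumptions. Kubernetes label and annotation values are strings, so the `true` values shown in the text must be quoted in YAML.

```yaml
# Added example, not part of the spiffe-enable repository. The namespace
# name, image and Envoy log-level value are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-app                      # assumed namespace name
  labels:
    # Opt the whole namespace in to auto-injection. Label values are
    # strings, so "true" must be quoted.
    spiffe.cofide.io/enabled: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
      # Injection is decided per pod, so the annotations go on the pod
      # template, not on the Deployment itself.
      annotations:
        # Comma-delimited list of components. "helper" and "proxy" both
        # imply "csi", so the SPIFFE CSI volume is mounted into the app
        # container and SPIFFE_ENDPOINT_SOCKET is set there.
        spiffe.cofide.io/inject: "helper,proxy"
        # Log level for the injected Envoy sidecar (assumed value).
        spiffe.cofide.io/envoy-log-level: "debug"
        # Serve the debug UI on container port 8080.
        spiffe.cofide.io/debug: "true"
    spec:
      containers:
        - name: app
          image: ghcr.io/example/demo-app:latest   # placeholder image
          ports:
            - containerPort: 8000
```

Apply it with `kubectl apply -f` after the webhook is installed: a mutating admission webhook only changes pods at admission time, so pods that already existed when the webhook was deployed are not modified until they are recreated. To confirm the mutation happened, `kubectl -n demo-app get pod -l app=demo-app -o jsonpath='{.items[0].spec.containers[*].name}'` should list the injected sidecars alongside `app`, and `kubectl -n demo-app get pod -l app=demo-app -o jsonpath='{.items[0].spec.containers[0].env}'` should show `SPIFFE_ENDPOINT_SOCKET`. To reach the debug UI on a local port other than 8080, use `kubectl -n demo-app port-forward deploy/demo-app 18080:8080` and browse to http://localhost:18080.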
`spiffe-enable` is a Kubernetes mutating admission webhook. It is used with a Kubernetes cluster in which there is a SPIFFE-compliant workload identity provider. The easiest method to enable SPIFFE in a cluster is to use cofidectl, Cofide's CLI for Kubernetes workload identity. Cofide also provides Connect for production use cases.
To install `spiffe-enable` in a cluster, it is recommended to use the Helm chart provided by Cofide:

```shell
helm repo add cofide https://charts.cofide.dev
helm install \
  spiffe-enable cofide/spiffe-enable \
  --namespace cofide \
  --create-namespace
```
`spiffe-enable` depends on cert-manager to issue TLS certificates to secure the webhook. Ensure cert-manager is installed, following the installation documentation. By default, `spiffe-enable` assumes a self-signed `Issuer` called `selfsigned`, but this is configurable in the Helm chart (values).
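As an added example (not part of the spiffe-enable Helm chart), this is the cert-manager resource the default values expect: a self-signed `Issuer` named `selfsigned`. An `Issuer` is namespaced (unlike a `ClusterIssuer`), so the example assumes it lives in the same `cofide` namespace the `helm install` command above targets; the Namespace is included so the manifest can be applied before the chart.

```yaml
# Added example, not part of the spiffe-enable Helm chart. Assumes the
# webhook is installed into the "cofide" namespace and that the chart
# references a namespaced Issuer rather than a ClusterIssuer.
apiVersion: v1
kind: Namespace
metadata:
  name: cofide
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: cofide
spec:
  # A self-signed issuer lets cert-manager mint the webhook's serving
  # certificate without an external CA. It is only a source for the
  # webhook's own TLS certificate, not a trust anchor for workloads.
  selfSigned: {}
```

Apply this before running `helm install` (the chart's `--create-namespace` is harmless when the namespace already exists). Check readiness with `kubectl -n cofide get issuer selfsigned`, which should report `READY` as `True`; after installing the chart, `kubectl -n cofide get certificate` shows whether the webhook's serving certificate has been issued. If you already operate an Issuer under a different name, point the chart at it through its values instead of creating this one.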
`spiffe-enable` is a Kubernetes mutating admission webhook that is built on controller-runtime. The webhook is implemented in `webhook`, and the `spiffe-helper` and `proxy` injection in `internal/helper` and `internal/proxy`, respectively.
- go version v1.24.0+
- docker version 17.03+
- kubectl version v1.11.3+
- Access to a Kubernetes v1.11.3+ cluster
`spiffe-enable` is a project developed and maintained by Cofide. We're building a workload identity platform that is seamless and secure for multi and hybrid cloud environments. If you have a production use case with need for greater flexibility, control and visibility, with enterprise-level support, please speak with us to find out more about the Cofide early access programme 👀.