CNCF plants SPIFFE and SPIRE into its incubator, looks to grow secure cloud projects

Linux Foundation subsidiary Cloud Native Computing Foundation has promoted security projects SPIFFE and SPIRE into its incubator, where they join the likes of container runtime cri-o, registry Harbor, Argo, the Open Policy Agent, and service mesh linkerd.

SPIFFE, a framework and specification for “identifying and securing communications between web-based services”, was initially dreamed up by Kubernetes co-creator Joe Beda in 2016. According to his initial project draft, Beda wanted the project to support developers in “playing an active role in building securable applications”. 

It was planned to provide “plumbing” to obtain “sets of certificates and private keys to prove identities that the workload has access to” and “root certificates along with data for which identities those certificates apply to”. SPIFFE officially launched in late 2017, before – along with its implementation SPIRE – it joined the CNCF sandbox a couple of months later. 
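The two pieces of "plumbing" quoted above map onto a concrete check a workload (or a proxy in front of it) performs on every connection: the peer presents a certificate whose identity is a `spiffe://` URI, and the verifier looks up which root certificates apply to that identity's trust domain before validating the chain. The following Go program is an added illustration written for this article, not code from the SPIFFE specification or from SPIRE; it uses only the Go standard library, and the trust-domain names, the workload path `/ns/prod/sa/payments`, the `TrustBundle` type and the `VerifySVID` function are all constructed for the example (a real bundle carries more than a root list, and SPIRE delivers certificates through its own agent API, which is not modelled here).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TrustBundle maps a trust domain (the host part of a spiffe:// URI) to the
// roots allowed to issue identities in it. This is a simplified stand-in for
// the "root certificates along with data for which identities those
// certificates apply to" (assumption made for this example).
type TrustBundle map[string]*x509.CertPool

// issueRoot makes a self-signed CA for a trust domain (constructed test data,
// standing in for whatever issues roots in a real deployment).
func issueRoot(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "root for " + trustDomain},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSVID signs a short-lived leaf whose only identity is a spiffe:// URI SAN:
// the "certificate and private key to prove identity" a workload would hold.
func issueSVID(root *x509.Certificate, rootKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifySVID requires exactly one spiffe:// URI, selects the roots that apply
// to that URI's trust domain, and verifies the chain against those roots only.
// A certificate signed by some other domain's root is rejected even though it
// is otherwise well formed.
func VerifySVID(leaf *x509.Certificate, bundle TrustBundle) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("leaf must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	roots, ok := bundle[id.Host]
	if !ok {
		return "", fmt.Errorf("no roots for trust domain %q", id.Host)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain does not verify for %s: %w", id, err)
	}
	return id.String(), nil
}

// Demo sets up two trust domains, accepts a genuine identity, and returns the
// error produced for a certificate that claims the other domain's identity but
// was signed by the wrong root (the check a bundle lookup exists to enforce).
func Demo() (goodID string, crossDomainErr error, err error) {
	rootA, keyA, err := issueRoot("example.org")
	if err != nil {
		return "", nil, err
	}
	rootB, _, err := issueRoot("other.test")
	if err != nil {
		return "", nil, err
	}
	bundle := TrustBundle{"example.org": x509.NewCertPool(), "other.test": x509.NewCertPool()}
	bundle["example.org"].AddCert(rootA)
	bundle["other.test"].AddCert(rootB)

	good, err := issueSVID(rootA, keyA, "spiffe://example.org/ns/prod/sa/payments")
	if err != nil {
		return "", nil, err
	}
	goodID, err = VerifySVID(good, bundle)
	if err != nil {
		return "", nil, err
	}
	wrongDomain, err := issueSVID(rootA, keyA, "spiffe://other.test/ns/prod/sa/payments")
	if err != nil {
		return "", nil, err
	}
	_, crossDomainErr = VerifySVID(wrongDomain, bundle)
	return goodID, crossDomainErr, nil
}

func main() {
	goodID, crossErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", goodID)
	fmt.Println("rejected cross-domain certificate:", crossErr)
}
```

The point of the bundle lookup is that trust is scoped per domain: a root that is legitimate for `example.org` says nothing about identities under `other.test`, so the verifier must pick the roots from the identity it is checking, not accept any root it happens to know.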

The latter step was meant to provide the project with a vendor-neutral home and help both projects get the attention of a wider public. This worked surprisingly well, given that Bloomberg, Pinterest, and Uber are amongst its users, and its contributors include Amazon and Google. Nevertheless, the project is mainly driven by Scytale, a startup which is also recognised as a founding contributor to SPIFFE/SPIRE. It became part of HPE earlier this year.

During its time in the sandbox, SPIRE was fitted with integrations for other well-known cloud-native projects such as Kubernetes, Envoy, and Docker, and security projects such as HashiCorp’s Vault. It is now able to work with bare metal, AWS, GCP, and Azure environments, and has learned to scale servers horizontally with client-side load balancing and discovery. It also supports authenticating against OpenID Connect-compatible validators as well as workloads not aware of SPIFFE.

The new status was awarded to the projects because they could document successful production use, and had a good number of committers, a clear versioning scheme, and a stable flow of commits and merged contributions. If all works well, their graduations won’t take the expected two years, since the projects have already bagged some of the prerequisites for the next steps. Amongst other things, SPIFFE/SPIRE have already attained a Core Infrastructure Initiative best practices badge and conducted security assessments in which no critical issues were found.