4 CNCF Projects For Key Management
The nuances of cloud-native architecture necessitate some new approaches to security. Not only are container-based microservices inherently distributed, but there is a rising number of dependencies within the software supply chain. As a result, developers are faced with storing and accessing many types of secrets, including API keys, encryption keys, JSON Web Tokens (JWTs) and others when building cloud-native applications based on containers and running on platforms like Kubernetes. But, leaving such secrets exposed within your codebase goes against security best practices, as an attacker could easily access them.
Software components must verify every request is coming from a legitimate source, known as authentication, and they must confirm the requesting party has the required permissions to access a resource, known as authorization. As part of this mission, we’ve seen a lot of development activity around automating secret issuance and distribution to securely store and distribute passwords among services.
Below, we’ll review some incubating and sandbox open source projects related to key management hosted with the Cloud Native Computing Foundation (CNCF). The systems that these projects and specifications describe are necessary elements to help ensure secure identity-driven access for cloud-native architecture. While some are helpful utilities, others are more open standards that can be implemented in different ways. Let’s dig in.
SPIFFE
A universal identity control plane for distributed systems
The Secure Production Identity Framework For Everyone (SPIFFE) is an open source standard that specifies a method to secure microservices communication. SPIFFE outlines three main specifications. First, the standard defines a way to identify services with a unique SPIFFE ID for each service, similar to a username. Next, it provides a method to prove this identity, a SPIFFE Verifiable Identity Document (SVID), which is a cryptographically-verifiable document signed by an authority. Lastly, SPIFFE delineates a workload API for issuing and retrieving SVIDs, allowing the system to expose SVIDs to each workload.
Since SPIFFE is an agnostic architecture, it’s disconnected from the platform and host layers and instead focuses on establishing workload identity. Using the SPIFFE framework, organizations can remove the need for application-level authentication and network access control. SPIFFE can be implemented to automatically secure service-to-service communication and authenticate with databases without needing to expose keys. The SPIFFE project itself contains specifications on how the standards should be implemented, along with sample code. At the time of writing, SPIFFE is an incubating project hosted by the CNCF.
SPIRE
The SPIFFE runtime environment
SPIRE is a production-ready reference implementation of the SPIFFE specification. The SPIRE reference implementation goes through the nitty-gritty details of communicating with the SPIFFE APIs and issuing IDs and SVIDs to specific workloads.
SPIRE, at a high level, is comprised of a server and agents. A server confirms the identity of new agents and the system works with the SPIFFE workload API to perform attestation on new agents. The best thing about this workload identity attestation structure is it removes the need to divulge secrets — it eliminates the need to insert secrets into a CI/CD flow, bake secrets into images or share secrets across services. Instead, the system uses the SPIFFE identity granted at runtime. The system also uses short-lived keys, meaning it can be used for key management duties like rapidly rotating keys or revoking secrets.
Although access policies are beyond the scope of these projects, the SPIFFE speciation and SPIRE implementation create an identity plane that can serve as an essential aspect of a zero-trust network. Istio recently included support for the SPIRE runtime in version 1.14. SPIFFE is also used within HashiCorp Consul, Envoy Proxy, Kuma and other projects. At the time of writing, SPIRE is an incubating project with CNCF.
Athenz
Open platform for X.509 certificate-based service authentication and RBAC
Athenz is an open platform for constructing service authentication and access control based on X.509 certificates. Similar to SPIFFE, Athenz can be used to establish a unique service identity for microservices. Athenz goes beyond authentication by offering a role-based access control (RBAC) system based on JWTs, which can be presented along with the identity certificate to verify communications. The utility is compatible with hybrid runtimes, whether on-premises or based in the public cloud.
At the time of writing, Athenz is a sandbox CNCF project. To get started, developers can read the Athenz documentation here or check out the Java Client/Servlet or Go Client/Server reference implementations.
Teller
A secrets management tool built in Go
Teller, developed and made open source by Spectral, is a simple utility for secrets management that emphasizes the developer experience above all else. It’s easy to use because it’s fully operational from the command line. Using Teller, you can maintain secrets hygiene across multiple sources.
According to the documentation, you can use Teller to “create a simple configuration for mixing any number of vaults and key stores using your cloud-native clusters or traditional cloud providers.” The tool supports cloud-native technologies and secrets managers from most major cloud service providers such as AWS Secret Manager, HashiCorp Vault, Google Cloud Secrets Manager and others. At the time of writing, Teller is a sandbox project within the CNCF.
Installing Teller is straightforward with a simple command:
$ brew tap spectralops/tap && brew install teller
Or, Teller can be used within a CI/CD process using GitHub Actions:
- name: Setup Teller
uses: spectralops/setup-teller@v1
- name: Run a Teller task (show, scan, run, etc.)
run: teller run [args]
Other Open Source Key Management Projects
Above, we’ve covered four key management projects hosted by the CNCF. Of course, plenty of other key management tools are supported by CNCF member companies. For example, HashiCorp’s open source Vault can be used for securing access to secrets. Or, Keycloak, sponsored by Red Hat, is a more full-blown identity and access management suite. Some other relevant open source cloud-native key management tools include Teleport, Square Keywhiz, Pinniped and CyberArk Conjur.
It should be noted that outside of key management, CNCF includes many projects that support all areas of the cloud-native DevOps life cycle. We’ve reviewed plenty of these fields, including CI/CD, persistent storage, orchestration and configuration.