I     Secure Production Identity Framework For Everyone (SPIFFE)

 

I.1          What is SPIFFE?

SPIFFE is an open standard that defines how a microservice (a workload in SPIFFE terminology) can establish an identity. The SPIFFE Runtime Environment (SPIRE) is an open-source reference implementation of SPIFFE. While helping establish an identity for each microservice in a given deployment, SPIFFE also solves the trust bootstrap problem. In this section, we discuss how SPIFFE works.

The inspiration behind SPIFFE came from three projects at Netflix, Facebook, and Google. Metatron is the Netflix project, which we’ve already discussed. It solves the credential bootstrap problem by injecting long-lived credentials into each microservice at the continuous delivery phase. Facebook has an internal public key infrastructure (PKI) project, which helps bootstrap trust among systems that are secured with mTLS. Google has a project called LOAS, which is a cryptographic-key distribution system that helps establish an identity for all the jobs running on Google infrastructure.

I.2          How does SPIFFE/SPIRE work?

 
 

I.3          What’s new in SPIFFE

 