Visit Aporeto at AWS re:invent at Booth 1500
Amir Sharif <amir@...>
Hi Bercovici, I hope that you are doing well. If you are going to AWS re:invent in Las Vegas this year, please visit Aporeto at booth 1500 for a quick demonstration of our security solution. Our tagline is "Security Transcending Clouds." With Aporeto, you will be able to have a consistent security posture for your cloud applications regardless of how or where those applications are running. The benefits are powerful:
If you'd like to set up a meeting time or have a specific question, please respond to me or send an email to reinvent2017@.... I look forward to seeing you soon,
--
Re: SPIFFE Presentation - TOC Agenda 11/7/2017
alexis richardson
Thank you for posting questions Deepak!
On Sun, 12 Nov 2017, 20:32 Deepak Vij (A) via cncf-toc, <cncf-toc@...> wrote:
SPIFFE Presentation - TOC Agenda 11/7/2017
Deepak Vij (A) <deepak.vij@...>
Hi all, this is regarding the recent CNCF TOC meeting last week, specifically related to the SPIFFE presentation during the meeting. I saw most of the presentation but missed some of it at the end. It would be really great if there is recording available for this session which I could view.
Now coming back to SPIFFE, I am really interested in finding out more about it. After the TOC meeting, I did some research on it by going through the content on the SPIFFE SIG web page and a few other related documents. Based on my initial cursory look at it, I have the following questions for the gentleman who presented SPIFFE during the meeting:
· Based on my understanding, SPIFFE is a set of specifications and SPIRE is one of the reference implementations of the SPIFFE specs. Based on my initial research, it seems the Istio Service Mesh project has its own implementation which is SPIFFE compliant. Given that SPIFFE/SPIRE and Istio are both aspiring to be viable CNCF projects, are these two distinct SPIFFE implementations going to merge down the road, or is it to do with the fact that the domain of the Istio service mesh is service-to-service authentication at the intra-K8S-cluster level, whereas SPIFFE/SPIRE strives to go beyond intra service-to-service authentication and additionally provide support for external service access as well?
· Also, I noticed that currently the SPIFFE Verifiable Identity Document (SVID) supports only the X.509 format. Are there plans to provide support for SVID types such as JWT down the road? Or is it by design that only the X.509 format is supported because of the vulnerabilities of JWT (masquerading, playback attacks etc.), X.509 being the only viable format which does not have all these vulnerabilities at present? That said, I recently saw a proposal in the Kubernetes AUTH SIG, "Trustworthy Workload JWTs", for addressing all the known issues with JWTs. Provided all the current JWT issues are sorted out (adding a nonce to prevent replay attacks etc.), do we see JWT as a viable SVID format type down the road? Also, from a backward-compatibility perspective, the Kubernetes Service Account identity is currently JWT token based.
· Currently in Kubernetes, identity is defined at the Service level. Is the intent of SPIFFE to provide more granular identity at the actual workload level (Pods, Containers or possibly the native UNIX process level)? The SPIFFE demo I recently saw included identity attestation for a native Unix process (a database running as a process), in addition to a K8S Pod.
· Why not implement an OpenID Connect based identity provider within the Kubernetes cluster instead of re-inventing the wheel? I am assuming this may be due to the well-known JWT vulnerability related issues mentioned before. Also, external OIDC implementations do have problems related to network round trips.
· Also, I noticed that the SPIFFE design aspires to be decentralized versus the SPOF issues of OpenID Connect type identity providers. Can't the SPOF issue of OIDC be addressed by implementing redundant or back-up identity providers? Although, this does increase the complexity of the overall solution. Based on my understanding, the SPIFFE design consists of Node Agents (at the Node level) and Server Agents (at the Master API Server level) components. Initially, when I saw the decentralized design of SPIFFE, I thought it was a peer-to-peer based trust model approach; there has been a lot of research on P2P trust models in academia but I have not seen that in practice yet.
· Lastly, how does this all play out in the enterprise SAML based federated identity environment (good old WS-Security, WS-Trust stuff)? How are the legacy coarse-grained SOA Web Services going to play out in a SPIFFE-like environment? The reason I bring all this up is that legacy enterprise SOA based web services are still going to be there as coarse-grained services side-by-side with the newer micro-services architecture.
I am sure that as I understand more about SPIFFE, I will have a lot of follow-up questions. In the meanwhile, it would be good to get the fog cleared up in my mind based on my initial understanding of all this. But overall, SPIFFE definitely seems to be a step in the right direction and I am really interested in this effort going forward. I look forward to your response on all this. Thanks.
Regards, Deepak Vij
From: cncf-toc-bounces@... [mailto:cncf-toc-bounces@...]
On Behalf Of Chris Aniszczyk via cncf-toc
Hey all, we have a TOC meeting tomorrow, here's the agenda deck: https://goo.gl/LoKyV5
We will be hearing from the Istio and SPIFFE projects, along with getting a brief update from the Serverless WG.
See everyone tomorrow!
-- Chris Aniszczyk (@cra) | +1-512-961-6719
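To put the X.509-SVID questions in the message above into concrete terms, here is an added example. It is my own code for this page, not code from SPIRE, Istio or anyone on the thread: a workload identity travels as a spiffe:// URI SAN inside a short-lived certificate, and a verifier accepts it only if the chain reaches the trust domain's bundle, the certificate is inside its validity window at the time of the check, and the host part of the ID is the trust domain the verifier expects. The trust domain example.org, the path /ns/default/sa/db, the one-hour lifetime, the "rogue CA" and every function name are my assumptions for illustration; the thread does not supply them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromCert returns the single spiffe:// URI SAN an X.509-SVID carries,
// rejecting IDs that have a userinfo, port, query or fragment.
func spiffeIDFromCert(cert *x509.Certificate) (*url.URL, error) {
	var ids []*url.URL
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 {
		return nil, fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	id := ids[0]
	if id.Host == "" || id.Port() != "" || id.User != nil || id.RawQuery != "" || id.Fragment != "" {
		return nil, fmt.Errorf("malformed SPIFFE ID %q", id.String())
	}
	return id, nil
}

// verifySVID chains the leaf to the trust bundle as of now (an expired SVID fails here
// and must be replaced by rotation), then checks the trust domain, the ID's host part.
func verifySVID(leaf *x509.Certificate, bundle *x509.CertPool, trustDomain string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	id, err := spiffeIDFromCert(leaf)
	if err != nil {
		return "", err
	}
	if id.Host != trustDomain {
		return "", fmt.Errorf("SPIFFE ID %s is outside trust domain %s", id, trustDomain)
	}
	return id.String(), nil
}

// mint generates a P-256 key and issues a certificate for it from template, signed
// by parent (self-signed when parent is nil). Demo-only: it panics on failure.
func mint(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// buildDemo constructs a throwaway trust domain "example.org" (a constructed name): its CA,
// a one-hour workload SVID signed by that CA, and a rogue SVID carrying the same SPIFFE ID
// but issued by a CA that is absent from the bundle.
func buildDemo(now time.Time) (bundle *x509.CertPool, good, rogue *x509.Certificate) {
	ca, caKey := mint(caTemplate(1, "example.org SPIFFE CA", now), nil, nil)
	rogueCA, rogueKey := mint(caTemplate(2, "rogue CA", now), nil, nil)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // short-lived; rotation replaces it
		URIs:         []*url.URL{{Scheme: "spiffe", Host: "example.org", Path: "/ns/default/sa/db"}},
	}
	good, _ = mint(leaf, ca, caKey)
	rogue, _ = mint(leaf, rogueCA, rogueKey)
	bundle = x509.NewCertPool()
	bundle.AddCert(ca)
	return bundle, good, rogue
}

func main() {
	now := time.Now()
	bundle, good, rogue := buildDemo(now)
	id, err := verifySVID(good, bundle, "example.org", now)
	fmt.Println("workload SVID:", id, err)
	_, err = verifySVID(rogue, bundle, "example.org", now)
	fmt.Println("rogue SVID:", err)
}
```

Run it with `go run`. The point the example makes against the JWT discussion is that an X.509-SVID's replay window is bounded by NotAfter and its issuer is pinned by the chain check; how the agent attests the workload before issuing the SVID, and how rotation is delivered, are outside what this snippet shows.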
CNCF Community Awards Voting 2017
Ihor Dvoretskyi
Greetings all,
As it was announced last week (https://lists.cncf.io/pipermail/cncf-toc/2017-November/001320.html), CNCF is driving awards to recognize the most active ambassadors and contributors to the CNCF projects. Today starts the second part of the Community Awards process: based on the nominations, voting is open!
As a friendly reminder, in 2017 CNCF offers two community awards:
- Top Cloud Native Ambassador: an individual with incredible community-oriented skills, focused on spreading the word and sharing knowledge with the entire Cloud Native community or within a specific project.
- Top Cloud Native Committer: an individual with incredible technical skills and notable technical achievements in one or multiple CNCF projects.
The voting forms for the Awards are available:
- Top Cloud Native Ambassador Award at https://goo.gl/forms/Y5G3krjROuLqj1rE3. Please note that only votes from the CNCF TOC will be counted.
- Top Cloud Native Committer Award at https://goo.gl/forms/nLZA3JMvU32nOEf53. Every person from the CNCF community may vote.
Please note that the voting deadline is November 15 (23:59 Pacific Time). Thank you!
Re: Sorry to miss the call...
alexis richardson
In other news: enthusiasts for Storage and Networking are warmly invited to attend the next TOC call, on Tuesday 14th Nov. That's in 7 days from today.
On Tue, Nov 7, 2017 at 7:19 PM, Bryan Cantrill <bryan@...> wrote:
Re: Sorry to miss the call...
Bryan Cantrill <bryan@...>
Both look like good candidates! - Bryan
On Tue, Nov 7, 2017 at 11:16 AM, Alexis Richardson <alexis@...> wrote:
Re: Sorry to miss the call...
alexis richardson
No worries, and thanks for the email. We had a show of hands to proceed with two projects towards the "written proposal" stage, with BG as sponsoring TOC person:
* SPIFFE / Spire
* Istio
Let us know if you object or have questions please, Bryan.
a
On Tue, Nov 7, 2017 at 7:10 PM, Bryan Cantrill via cncf-toc <cncf-toc@...> wrote:
Re: Istio
alexis richardson
thank you very much! I promise to be available next week for alexis impressions.
On Tue, Nov 7, 2017 at 7:09 PM, Chris Aniszczyk <caniszczyk@...> wrote:
Sorry to miss the call...
Bryan Cantrill <bryan@...>
I had the kids solo this morning, so the call was impossible for me -- sorry for not communicating that in advance. - Bryan
Re: Istio
Chris Aniszczyk
Yes, I did my best Alexis impression and no one had issues with Istio moving to the project proposal stage. I’ll be working with the Istio and SPIFFE projects in their proposals in the coming weeks.
On Tue, Nov 7, 2017 at 12:28 PM Alexis Richardson via cncf-toc <cncf-toc@...> wrote: Hi --
Istio
alexis richardson
Hi
Sorry I had to drop off call at ten to the hour. Did we get to a show of hands on istio? A
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Andrew Randall
Happy to see CNCF governance is in good hands... congrats both!
On Tue, Nov 7, 2017 at 6:49 AM Alex Baretto via cncf-toc <cncf-toc@...> wrote: Congratulations!
--
Andrew Randall
Tigera, Inc.
(510) 520-0999
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Alex Baretto
Congratulations!
On Tue, Nov 7, 2017 at 06:46, Gianluca Arbezzano via cncf-toc <cncf-toc@...> wrote:
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Gianluca Arbezzano <gianarb92@...>
Congrats!!
2017-11-07 14:30 GMT+01:00 Ken Owens via cncf-toc <cncf-toc@...>:
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Ken Owens
Congrats Michelle
On Mon, Nov 6, 2017 at 1:03 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Ghe Rivero <ghe.rivero@...>
Congratulations! Ghe Rivero
On Mon, Nov 6, 2017 at 8:03 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
--
Pinky: "Gee, Brain, what do you want to do tonight?" The Brain: "The same thing we do every night, Pinky—try to take over the world!" GPG Key: BC52FA6F GPG fingerprint: 1904 7374 5A88 BF8D FFE8 44A0 DD0B A251 BC52 FA6F
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Luis Pabón
Congratulations!
On Nov 6, 2017 5:09 PM, "Camille Fournier via cncf-toc" <cncf-toc@...> wrote:
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Camille Fournier
Welcome! Hope to see you both in Austin!
On Mon, Nov 6, 2017 at 5:28 PM, Bob Wise via cncf-toc <cncf-toc@...> wrote:
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Bob Wise <bob.wise@...>
Great news, congrats!
-Bob
From: cncf-toc-bounces@... [mailto:cncf-toc-bounces@...] On Behalf Of Dan Kohn via cncf-toc
I'm pleased to welcome Michelle Noorali of Microsoft to the CNCF Governing Board as the developer seat representative from Kubernetes. She joins Brandon Phillips of CoreOS, who is the developer seat representative from the other projects. The process for this is described here:
https://github.com/cncf/foundation/blob/master/gb-developer-reps.md
--
Dan Kohn <dan@...>
Executive Director, Cloud Native Computing Foundation
https://www.cncf.io
+1-415-233-1000
https://www.dankohn.com
Re: Welcoming Michelle Noorali and Brandon Phillips to the CNCF GB
Ihor Dvoretskyi
Welcome Michelle and Brandon!
On Nov 7, 2017 06:03, "Dan Kohn via cncf-toc" <cncf-toc@...> wrote: