feat: SPIFFE unique workload identifiers with TPM support #2927
Labels: enhancement, triage
Is your feature request related to a problem? Please describe.
Being able to uniquely identify workloads on the network and tie them to a specific trust domain, and attest to specifically which node they are running on, linking back to the TPM using Keylime. This will allow a high level of certainty as to where (which Kairos device) services are being run.
https://spiffe.io/docs/latest/spiffe-about/overview/
Describe the solution you'd like
I would like to implement SPIFFE using SPIRE support into Kairos.
SPIRE supports Keylime with this plugin. Keylime is already planned in #1115
Keylime support to expose the right APIs on the right interfaces and configure any firewall settings will be important.
It seems like a bundle could be created and added to #592, similar to:
https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/ or https://spiffe.io/docs/latest/deploying/install-agents/
We should dive more into a deeper integration with the standard packaging as well:
https://spiffe.io/docs/latest/deploying/registering/
Describe alternatives you've considered
This could be implemented without Keylime support
Depends on: #1115