Overview

SPIFFE gives every workload a verifiable identity, the SVID; SPIRE, the reference implementation, issues and rotates those SVIDs. When a proxy (or the service itself) completes the mTLS handshake and checks the peer's SPIFFE ID, service-to-service traffic becomes zero-trust: authorization is tied to a cryptographically attested identity instead of to a network location.

Key practices and parameters

- Trust domain: spiffe://example.org. Every SVID in the deployment carries an ID under this trust domain, and the trust bundle is scoped to it.
- Registration entries: map workloads to SPIFFE IDs through selectors such as namespace, label or service account (on Kubernetes, the k8s:ns and k8s:sa selectors). Keep selectors narrow enough that an unrelated pod cannot obtain the same identity.
- SVID rotation: keep the X.509-SVID TTL short (SPIRE's default is one hour) and let the agent renew ahead of expiry; SPIRE agents request a new SVID once half of its lifetime has elapsed.
- Trust bundle: distribute the trust domain's root certificates from a single source and push updates before any CA rotation, so old and new roots are both trusted during the transition.
- Probes and observability: track the mTLS handshake success rate and alert on SVIDs or bundles that are approaching expiry.

Example / configuration / implementation

# SPIRE Server configuration (illustrative; SPIRE's server.conf is HCL)
server {
    trust_domain = "example.org"
    data_dir = "/opt/spire/data"
}
plugins {
    DataStore "sql" {   # database_type must be "sqlite3" (not "sqlite") and a connection_string is required
        plugin_data {
            database_type = "sqlite3"
            connection_string = "/opt/spire/data/datastore.sqlite3"
        }
    }
    KeyManager "disk" { plugin_data { keys_path = "/opt/spire/data/keys.json" } }   # CA signing key kept on local disk
    NodeAttestor "k8s_psat" { plugin_data { clusters = { "demo" = { service_account_allow_list = ["spire:spire-agent"] } } } }   # "demo" is a placeholder cluster name
}
# Every workload entry needs a parent: here the agent's node alias (registered separately with -node and k8s_psat selectors)
spire-server entry create \
  -parentID spiffe://example.org/ns/spire/sa/spire-agent \
  -spiffeID spiffe://example.org/ns/app/sa/api \
  -selector k8s:ns:app -selector k8s:sa:api \
  -x509SVIDTTL 3600   # seconds; keep SVIDs short-lived so rotation is exercised constantly
# Envoy mTLS toward the api cluster: SVID and trust bundle are fetched from the SPIRE agent over SDS,
# and the peer is accepted only if its URI SAN is exactly the expected SPIFFE ID
static_resources:
  clusters:
  - name: spire_agent   # SDS source: the agent's Envoy-facing Unix socket (path is deployment-specific)
    type: STATIC
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config: { http2_protocol_options: {} }   # SDS is gRPC, so HTTP/2 is required
    load_assignment:
      cluster_name: spire_agent
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { pipe: { path: /run/spire/sockets/agent.sock } } }
  - name: api
    type: LOGICAL_DNS
    load_assignment:
      cluster_name: api
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: api.svc, port_value: 8443 } } }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          tls_certificate_sds_secret_configs:
          - name: "default"   # this proxy's own X509-SVID; "default" is the SPIRE agent's SDS name for the workload's default SVID
            sds_config: { resource_api_version: V3, api_config_source: { api_type: GRPC, transport_api_version: V3, grpc_services: [{ envoy_grpc: { cluster_name: spire_agent } }] } }
          # validation_context_sds_secret_config and combined_validation_context are mutually exclusive at this
          # level: the SDS-backed bundle has to go inside the combined block, next to the SAN matcher
          combined_validation_context:
            default_validation_context:
              match_typed_subject_alt_names:   # match_subject_alt_names is deprecated; pin the SAN type to URI
              - san_type: URI
                matcher: { exact: "spiffe://example.org/ns/app/sa/api" }
            validation_context_sds_secret_config:
              name: "spiffe://example.org"   # trust bundle of the trust domain, as served by the agent's SDS
              sds_config: { resource_api_version: V3, api_config_source: { api_type: GRPC, transport_api_version: V3, grpc_services: [{ envoy_grpc: { cluster_name: spire_agent } }] } }
Verification

- Handshake identity: the mutual TLS handshake succeeds and the peer's leaf certificate carries the expected SPIFFE ID as a URI SAN (inspect it with openssl x509 -noout -ext subjectAltName and look for URI:spiffe://example.org/ns/app/sa/api).
- Rotation: the SVID is renewed before it expires (the agent requests a new one at half of its lifetime) and established connections are not interrupted; new handshakes use the new certificate.
- Trust root update: after the trust bundle is updated, handshakes still succeed, including during the window in which old and new roots coexist.
- Alerting: certificate expiry and handshake failures raise alerts; a spike in handshake failures right after a rotation or bundle update is the sign that distribution lagged.

Notes

- Use one trust domain and a consistent SPIFFE ID naming scheme (here spiffe://example.org/ns/<namespace>/sa/<service-account>), so authorization policy can be written against predictable IDs.
- Distribution of certificates and trust roots must be both secure and highly available: a stalled bundle update eventually breaks every handshake.
- Apply identity policy uniformly through sidecars or gateways rather than per service.
- Rehearse rotation and recovery from expiry regularly, including the case where an SVID or a root is allowed to lapse.
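For services that terminate mTLS themselves instead of behind Envoy, the SAN check in the proxy configuration above and the rotation and expiry items in the verification list have to be done in application code. The following Go program is an added example written for this post; it is not code from the original article or from the SPIRE project. It validates a peer's leaf X509-SVID (not a CA, exactly one well-formed spiffe:// URI SAN with a path, the expected trust domain and ID, valid now, and chaining to the trust bundle when one is given) and reports the half-life point at which SPIRE-style rotation should already have replaced it, plus the time left for an expiry alert. The function names are this example's own, the self-signed certificate it mints is constructed test input (real SVIDs are signed by the SPIRE server CA), and the trust domain and SPIFFE ID are the ones used throughout this post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type SVIDCheck struct {
	SPIFFEID  string
	RotateAt  time.Time     // half-life point: SPIRE agents renew the SVID from here on
	Remaining time.Duration // time left until NotAfter, the input for an expiry alert
}

// VerifyX509SVID applies the SPIFFE X509-SVID checks a relying party makes on the peer's leaf after an mTLS
// handshake: not a CA; exactly one well-formed spiffe:// URI SAN with a path; ID inside trustDomain (and equal
// to expectedID when given); valid at now; and, if a bundle is supplied, chaining to a trust-domain root.
func VerifyX509SVID(leaf *x509.Certificate, bundle *x509.CertPool, trustDomain, expectedID string, now time.Time) (SVIDCheck, error) {
	if leaf.IsCA {
		return SVIDCheck{}, fmt.Errorf("leaf SVID must not be a CA certificate")
	}
	if len(leaf.URIs) != 1 {
		return SVIDCheck{}, fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.Port() != "" || id.User != nil || id.RawQuery != "" || id.Fragment != "" || id.Path == "" {
		return SVIDCheck{}, fmt.Errorf("not a valid workload SPIFFE ID: %q", id.String())
	}
	if id.Host != trustDomain { // trust domain names are lowercase, so an exact comparison is correct
		return SVIDCheck{}, fmt.Errorf("trust domain %q is not %q", id.Host, trustDomain)
	}
	if expectedID != "" && id.String() != expectedID {
		return SVIDCheck{}, fmt.Errorf("SPIFFE ID %q does not match expected %q", id.String(), expectedID)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return SVIDCheck{}, fmt.Errorf("SVID is not valid at %s", now.Format(time.RFC3339))
	}
	if bundle != nil {
		opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := leaf.Verify(opts); err != nil {
			return SVIDCheck{}, fmt.Errorf("SVID does not chain to the trust bundle: %w", err)
		}
	}
	return SVIDCheck{SPIFFEID: id.String(), RotateAt: leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) / 2), Remaining: leaf.NotAfter.Sub(now)}, nil
}

// BundleOf builds a trust bundle (root pool) from the given certificates.
func BundleOf(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	return pool
}

// NewSelfSignedSVID mints a self-signed certificate with a URI SAN: constructed test input only; real SVIDs are signed by the SPIRE server CA.
func NewSelfSignedSVID(spiffeID string, notBefore time.Time, ttl time.Duration, isCA bool) (*x509.Certificate, error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(ttl),
		URIs:                  []*url.URL{uri},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the isCA test case
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	const apiID = "spiffe://example.org/ns/app/sa/api"
	leaf, err := NewSelfSignedSVID(apiID, now.Add(-time.Minute), time.Hour, false) // constructed stand-in for the SVID api.svc would present
	if err != nil {
		panic(err)
	}
	res, err := VerifyX509SVID(leaf, BundleOf(leaf), "example.org", apiID, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("peer %s accepted; rotate at %s, expires in %s\n", res.SPIFFEID, res.RotateAt.Format(time.RFC3339), res.Remaining.Round(time.Second))
}
```

In a real service the leaf comes from tls.ConnectionState().PeerCertificates[0] and the bundle from the SPIRE agent's Workload API; the go-spiffe v2 library (tlsconfig.AuthorizeID and friends) performs the same SAN and trust-domain checks, so the hand-written version above is mainly useful to see what the proxy or library is enforcing, and to drive the half-life and time-to-expiry values into your own probes.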
