The Istio-Attestor is a plugin for the SPIRE server. It lets SPIRE automatically attest nodes running Istio: the plugin verifies the bearer token presented by Istio against the Kubernetes TokenReview API.
The plugin needs configuration to locate and authenticate with the Kubernetes API server. When SPIRE server is running within Kubernetes, the plugin uses the in-cluster configuration (i.e. the mounted service account token and environment variables) for this purpose. When SPIRE server is running outside Kubernetes, a Kubernetes config file (e.g. ~/.kube/config) is needed to supply the configuration.
A script is provided to simplify the process of creating the configuration file that is necessary when running SPIRE Server outside Kubernetes. This script takes in a service account name and a namespace and produces a configuration file containing the service account token for that service account. If the service account does not exist, it will be created first.
To run the script:

```shell
./createKubeConfig.sh <serviceAccount> <namespace>
```

For example:

```shell
./createKubeConfig.sh spire default
```

Output:

```text
Service account spire exist
Getting secret of service account spire on default
Extracting ca.crt from secret...
Getting user token from secret...
Setting current context to: minikube
Cluster name: minikube
Endpoint: https://192.168.99.251:8443
Preparing k8s-spire-default-conf
Setting a cluster entry in kubeconfig...Cluster "minikube" set.
Setting token credentials entry in kubeconfig...User "spire-default-minikube" set.
Setting a context entry in kubeconfig...Context "spire-default-minikube" modified.
Setting the current-context in the kubeconfig file...Switched to context "spire-default-minikube".
Configuration file 'k8s-spire-default-conf' done!!!!
```
As a result, a configuration file named k8s-<serviceAccount>-<namespace>-conf is created:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <SERVICE ACCOUNT CA.CRT>
    server: https://192.168.99.251:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    namespace: default
    user: spire-default-minikube
  name: spire-default-minikube
current-context: spire-default-minikube
kind: Config
preferences: {}
users:
- name: spire-default-minikube
  user:
    as-user-extra: {}
    token: <SERVICE ACCOUNT TOKEN>
```
The configuration file can be tested by running kubectl with it:

```shell
KUBECONFIG=<CONFIG_FILE> kubectl get pods
```

Output:

```text
NAME                     READY   STATUS    RESTARTS   AGE
sleep-84488db7b7-ghrmw   2/2     Running   0          10h
```
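A complementary check on the generated file, added here as an example and not part of the repository's script: the kubectl test above proves the token is accepted by the API server, but not that it belongs to the service account you asked for. Secret-based service account tokens are JWTs whose claims name their namespace and account (`sub`, `kubernetes.io/serviceaccount/namespace`, `kubernetes.io/serviceaccount/service-account.name`), so the `token` value from the kubeconfig can be decoded and compared with the `<serviceAccount>` and `<namespace>` passed to the script. The sample token is constructed and unsigned; the function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// saClaims are the claims carried by a secret-based service account token,
// which is the kind of token the script copies into the generated kubeconfig.
type saClaims struct {
	Subject   string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
}

// InspectToken decodes the JWT payload and confirms the claims name the expected
// service account. The signature is deliberately not checked: only the API
// server can do that (which is what the plugin's TokenReview call is for); this
// check only catches a kubeconfig that was generated for the wrong account.
func InspectToken(token, wantNamespace, wantName string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-part JWT")
	}
	// JWT segments are base64url without padding; tolerate padded tokens too.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return fmt.Errorf("decode JWT payload: %w", err)
	}
	var c saClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parse JWT claims: %w", err)
	}
	if c.Namespace != wantNamespace || c.Name != wantName {
		return fmt.Errorf("token belongs to %s/%s, want %s/%s", c.Namespace, c.Name, wantNamespace, wantName)
	}
	if c.Subject != "system:serviceaccount:"+wantNamespace+":"+wantName {
		return fmt.Errorf("unexpected sub claim %q", c.Subject)
	}
	return nil
}

// makeSampleToken builds a constructed, unsigned JWT with the claim layout of a
// service account token; it stands in for the real token from the kubeconfig.
func makeSampleToken(ns, name string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]string{
		"sub": "system:serviceaccount:" + ns + ":" + name,
		"kubernetes.io/serviceaccount/namespace":            ns,
		"kubernetes.io/serviceaccount/service-account.name": name,
	}
	return enc(header) + "." + enc(claims) + ".constructed-signature"
}

func main() {
	token := makeSampleToken("default", "spire")
	fmt.Println("checked as default/spire:", InspectToken(token, "default", "spire"))
	fmt.Println("checked as kube-system/spire:", InspectToken(token, "kube-system", "spire"))
}
```

Run it against a real file by pasting the `token` value from `users[].user.token` into `InspectToken` together with the account the script was given; a mismatch means the kubeconfig grants SPIRE a different identity than intended.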
The plugin can be installed directly by running:

```shell
go install github.com/spiffe/istio-attestor
```

This downloads, builds, and installs the Istio-Attestor plugin into your ${GOPATH}/bin directory by default, or into the path set by the ${GOBIN} environment variable.
Build from Source
- Clone this repo:

```shell
git clone https://github.com/spiffe/istio-attestor ${GOPATH}/src/github.com/spiffe/istio-attestor
cd ${GOPATH}/src/github.com/spiffe/istio-attestor
```

- Build the Istio-Attestor:

```shell
make build
```

- Edit the SPIRE Server config file to add the Istio-Attestor server plugin config:

```shell
edit <SPIRE Installation Directory>/conf/server/server.conf
```

- Disable agent ID validation:

```hcl
server {
    ...
    experimental {
        allow_agentless_node_attestors = true
    }
    ...
}
```

- Add the plugin configuration in the "plugins" section:

```hcl
plugins {
    ...
    NodeAttestor "istio_attestor" {
        plugin_cmd = "<PATH TO PLUGIN>"
        plugin_data {
            # Path to the Kubernetes config file. If it is not provided, the
            # attestor assumes it runs inside Kubernetes and uses the in-cluster config.
            k8s_config_path = "/etc/k8s-spire-default-conf"
        }
    }
    ...
}
```
Run the SPIRE Server:

```shell
cd <SPIRE Installation Directory>
./spire-server run
```