Production Identity Day: SPIFFE & SPIRE: Full Schedule

Virtual Event
November 17, 2020
Learn More and Register to Attend This Event

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2020 - Virtual and add this co-located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Standard Time (UTC–05:00). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.

MC’s for Production Identity Day: SPIFFE + SPIRE: Umair Khan, HPE + Andrès Vega, VMware

11:00am EST

Welcome

Speakers

Andrés Vega

Technical Lead, CNCF SIG-Security

Umair Khan

HPE

Tuesday November 17, 2020 11:00am - 11:05am EST
Virtual

General Session

11:06am EST

Keynote: Introduction to SPIFFE by Kelsey Hightower

Kelsey will be taking a look at SPIFFE and SPIRE from a beginners point of view and through a set of live demos demonstrate how to leverage SPIFFE in your own applications.

Speakers

Kelsey Hightower

Staff Developer Advocate, Google

Kelsey Hightower has worn every hat possible throughout his career in tech, and enjoys leadership roles focused on making things happen and shipping software. Kelsey is a strong open source advocate focused on building simple tools that make people smile. When he is not slinging Go... Read More →

Tuesday November 17, 2020 11:06am - 11:30am EST
Virtual

Keynotes

11:30am EST

SPIFFE Project Updates

Speakers

Evan Gilman

Staff Software Engineer, VMware Tanzu

Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author... Read More →

Tuesday November 17, 2020 11:30am - 11:45am EST
Virtual

Project Updates

11:45am EST

SPIRE Project Updates

Speakers

Agustín Martínez Fayó

Principal Software Engineer, Hewlett Packard Enterprise

SPIRE Maintainer

Tuesday November 17, 2020 11:45am - 12:05pm EST
Virtual

Project Updates

12:05pm EST

Community Integrations and other Works in Progress

This session would cover new community integrations and initiatives being worked on by community members. Guest speakers, along with their topics, include:

Extending Authentication for Istio with SPIRE – Doron Chen, IBM
Securing user privacy with transitive identity – Andrew Jessup, HPE
Leveraging certificate transparency to strengthen audibility in SPIRE - Ruide Zhang, ByteDance
Parsec and SPIFFE – Paul Howard, Arm

Speakers

Umair Khan

HPE

Tuesday November 17, 2020 12:05pm - 12:30pm EST
Virtual

General Session

12:30pm EST

Break

Tuesday November 17, 2020 12:30pm - 12:40pm EST
Virtual

Breaks

12:40pm EST

SPIFFE and SPIRE Architecture Deep Dive

Speakers

Andrew Harding

Staff Engineer, VMware

Core Maintainer on the SPIRE project: github.com/spiffe/spire

Evan Gilman

Staff Software Engineer, VMware Tanzu

Tuesday November 17, 2020 12:40pm - 1:10pm EST
Virtual

General Session

1:10pm EST

Securing Kafka with SPIFFE at TransferWise

For a long time in order to achieve mutual TLS between Kafka brokers and its clients we had to use long-lived certificates which is a nightmare to manage at large scale. At TransferWise, we have around 300 microservices and most of them use Kafka for the async communication, stream processing, event sourcing, etc. We wanted to implement Kafka security in a way that reduced the maintenance burden on platform teams, while making migration of diverse clients as simple as possible. In this talk we will describe how we have achieved that goal using SPIFFE with SPIRE and Envoy, requiring zero code changes on the client side.

Speakers

Jonathan Oddy

Principal Engineer, TransferWise

Levani Kokhreidze

Principal Engineer, TransferWise

Tuesday November 17, 2020 1:10pm - 1:35pm EST
Virtual

General Session

1:35pm EST

“Solving the Bottom Turtle”: Writing a book on SPIFFE in 10 days using Book Sprints

Speakers

Barbara Ruehling

CEO, Book Sprints

Writing, Collaboration, Facilitation, Documentation

Umair Khan

HPE

Tuesday November 17, 2020 1:35pm - 1:45pm EST
Virtual

Lightning Talks

1:45pm EST

Break

Tuesday November 17, 2020 1:45pm - 2:05pm EST
Virtual

Breaks

2:05pm EST

Using SPIRE in Production at Uber

In this session we will provide an overview of how Uber uses SPIFFE and SPIRE for workload authentication and authentication in a diverse deployment environment. We will highlight the deployment architecture, operational practices, and benefits achieved.

Speakers

Andrew Moore

Uber

Tuesday November 17, 2020 2:05pm - 2:20pm EST
Virtual

Lightning Talks

2:20pm EST

SPIFFE at GitHub

We’ve been rolling SPIFFE out internally at GitHub to empower teams to manage interoperable Production Identity documents. In this talk we’ll give a brief overview of how we’ve deployed SPIRE and leveraged its plugin system to integrate with our internal systems and tooling.

Speakers

Eric Lee

Staff Software Engineer, GitHub

Eric is an engineer in the Platform organization at GitHub working on SPIFFE/SPIRE. Prior to GitHub he was the technical lead for a team at Zillow introducing Kubernetes and containers to the infrastructure organization.

Eric Lee SPIFFE At GitHub pdf

Tuesday November 17, 2020 2:20pm - 2:45pm EST
Virtual

General Session

2:45pm EST

Passport App: The role of SPIFFE and SPIRE in a return to work solution

In this session, Frederick demonstrates a SPIFFE/SPIRE enabled solution which will help employers manage there return to work strategy. We will do a quick deep dive on how SPIRE allows us to accomplish our mission and what it may enable us to do in the future.

Speakers

Frederick Kautz

Head of Edge Infrastructure, Doc.AI

* Head of Edge Infrastructure and Federated Learning at Doc.ai* NSM Co-Creator and Committer* X-Factor CNF Methodology author & Organizer (CNF Best Practices)* CNCF TUG, OVP and CNTT contributor* Open Network Intelligence Creator (AI on Networking Dataplane)* Founding member of Container... Read More →

Tuesday November 17, 2020 2:45pm - 3:00pm EST
Virtual

Lightning Talks

3:00pm EST

Break + Making Your First Contribution to SPIRE (optional session)

Speakers

Ryan Turner

Software Engineer, Uber

I'm a software engineer on the Core Identity team at Uber and a contributor to the SPIRE project. Outside of work, I enjoy running, playing piano, golf, and skiing.

Making Your First Contribution to SPIRE pdf

Tuesday November 17, 2020 3:00pm - 3:10pm EST
Virtual

Breaks

3:10pm EST

10 Lessons From Migrating to SPIFFE After 10 Years Of Service Identity at Square

At Square we have developed our own service identity system a few years ago that served us well in our datacenters, but as we increasingly started adopting the cloud, we decided to implement SPIFFE to provide seamless service identity system that would span many environments. In this talk I would like to briefly present how we built a migration process and what we learned from it.

Speakers

Mat Byczkowski

Senior Security Engineer, Square

Production Identity Day 2020 Talk pdf

Tuesday November 17, 2020 3:10pm - 3:35pm EST
Virtual

General Session

3:35pm EST

Using a CRD to better integrate SPIRE and Kubernetes

In this talk we will discuss the Custom Resource Definition (CRD) for SPIRE we created. With the CRD we can better support automatic and manual generation of certificates, as well as integrate with kubectl.

Speakers

Faisal Memon

Software Engineer, F5 Networks

CRD SPIRE Kubernetes pdf

Tuesday November 17, 2020 3:35pm - 3:50pm EST
Virtual

Lightning Talks

3:50pm EST

Fortifying Microservice Security with SPIRE and OPA

Microservice architecture although beneficial brings with it unique security challenges around authentication and authorization which become more acute due to the diverse nature of microservice environments.
How do we reliably authenticate and authorize interactions between 10s, 100s, or even 1000s of services at scale while handling 1000 API calls per second?

SPIRE solves authentication by creating an identity plane across varied infrastructure over which cryptographically verifiable identities such as JWTs are delivered securely to workloads. OPA provides a policy engine that can be used to enforce fine-grained authorization policies across the stack.
We will show how SPIRE issued JWT SVID claims created using SPIRE’s OIDC Federation can be used by OPA to enforce service-to-service and end-user access control in microservice environments without compromising on speed and availability.

Speakers

Ash Nakar

SIG-Security Technical Lead, Styra

Ash Narkar is a maintainer of the Open Policy Agent project. Ash has over 5 years of experience working on large-scale distributed systems. Ash is a Senior Software Engineer at Styra, Inc. working on OPA development and integrations. Previously he was a Principal Engineer at Verizon... Read More →

Tuesday November 17, 2020 3:50pm - 4:10pm EST
Virtual

General Session

4:10pm EST

Using DevIDs and TPMs for Node Attestation

In this session we will present a proposal and demonstration for a TPM Node Attestor plugin following the TCG draft just published “TPM 2.0 Keys for Device Identity and Attestation” that applies the “IEEE Standard for Local and Metropolitan Area Networks, Secure Device Identity (802.1AR)“device identity module definition and formatting to keys protected by a TPM 2.

Speakers

Adriane Cardozo

Software Engineer, HPE

Marcos Yedro

Software Engineer, HPE

Tuesday November 17, 2020 4:10pm - 4:20pm EST
Virtual

Lightning Talks

4:20pm EST

Attestation and identity provisioning to Intel SGX workloads

Using workload attestation mechanisms to provision identity to workloads adds a huge value to this identity, especially in multi-cloud environments. Strong identities simplify policy management and help integration between services. However, attesting workloads based on properties collected from the Linux Kernel or the orchestrator is just the beginning. With confidential computing mechanisms reaching public cloud providers, there is an opportunity to raise the bar on the supported threat model and the strength of the application identities using technologies such as Intel SGX.

In this talk, I will explain how having an SGX Attestor could lead to identities that reflect not only where code is running, but also reflect the code of application that was actually loaded and the configuration of the filesystem that supports it. Next, I will discuss the benefits of such an attestor, which include enabling the seamless integration between sensitive workloads in untrusted environments with workloads on trusted environments with almost no additional burden on the developer.

Speakers

Andrey Brito

Professor, UFCG

I am a Professor at the Federal University of Campina Grande (UFCG, Brazil) in the Computer Science Department. My main interests are the robustness and scalability aspects of distributed systems, especially in cloud computing environments. More recently, our group has focused on... Read More →

Tuesday November 17, 2020 4:20pm - 4:35pm EST
Virtual

Lightning Talks

4:35pm EST

Network and Learn with the SPIRE Maintainers

Moderators

Tuesday November 17, 2020 4:35pm - 6:00pm EST
Virtual

Meet the Maintainers