We built a solution that uses SPIRE to attest Istio workload identities. The configuration ties identities not only to the nodes within the Kubernetes cluster but also to the workloads (at the container image level), so that every container image running within the cluster has a strong cryptographic identity.
- docker: `brew install docker`
- kubectl: `brew install kubectl`
- k3d: `brew install k3d`
- mkcert: `brew install mkcert`
- Create the local container registry: `bash boot.sh local_container_registry`
- Tag your image: `docker image tag nginx:latest registry.localhost:5000/nginx:latest`
- Push the image: `docker push registry.localhost:5000/nginx:latest`
- Create the cluster: `bash boot.sh local_up`
- Deploy Istio: `bash boot.sh istio`
- Delete the cluster without destroying the registry: `bash boot.sh local_down`
- Delete everything: `bash boot.sh local_clear`
Note:
- k3d provisions the load balancer, so you don't need to look up the cluster IP address.
- Add your app's virtual service hostname to `/etc/hosts`, e.g. `127.0.0.1 myapp.local # virtual service`
- Create the cluster before you run the Istio deploy.
- Deploy command: `bash boot.sh istio`
Note:
- This creates self-signed certs and forces all traffic over HTTPS. Your browser will show the certificate as trusted because it is issued by the local mkcert CA on your machine; outside your machine it cannot be trusted.
- This creates a gateway that allows all traffic for `*.local`.
- You need the k8s cluster and the Istio deployment from the previous steps.
- This script deploys the SPIRE server and one agent per node.
- You must register the node in the SPIRE server first; then you can register workloads using the node SVID as the parent.
- To deploy the SPIRE agent and server: `bash boot.sh spire`
- Here we deploy a workload and then register it.
- Deploy and register the demo workload with `bash boot.sh spifee_workload`
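The two registration steps above (node entry first, then a workload entry that uses the node SVID as its parent and pins the workload to its container image) look like this when issued to `spire-server` directly. This is an added example, not the project's `boot.sh`; the trust domain `example.org`, the k8s_psat cluster name `demo-cluster`, the `spire` namespace, the `spire-server-0` pod name and the in-container binary path are assumptions, and `DRY_RUN=1` prints the command instead of running it so the logic can be checked without a cluster.

```shell
#!/bin/sh
# Added example (not the project's boot.sh): register a SPIRE node entry for
# the agent, then a workload entry whose parent is that node identity and whose
# selectors bind the SVID to a namespace, service account and container image.
set -eu

TRUST_DOMAIN="${TRUST_DOMAIN:-example.org}"   # assumed trust domain
CLUSTER_NAME="${CLUSTER_NAME:-demo-cluster}"  # assumed k8s_psat cluster name
SPIRE_NS="${SPIRE_NS:-spire}"                 # assumed namespace of server and agent
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print the command instead of running it

# Run spire-server inside the server pod (assumed name spire-server-0), or in
# dry-run mode print the exact command line that would be executed.
spire_server() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' spire-server "$@"
    printf '\n'
  else
    kubectl exec -n "$SPIRE_NS" spire-server-0 -c spire-server -- \
      /opt/spire/bin/spire-server "$@"
  fi
}

# SPIFFE ID the agent receives after node attestation (k8s_psat attestor).
node_spiffe_id() {
  printf 'spiffe://%s/ns/%s/sa/spire-agent' "$TRUST_DOMAIN" "$SPIRE_NS"
}

# Node entry: selectors name the cluster plus the agent's namespace and
# service account, so only the real agent pods can obtain this identity.
register_node() {
  spire_server entry create \
    -node \
    -spiffeID "$(node_spiffe_id)" \
    -selector "k8s_psat:cluster:$CLUSTER_NAME" \
    -selector "k8s_psat:agent_ns:$SPIRE_NS" \
    -selector "k8s_psat:agent_sa:spire-agent"
}

# Workload entry: parentID is the node SVID, so the entry is only served by an
# attested agent; the k8s workload attestor selectors tie the SVID to the
# namespace, service account and the exact container image.
register_workload() {
  ns="$1"; sa="$2"; image="$3"
  spire_server entry create \
    -parentID "$(node_spiffe_id)" \
    -spiffeID "spiffe://$TRUST_DOMAIN/ns/$ns/sa/$sa" \
    -selector "k8s:ns:$ns" \
    -selector "k8s:sa:$sa" \
    -selector "k8s:container-image:$image"
}

# Usage (constructed values): register the node, then an nginx workload served
# from the local registry created earlier in this README.
if [ "${1:-}" = "demo" ]; then
  register_node
  register_workload default nginx registry.localhost:5000/nginx:latest
fi
```

Pinning on `k8s:container-image` is what gives the image-level identity described at the top of this README: a pod in the right namespace with the right service account but a different image does not match the entry and gets no SVID. If you pin to a tag, as here, the registry can move that tag; pin to the image digest when the registry supports it.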