I'm in the process of vetting a move to service mesh. While Istio and Consul Connect are certainly still in the cards, I'm leaning towards building up from a bit lower level with Linkerd and SPIFFE/SPIRE.

I want to build a 'hello world' mesh to test this architecture out. In this hello world mesh, I'd like to be able to issue certificates from SPIFFE/SPIRE that encode some kind of role. As you can probably tell, I'm new to service meshes. How would I implement roles? Are there any guides out there to help get me started?

CodePudding user response：

If you're looking to build from scratch, you might want to start with Envoy rather than LinkerD. The integration between Envoy and SPIRE is much tighter, though of course you'll have to bring your own control plane.

SPIFFE is opinionated about authentication but not authorization. It's up to a workload receiving a SPIFFE-identified connection or message to apply authorization logic once you've authenticated the The ID of sending workload. The ID should denote a workload's logical identity, not its roles or entitlements.

That said, there aren't many constraints on how you structure your SPIFFE IDs, and the ID can be structured in a way that makes subsequent authorization simpler. For example, you might have a SPIFFE ID like:

spiffe://prod.acme.com/<group>/<application>/<service>

For a receiving workload might to apply authorization rule that says "allow connections from any service in the payments group" you'd simply allow any connection that matches:

spiffe://prod.acme.com/payments/.*

CodePudding user response：

So there isn't any kind of integration with Linkerd and SPIFFE/SPIRE. As of right now there isn't any particular plan for an integration but you can see the existing issue for more details. The next release of Linkerd, 2.11, will include the ability to create server side policy but current versions don't enforce any kind of policy settings.