Container Storage Interface components for SPIFFE

SPIFFE CSI Driver

WARNING: This project is in the "Development" phase of the SPIFFE Project Maturity Phases.

A Container Storage Interface driver for Kubernetes that facilitates injection of the SPIFFE Workload API.

The SPIFFE Workload API is nominally served over a Unix domain socket. Some SPIFFE implementations (e.g. SPIRE) rely on DaemonSets to run one Workload API server instance per host. In these cases, it is necessary to inject the Workload API socket into each pod. The primary motivation for using a CSI driver for this purpose is to avoid the use of hostPath, which is associated with security weaknesses and is commonly disallowed by policy.

This driver provides pods with an ephemeral inline volume. SPIFFE implementations can serve their Workload API socket in a central location, and the driver will bind mount this location into workload pods as directed.

Owner: SPIFFE (Secure Production Identity Framework For Everyone)
Comments
  • Relabeling fails when SELinux is enabled

    Thanks for the great work on this CSI driver.

    We are trying to get the CSI driver working on clusters with SELinux enabled (RKE2 v1.24 and OpenShift v1.23).

    When deploying the example-workload we get the following error:

    CreateContainerError (failed to generate container "2d1bd76ada39d781110f6559ebe324f9f2c76f6a5fb0ce324426089ae4593f0b" 
    spec: failed to generate spec: relabel "/var/lib/kubelet/pods/86e8ad89-bf07-421c-9ae2-a53745ce91e8/volumes/kubernetes.io~csi/spiffe-workload-api/mount" 
    with "system_u:object_r:container_file_t:s0:c442,c843" failed: 
    lsetxattr /var/lib/kubelet/pods/86e8ad89-bf07-421c-9ae2-a53745ce91e8/volumes/kubernetes.io~csi/spiffe-workload-api/mount: read-only file system)
    

    It seems to be related to SELinux and that the node isn't able to run lsetxattr on the mount since it's mounted "read-only".

    In the kubernetes-csi docs it states that it is possible to mount the volume "read-only" to the container and "read-write" to the node. Is this an option to solve this issue?

  • Improves spiffe-csi-driver security isolation in k8s deployment

    Updates the spiffe-csi-driver k8s deployment in order to improve its security isolation.

    Changes:

    • The spiffe-csi driver will run as a DaemonSet in a single pod instead of in the spire-agent pod.
    • The spiffe-csi driver will have its own service account instead of using the same one used by the spire-agent. The spire-agent DaemonSet RBAC is restricted to the get verb on the following resources: pods, nodes, and nodes/proxy. The spiffe-csi driver's service account will have default behavior, thus more restrictive.
    • Configured pod securityContext to limit the scope of allowed capabilities of the spiffe-csi driver using the following spec:
    securityContext:
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - all
      privileged: true
    

    Signed-off-by: Alexandre Alvino [email protected]

  • feat(ci): run PR testing against a list of kubernetes versions

    This adds a matrix build with a few of the recent kubernetes versions supported by kind. I noticed mention of the desire for this feature in this issue https://github.com/spiffe/spiffe-csi/issues/4 .

    Screenshots:

    Screenshot 2022-01-18 at 17-50-47 feat(ci) add testing for multiple k8s versions · blairdrummond spiffe-csi ce6eb6c

    Screenshot 2022-01-18 at 17-55-22 feat(ci) add testing for multiple k8s versions · blairdrummond spiffe-csi ce6eb6c

  • Move to pre-production maturity

    This PR upgrades the maturity level of the project from Development to Pre-Production.

    @spiffe/ssc, I'm not quite sure what the process is to promote a project maturity level or if it needs SSC involvement. I've reviewed the checklist at the above link and think we've checked all the boxes. There is a simple integration test as well as unit tests for the driver package, which contains the majority of the business logic. The weakest assertion is that the project is supported by early adopters. I don't know of many and getting early adopters without being at pre-prod feels a little like a chicken-and-egg problem... nevertheless I have had many folks reach out about the availability and stability of this component (e.g. #7).

    I'd really appreciate some guidance!

  • Mount is lost when driver is deleted/re-created

    When the csi driver is deleted and re-created for whatever reason (upgrade, crash, etc.) the old socket mount is lost, and all existing workloads that were attached will lose that connection. Even when a new csi driver starts up, it only attaches when new workload creation events occur, and is unaware of existing workloads that have a broken mount.

    Ideally the csi driver should be able to remount existing workloads if the mount is unhealthy or broken.

    The workaround is to re-roll the workloads once the new csi driver is running, so that it can see the new creation events and attach the new mount.

  • Timeline for GA?

    Hi ! Thanks for this awesome component ! Is there any timeline to make it GA/stable ? This is definitely a must have for multi-tenant clusters in an enterprise context where the containers don't/shouldn't have privileged access.

  • Bump golang.org/x/sys from 0.2.0 to 0.3.0

    Bumps golang.org/x/sys from 0.2.0 to 0.3.0.

    Commits
    • 3ca3b18 windows: add GetLargePageMinimum
    • d684c6f execabs: isGo119ErrDot: use errors.Is instead of string-matching
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump golang.org/x/sys from 0.1.0 to 0.2.0

    Bumps golang.org/x/sys from 0.1.0 to 0.2.0.

    Commits
    • fc697a3 unix: add ParseOneSocketControlMessage to parse control messages without allo...
    • 5726498 unix: in Linux sendmsgN actually send one normal byte
    • See full diff in compare view

  • Bump google.golang.org/grpc from 1.50.0 to 1.50.1

    Bumps google.golang.org/grpc from 1.50.0 to 1.50.1.

    Release notes

    Sourced from google.golang.org/grpc's releases.

    Release 1.50.1

    New Features

    • gcp/observability: support new configuration defined in public preview user guide
    Commits
    • 4c776ec Cherry-pick observability changes from master to v1.50.x and update version t...
    • 6576007 Change version to 1.50.1-dev (#5686)
    • See full diff in compare view

  • Bump google.golang.org/grpc from 1.47.0 to 1.48.0

    Bumps google.golang.org/grpc from 1.47.0 to 1.48.0.

    Release notes

    Sourced from google.golang.org/grpc's releases.

    Release 1.48.0

    Bug Fixes

    • xds/priority: fix bug that could prevent higher priorities from receiving config updates (#5417)
    • RLS load balancer: don't propagate the status code returned on control plane RPCs to data plane RPCs (#5400)

    New Features

    • stats: add support for multiple stats handlers in a single client or server (#5347)
    • gcp/observability: add experimental OpenCensus tracing/metrics support (#5372)
    • xds: enable aggregate and logical DNS clusters by default (#5380)
    • credentials/google (for xds): support xdstp C2P cluster names (#5399)
    Commits
    • 6417495 Change version to 1.48.0 (#5482)
    • 5770b1d xds: drop localities with zero weight at the xdsClient layer (#5476)
    • 423cd8e interop: update proto to make vet happy (#5475)
    • c9b16c8 transport: remove unused bufWriter.onFlush() (#5464)
    • 755bf5a fix typo in the binary log (#5467)
    • 15739b5 health: split imports into healthpb and healthgrpc (#5466)
    • c075d20 interop client: provide new flag, --soak_min_time_ms_between_rpcs (#5421)
    • 4b75005 clusterresolver: merge P(p)arseConfig functions (#5462)
    • d883f3d test/xds: fail only when state changes to something other than READY and IDLE...
    • c6ee1c7 xdsclient: only include nodeID in error strings, not the whole nodeProto (#5461)
    • Additional commits viewable in compare view

  • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5

    Bumps github.com/stretchr/testify from 1.7.4 to 1.7.5.

    Commits

  • Bump golang.org/x/sys from 0.3.0 to 0.4.0

    Bumps golang.org/x/sys from 0.3.0 to 0.4.0.

    Commits
    • b60007c unix: add Uvmexp and SysctlUvmexp for NetBSD
    • b751db5 unix: gofmt hurd files after CL 459895
    • b360406 unix: support TIOCGETA on GNU/Hurd
    • 3086868 unix: regen on OpenBSD 7.2
    • 2b11e6b unix: remove Mclpool from openbsd types
    • 7c6badc unix: convert openbsd/mips64 to direct libc calls
    • 3b1fc93 unix: avoid allocations for common uses of Readv, Writev, etc.
    • 2204b66 cpu: parse /proc/cpuinfo on linux/arm64 on old kernels when needed
    • 72f772c unix: offs2lohi should shift by bits, not bytes
    • cffae8e unix: add ClockGettime on *bsd and solaris
    • Additional commits viewable in compare view

  • Limit workflow job permissions to bare minimum

    This allows to narrow down workflow permissions in GitHub settings

    See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

    Signed-off-by: Marco Franssen [email protected]

  • ARM64 support for the Docker image

    Builds on top of:

    • [x] https://github.com/spiffe/spiffe-csi/pull/66
    • [x] https://github.com/spiffe/spiffe-csi/pull/67
    • [x] https://github.com/spiffe/spiffe-csi/pull/68
    • [x] https://github.com/spiffe/spiffe-csi/pull/69

    This PR's diff will drastically reduce once those other PRs are merged.

    I'll rebase this PR once those others are merged.

  • unable to read csi driver mounted file

    I installed this csi driver in OpenShift and it does not work. I can see the unix socket mounted in the container, but I get this error:

    drwxr-xr-x.   2 root root   60 Oct 29 20:28 spiffe-workload-api
    drwxr-xr-x.   2 root root    6 Jun 21  2021 srv
    dr-xr-xr-x.  13 root root    0 Oct 29 19:14 sys
    drwxrwxrwx.   2 root root   58 Oct 26 11:23 tmp
    drwxr-xr-x.  12 root root  144 Oct 26 11:09 usr
    drwxr-xr-x.  19 root root  249 Oct 26 11:09 var
    sh-4.4$ ls -la spiffe-workload-api
    ls: cannot open directory 'spiffe-workload-api': Permission denied
    sh-4.4$ id
    uid=1000690000(1000690000) gid=0(root) groups=0(root),1000690000
    

    as you can see, based on the group, I should be able to ls that directory. I suspect selinux might be in play here. Any suggestions?

    also this is failing:

    /opt/spire $ /opt/spire/bin/spire-agent api fetch -socketPath $SPIFFE_ENDPOINT_SOCKET
    rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /opt/spire/unix:/spiffe-workload-api/spire-agent.sock: connect: no such file or directory"
    

    see also https://github.com/spiffe/spire-tutorials/issues/95

  • WIP: chore: use ko instead of docker to minimize the image size

    Signed-off-by: Batuhan Apaydın [email protected]

    It requires ko >= v0.12.0 to use the --bare option with the local daemon.

    https://github.com/ko-build/ko/pull/820
