SPIFFE CSI Driver
WARNING: This project is in the "Development" phase of the SPIFFE Project Maturity Phases.
A Container Storage Interface driver for Kubernetes that facilitates injection of the SPIFFE Workload API.
The SPIFFE Workload API is nominally served over a Unix domain socket. Some SPIFFE implementations (e.g. SPIRE) rely on DaemonSets to run one Workload API server instance per host. In these cases, it is necessary to inject the Workload API socket into each pod. The primary motivation for using a CSI driver for this purpose is to avoid the use of hostPath, which is associated with security weaknesses and is commonly disallowed by policy.
This driver provides pods with an ephemeral inline volume. SPIFFE implementations can serve their Workload API socket from a central location on each host, and the driver bind-mounts that location into workload pods as directed by the pod spec.
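To make the hostPath-versus-CSI distinction concrete, here is an added example (not a manifest from the spiffe-csi project) showing the hostPath pattern the driver is meant to replace next to a pod that obtains the socket through the driver's ephemeral inline volume. It assumes the driver is registered under the name csi.spiffe.io, that the agent's socket file is spire-agent.sock, that the agent's socket directory on the node is /run/spire/sockets, and that the workload locates the endpoint via the SPIFFE_ENDPOINT_SOCKET environment variable; the image name is a placeholder.

```yaml
# Pattern the driver replaces: a hostPath volume that exposes the agent's
# socket directory on the node. The pod must be permitted to use hostPath,
# which many admission policies forbid.
apiVersion: v1
kind: Pod
metadata:
  name: example-workload-hostpath
spec:
  containers:
    - name: app
      image: example.com/app:latest        # placeholder image
      volumeMounts:
        - name: spire-agent-socket
          mountPath: /run/spire/sockets
          readOnly: true
  volumes:
    - name: spire-agent-socket
      hostPath:
        path: /run/spire/sockets           # assumed agent socket directory on the node
        type: Directory
---
# Same workload, receiving the Workload API socket through the CSI driver's
# ephemeral inline volume. The pod spec names no host path; the driver
# bind-mounts the socket directory into the pod.
apiVersion: v1
kind: Pod
metadata:
  name: example-workload
spec:
  containers:
    - name: app
      image: example.com/app:latest        # placeholder image
      env:
        # Standard SPIFFE endpoint variable; the socket file name is assumed.
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///spiffe-workload-api/spire-agent.sock
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /spiffe-workload-api
          readOnly: true
  volumes:
    - name: spiffe-workload-api
      csi:
        driver: csi.spiffe.io             # assumed driver registration name
        readOnly: true
```

After applying the second manifest, `kubectl exec example-workload -- ls /spiffe-workload-api` should list the socket file; if the directory is empty, check that the driver's DaemonSet is running on the node and that the agent is serving its socket in the directory the driver exports.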