1 of 21

2 of 21

Rahul Jadhav

  • CTO, Cofounder AccuKnox
  • SIG-Security Chair, Nephio

SPIFFE for Large Scale Telco Deployments: A Nephio Rationale

3 of 21

Identity & Entitlements

It is easier for a threat actor to log in versus hack in.

  • Morey J. Haber

4 of 21

User Identity vs Workload Identity

User Identity

Workload Identity

aka NHI (Non Human Identity)

5 of 21

What about Access Tokens?

  • Access Tokens aka Service Tokens
    • Examples:
      • GitHub Personal Access Tokens (PATs)
      • Google Service Account Tokens
      • AWS Access Key ID and Secret Access Key
  • Access Tokens are widely used for Machine to Machine communication.
  • Access to the Workload is allowed if the Client can produce an access token.

6 of 21

Problem with Access Tokens?

  • Possession of the token implies access
  • Tedious to maintain the access token lifecycle
    • No way to track everywhere the token is being used.
    • A permissions change requires a new token to be created
    • Rotation complexity results in the use of long-lived keys!
  • Contextual Access is not possible
    • e.g. allow access to a workload only from a given region.
  • Can easily get out of hand!
    • If you have a dozen services talking to each other, establishing access tokens across all the pairs is a nightmare!

7 of 21

Security Solutions vying for this space

  • Secrets in Code Repositories
  • Secrets in S3 buckets, Google Storage, File Systems
  • Secrets hardcoded in IaC
  • Secrets in Kubernetes ConfigMaps
  • Credentials in Container Images
  • Secrets exposed during Runtime using env vars, configs etc.

8 of 21

Workload Identity?

9 of 21

Doesn’t k8s solve this issue?

  • The K8s service-account token can be used for workload authz
  • Isn’t it already used in k8s RBAC?

Diagram: Workload 1 → API Server (Authz) → Workload 2. Workload 1 reads its service account token from /var/run/secrets/kubernetes.io/serviceaccount/token and uses it in the API request; the API Server answers the authz question: is service-account-workload1 allowed access to Workload 2?

The scope is only within the given k8s cluster.
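To make the cluster-local scope concrete, the following added example (not from the slides) builds a token with the claim layout of a bound Kubernetes service-account token and shows that its issuer, audience and subject only mean something to the cluster that minted it. The token is constructed and unsigned; the issuer URL, namespace and service account names are assumed, and no signature verification is performed (a real API server does that via TokenReview).

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_sa_token(issuer, namespace, sa_name, audience="https://kubernetes.default.svc"):
    """Constructed, unsigned JWT with the claims a bound k8s service-account token carries.
    The signature segment is a placeholder: this is illustration, not a valid credential."""
    header = {"alg": "RS256", "kid": "constructed"}
    payload = {
        "iss": issuer,
        "aud": [audience],
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "SIGNATURE-PLACEHOLDER"])

def parse_sa_token(token):
    """Decode the claims of a service-account JWT (no signature check; illustration only)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def token_is_in_scope(claims, verifier_issuer, verifier_audience="https://kubernetes.default.svc"):
    """A service-account token is only meaningful to the cluster that issued it: both issuer and
    audience must match the verifying cluster. A second cluster, or a non-k8s peer, has no basis
    to accept it, which is why the token is not a cross-cluster workload identity."""
    return claims.get("iss") == verifier_issuer and verifier_audience in claims.get("aud", [])

def workload_identity_from_claims(claims):
    """The identity the token encodes is <namespace>/<serviceaccount>; no cluster appears in it."""
    k = claims["kubernetes.io"]
    return k["namespace"], k["serviceaccount"]["name"]
```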

10 of 21

Emergence of Workload Identity solutions

  • Google Workload Identity
  • Microsoft Entra Workload ID
  • AWS Workload Identity

11 of 21

What is SPIFFE?

  • CNCF Graduated Project
  • Specs that cover how a workload should retrieve and use its Identity
    • SPIFFE ID
    • SPIFFE Verifiable Identity Documents (SVIDs)
    • The SPIFFE Workload API
  • SPIRE (SPIFFE Runtime Environment), a reference implementation
  • A toolchain of APIs for establishing trust based on SPIFFE
  • Provides out of the box Attestation Plugins

12 of 21

High Level SPIFFE Workflow

  • Registration
  • Attestation
  • Provisioning/Updates

13 of 21

What is Nephio?

  • Deliver carrier grade, open, k8s-based cloud native intent automation for large-scale edge/telco deployments.

“The problems Nephio aims to solve start only once we try to operate at scale. The fact that our infrastructure, workloads, and workload configurations are all interconnected greatly increases the difficulty in managing these architectures at scale.”

14 of 21

Nephio: High Level Architecture

15 of 21

Why is SPIFFE relevant to Nephio?

  • Evolution of Telco Deployments
    • SS7 ⇒ SIGTRAN ⇒ NGIN ⇒ Cloud Native Model
    • The Cloud Native Model (e.g. ORAN) enables disaggregation and democratization, allowing telcos to adopt services beyond Voice & Data.
  • A strong Identity Layer becomes a foundational concern for any Service-centric operator.
  • Nephio’s automation combined with a strong Identity layer provides ease of management and allays security concerns when operating at scale.

16 of 21

Nephio Identity Requirements

  • Framework’s Internal Requirements
  • 5G ORAN, 5G Core specific requirements

17 of 21

Nephio Framework Requirements

18 of 21

Nephio Telco/5G Requirements

19 of 21

Nephio SPIFFE Implementation

  1. Dev specifies the workload blueprint
  2. Workload Blueprint automation using kpt, porch, and configsync
  3. Porch specializers & mutators create Identity resources for different clusters
  4. Workload Identity resources are created in the management repo
  5. ConfigSync pushes custom resources for Workload Identity
  6. SPIRE server registers the workload identity
  7. Edge Cluster configsync picks up the respective identity configuration
  8. Edge Cluster workloads attest to the SPIRE server
  9. SPIRE Server provisions the Identity document on the workload

Note: Nephio SPIFFE Integration PRs are still in review state.
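As an added example (not Nephio's code; its CRD shape is still in review), the block below shows what steps 6 to 9 rest on: a SPIFFE ID validator following the SPIFFE-ID spec rules from the "What is SPIFFE?" slide, and a registration entry that maps a Kubernetes namespace and service account to the SPIFFE ID the SPIRE server will hand out once the edge cluster's agent attests a matching pod. The trust domain `nephio.example`, the `ns/<ns>/sa/<sa>` path layout and the node-alias parent ID (the convention from SPIRE's Kubernetes quickstart) are assumptions.

```python
import re

# Character rules from the SPIFFE-ID specification: the trust domain is lowercase letters,
# digits, dots, dashes and underscores; path segments may be mixed case; no empty, '.' or '..'
# segments; no trailing slash; no query string or fragment.
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")

def parse_spiffe_id(spiffe_id):
    """Validate a SPIFFE ID and return (trust_domain, path). Raises ValueError when invalid."""
    if not spiffe_id.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    trust_domain, slash, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.match(trust_domain):
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    if slash and not path:
        raise ValueError("trailing slash is not allowed")
    for segment in (path.split("/") if path else []):
        if segment in ("", ".", "..") or not _SEGMENT.match(segment):
            raise ValueError(f"invalid path segment {segment!r}")
    return trust_domain, ("/" + path if path else "")

def registration_entry(trust_domain, namespace, service_account):
    """Registration entry the SPIRE server holds (step 6). When the edge cluster's SPIRE agent
    attests a pod whose namespace and service account match the selectors (step 8), the server
    issues an SVID for this SPIFFE ID to that pod (step 9). Field layout mirrors the arguments of
    `spire-server entry create`; the parent ID is the node-alias convention from SPIRE's
    Kubernetes quickstart, assumed here rather than taken from Nephio."""
    spiffe_id = f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"
    parse_spiffe_id(spiffe_id)  # fail early if the names would produce an invalid SPIFFE ID
    return {
        "spiffeID": spiffe_id,
        "parentID": f"spiffe://{trust_domain}/ns/spire/sa/spire-agent",
        "selectors": [f"k8s:ns:{namespace}", f"k8s:sa:{service_account}"],
    }
```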

20 of 21

Identity Federation

  • Multi Cloud Telco deployments are a real possibility
    • Operators using a combination of EKS, GKE, OpenShift for infra
  • Identity Federation will play a key role in Nephio
  • SPIFFE provides multi-vendor Identity Federation

21 of 21

To sum it up

  • Telco deployments are undergoing a fundamental shift
    • More Disaggregated, more Cloud Native
  • Frameworks such as Nephio are supporting this shift
  • Operating at higher scales requires foundational elements
    • Identity is an important foundational element
  • SPIFFE provides a consistent, scalable Identity framework for any large scale, multi-vendor deployment