I'm in the process of vetting a move to service mesh. While Istio
and Consul Connect
are certainly still in the cards, I'm leaning towards building up from a bit lower level with Linkerd
and SPIFFE/SPIRE
.
I want to build a 'hello world' mesh to test this architecture out. In this hello world mesh, I'd like to be able to issue certificates from SPIFFE/SPIRE
that encode some kind of role. As you can probably tell, I'm new to service meshes. How would I implement roles? Are there any guides out there to help get me started?
If you're looking to build from scratch, you might want to start with Envoy rather than LinkerD. The integration between Envoy and SPIRE is much tighter, though of course you'll have to bring your own control plane.
SPIFFE is opinionated about authentication but not authorization. It's up to a workload receiving a SPIFFE-identified connection or message to apply authorization logic once you've authenticated the The ID of sending workload. The ID should denote a workload's logical identity, not its roles or entitlements.
That said, there aren't many constraints on how you structure your SPIFFE IDs, and the ID can be structured in a way that makes subsequent authorization simpler. For example, you might have a SPIFFE ID like:
spiffe://prod.acme.com/<group>/<application>/<service>
For a receiving workload might to apply authorization rule that says "allow connections from any service in the payments group" you'd simply allow any connection that matches:
spiffe://prod.acme.com/payments/.*