Workload Identity Part 2: How Cilium Implements Its Mutual Auth Leveraging SPIFFE and SPIRE

The classic mTLS implementation using sidecars is resource-intensive, slow, and poorly suited to microservices. The Cilium’s approach is to do away with sidecars and instead leverage eBPF which provides native performance. It has also split mTLS’s traditional mutual authentication and encryption into separate features that users can opt-in individually based on their requirements. To manage workload identity and their short-lived certificates, Cilium has embraced SPIFFE and SPIRE. In this episode, we will take a deep dive look at how Cilium has achieved this integration and how their lightweight pod mutual authentication works.

Video script files:
https://github.com/gary-RR/myYouTube_...

Timecodes
0:00 - Intro.
1:51 - Overview of classic mTLS.
10:34 - Cilium's vision for mTLS and channel encryption.
15:46 - SPIFFE Overview.
20:14 - SPIRE architecture.
22:39 - Kubernetes/Cilium/SPIRE Integration to implement Cilium's Mutual Auth.
39:57 - Demos.

My other videos:
►Workload Identity Part 1: Introduction to SPIFFE and SPIRE - YouTube
► Encrypt Client Communication to Kubernetes Services Leveraging Cert-Manage and Let’s Encrypt
   • Encrypt Client Communication to Kubernetes...  
►Kubernetes Security, Part 4: Kubernetes Authentication (Part B: Open ID Connect Auth)
   • Kubernetes Security, Part 4: Kubernetes Au...  
►Kubernetes Security, Part 3: Kubernetes Auth (Part A: Overview and X509 Client Certificate auth)
   • Kubernetes Security, Part 3: Kubernetes Au...  
►Kubernetes Security, Part 2: Managing POD Run Time Security
   • Kubernetes Security, Part 2: Managing POD ...  
► Istio Ambient Service Mesh
   • Istio Ambient Service Mesh  
► Kubernetes Security, Part 1: Kubernetes Security Overview and Role-Based Access Control (RBAC) in Detail
   • Kubernetes Security, Part 1: Kubernetes Se...  
► Cilium Service Mesh
   • Cilium Service Mesh  
► Cilium Kubernetes CNI Provider: Part 4, IP Routing Modes (Direct and Encapsulated)
   • Cilium Kubernetes CNI Provider: Part 4, IP...  
► Cilium Kubernetes CNI Provider, Part 3: Cluster Mesh
   • Cilium Kubernetes CNI Provider, Part 3: Cl...  
►Cilium Kubernetes CNI Provider, Part 2: Security Policies and Observability Leveraging Hubble
   • Cilium Kubernetes CNI Provider, Part 2: Se...  
► Cilium Kubernetes CNI Provider, Part 1: Overview of eBPF and Cilium and the Installation Process    • Cilium Kubernetes CNI Provider, Part 1: Ov...  
► What is VXLAN and How is it used as an Overlay Network in Kubernetes?
   • What is VXLAN and How It is Used as an Ove...  
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 2- Join Linux Machines to AD:
   • Managing Linux Logins, Users, and Machines...  
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 1- Setup AD:
   • Managing Linux Logins, Users, and Machines...  
► Sharing Resources between Windows and Linux:
   • Sharing Resources between Windows and Linux  
► Kubernetes kube-proxy Modes: iptables and ipvs, Deep Dive:
   • Kubernetes kube-proxy Modes: iptables and ...  
►Kubernetes: Configuration as Data: Environment Variables, ConfigMaps, and Secrets:
   • Kubernetes: Configuration as Data: Environ...  
►Configuring and Managing Storage in Kubernetes:
   • Configuring and Managing Storage (volumes)...  
► Istio Service Mesh – Securing Kubernetes Workloads:
   • Istio Service Mesh – Securing Kubernetes W...  
► Istio Service Mesh – Intro
   • Istio Service Mesh (sidecar-based)- Intro  
► Understanding Kubernetes Networking. Part 6: Calico Network Policies:
   • Understanding Kubernetes Networking. Part ...  
► Understanding Kubernetes Networking. Part 5: Intro to Kubernetes Network Policies:
   • Understanding Kubernetes Networking. Part ...  
► Understanding Kubernetes Networking. Part 4: Kubernetes Services:
   • Kubernetes services - (Understanding Kuber...  
► Understanding Kubernetes Networking Part 3: Calico Kubernetes CNI Provider in depth:
   • Understanding Kubernetes Networking Part 3...  
► Understanding Kubernetes Networking. Part 2: POD Network, CNI, and Flannel CNI: Plug-in:
   • Understanding Kubernetes Networking. Part ...  
►Understanding Kubernetes Networking. Part 1: Container Networking:
   • Видео  
► Setup a Linux-Windows (Calico-based) Hybrid Kubernetes Cluster to Host .NET Containers:
   • Setup a Linux-Windows (Calico based) Hybri...  
► A Docker and Kubernetes tutorial for beginners:
A Docker and Kubernetes tutorial for beginners. - YouTube