The Cloud Native Computing Foundation has announced the graduation of SPIFFE and SPIRE. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is an implementation of the SPIFFE API that is production-ready. Recent improvements to the project include adding experimental Windows support.
The SPIFFE (Secure Production Identity Framework for Everyone) specification is designed to work within dynamic and heterogeneous environments, providing a means for workloads to mutually authenticate. At the base of the specification is the concept of short-lived cryptographic identity documents, known as SVIDs (SPIFFE Verifiable Identity Documents), which are made available to workloads through an API. Workloads can use these documents to authenticate to other workloads.
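As an added illustration of the SVID-based peer authentication described above (this is not code from the SPIFFE or SPIRE projects), the following Go snippet, using only the standard library, applies the checks a workload runs on the X509-SVID a peer presents once the mTLS chain has been verified against the trust bundle: the leaf must carry exactly one well-formed spiffe:// URI SAN, must not be a CA, and must belong to the expected trust domain and to an allowed workload. The trust domain example.org, the workload paths and the self-signed test certificate are constructed for the example; in a real deployment the SVID and trust bundle come from the SPIRE agent's Workload API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromCert applies the X509-SVID leaf rules: not a CA, exactly one URI SAN, and
// that URI is spiffe://<trust-domain>/<path> with no user info, port, query or fragment.
func spiffeIDFromCert(cert *x509.Certificate) (*url.URL, error) {
	if cert.IsCA || len(cert.URIs) != 1 {
		return nil, fmt.Errorf("not an X509-SVID leaf: isCA=%v, %d URI SANs", cert.IsCA, len(cert.URIs))
	}
	id := cert.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.User != nil || id.Port() != "" || id.RawQuery != "" || id.Fragment != "" {
		return nil, fmt.Errorf("malformed SPIFFE ID %q", id)
	}
	return id, nil
}

// authorizePeer runs after chain verification: the peer must be in our trust domain and on the allow list.
func authorizePeer(cert *x509.Certificate, trustDomain string, allowed map[string]bool) error {
	id, err := spiffeIDFromCert(cert)
	if err != nil {
		return err
	}
	if id.Host != trustDomain || !allowed[id.String()] {
		return fmt.Errorf("peer %s is not an allowed workload of trust domain %s", id, trustDomain)
	}
	return nil
}

// newTestSVID is a constructed, self-signed stand-in so the checks run offline; real SVIDs are CA-signed by SPIRE.
func newTestSVID(isCA bool, uris ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, u := range uris {
		id, _ := url.Parse(u)
		tmpl.URIs = append(tmpl.URIs, id)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```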
In order to graduate, SPIFFE and SPIRE had to demonstrate a level of project maturity expected by the CNCF for stable projects. This includes good adoption, a Core Infrastructure Initiative Best Practices Badge, and a defined governance and committer process.
Both projects have undergone numerous security reviews, including a TAG Security review in 2020 and, more recently, a third-party security audit by Cure53. The Cure53 audit focused on the security posture of the SPIRE project and consisted of a source code audit of the SPIRE code base and a penetration test against a live SPIRE deployment. With no severe or critical issues found, the Cure53 team stated that "the overall quality of the whole project can be judged as quite mature".
SPIFFE has support for workloads within AWS, GCP, Azure, and running on bare metal. There are also integrations available with Kubernetes, Docker, Vault, MySQL, and Envoy. A number of projects are now issuing IDs as per the SPIFFE specification such as Istio Citadel, Consul, and Kuma.
As of version 1.3.0, SPIRE has introduced experimental support for Windows workloads. This allows both the SPIRE server and the SPIRE agent to run on Windows. With this new support, the goal of the project is to provide an experience similar to running on Linux. Many of the existing plugins that make up the SPIRE architecture have been adapted to work under Windows. A new Windows-specific workload attestor has been added that works similarly to the existing Linux version.
At the time of release, the SPIFFE Workload Endpoint standard does not expose the Workload API as a named pipe endpoint. As of version 1.4.0, the Kubernetes workload attestor plugin is now supported on Windows. The go-spiffe library has been updated to support the use of named pipes with the Workload API but other language libraries have not. Agustin Martinez Fayó, SPIRE maintainer, notes that this "is in part due to a lack of support for named pipe transports in the C/C++ gRPC library".
SPIFFE and SPIRE are available for download from GitHub under the Apache-2.0 license. With this announcement, SPIFFE and SPIRE join 16 other graduated projects including Envoy, Helm, and Prometheus.