Also known as the Secure Production Identity Framework For Everyone, the SPIFFE project is an open-source identity framework designed expressly to support distributed systems deployed into environments that may be deeply heterogeneous, spanning on-premise and public cloud providers, and that may also be elastically scaled and dynamically scheduled through technologies like Kubernetes.
“The SPIFFE community believes that aligning on a common, flexible representation of workload identity, and prescribing best practices for identity issuance and management are critical for widespread adoption of cloud-native architectures,” said Sunil James, CEO of Scytale, a venture-backed company that serves as SPIFFE’s primary maintainer. “Modeled after similar production systems at Google, Netflix, Twitter, and more, SPIFFE delivers this platform capability for the rest of us. Joining the CNCF furthers this foundational technology, helps us build a diverse community, and delivers to the broader cloud-native community an increasingly ubiquitous identity framework that will be well-integrated with CNCF projects like Kubernetes and more.”
Accompanying SPIFFE is SPIRE (aka the “SPIFFE Runtime Environment”), which is an open-source SPIFFE implementation that enables organizations to provision, deploy, and manage SPIFFE identities throughout their heterogeneous production infrastructure. Coupled with CNCF projects like Envoy and gRPC, SPIRE forms a powerful solution for connecting, authenticating, and securing workloads in distributed environments.
TOC sponsors of the project include Brian Grant, Sam Lambert, and Ken Owens.
“SPIFFE provides one of the most important missing capabilities needed to enable cloud-native ecosystems,” said Brian Grant, a principal engineer at Google and member of the CNCF’s Technical Oversight Committee (TOC). “The internal Google system that inspired SPIFFE is ‘dial tone’ for Google’s software and operations engineers; it is ubiquitous and omnipresent. SPIFFE enables development and operations teams to easily and consistently authenticate and authorize microservices, and control (and audit) infrastructure access without needing to individually provision, manage, and rotate credentials per application and service.”
Sandbox replaces the Inception level — for further clarification around project maturity levels in CNCF, please visit our outlined Graduation Criteria.