Skip to content

A Kubernetes CSI plugin to automatically mount SPIFFE certificates to Pods using ephemeral volumes

License

Notifications You must be signed in to change notification settings

cert-manager/csi-driver-spiffe

Repository files navigation

cert-manager project logo
Go Report Card

csi-driver-spiffe

csi-driver-spiffe is a Container Storage Interface (CSI) driver plugin for Kubernetes, designed to work alongside cert-manager.

It transparently delivers SPIFFE SVIDs (in the form of X.509 certificate key pairs) to mounting Kubernetes Pods.

The end result is that any and all Pods running in Kubernetes can securely request a SPIFFE identity document from a Trust Domain with minimal configuration.

These documents in turn have the following properties:

  • automatically renewed ✔️
  • private key never leaves the node's virtual memory ✔️
  • each Pod's document is unique ✔️
  • the document shares the same life cycle as the Pod and is destroyed on Pod termination ✔️
...
          volumeMounts:
          - mountPath: "/var/run/secrets/spiffe.io"
            name: spiffe
      volumes:
        - name: spiffe
          csi:
            driver: spiffe.csi.cert-manager.io
            readOnly: true

SPIFFE documents can then be used by Pods for mutual TLS (mTLS) or other authentication within their Trust Domain.

Documentation

Please follow the documentation at cert-manager.io for installing and using csi-driver-spiffe.

Release Process

The release process is documented in RELEASE.md.