Integrating Gitness with Jenkins
Jenkins is a popular open source CI server and many that are familiar with it often have a bit of a love/hate relationship. That being said, it is an …
A growing consideration for cloud spending and the proliferation of AI have caused many organizations to evaluate their use of the public cloud. Many are looking at taking better advantage of their existing data centers or leveraging colocation facilities to enable the best of both worlds. Many will state that the cloud isn’t a location but an operating model. This means that companies have adopted operational patterns for managing workloads in the public cloud (location) that would like to leverage in their private cloud. I believe that workload identity is one of those patterns that many would like to take advantage of in their private cloud.
Workload identity in the public cloud enables a frictionless authentication experience when a workload needs to access a cloud-native service. This not only reduces the overhead of creating and managing service accounts but also enables a better security posture through the use of short-lived credentials.
Workloads in a private cloud environment have identifiers like the name of a virtual machine or an operating system’s hostname. These pieces of metadata can easily be spoofed and don’t assure that the workload initiating the request is actually the workload.
The most frequently used method for machine authentication is a username and password. This is usually a dedicated service account but is often just an admin’s personal named account. This incurs the administrative overhead of needing to rotate dozens or hundreds of service account passwords on a regular basis. Another consideration is that most identity systems don’t allow the use of the service account to be restricted to a single IP address. This would help provide an assurance that the service account can only be used from the designated system.
Let’s start with the fact that Public Key Infrastructure (PKI) and certificates are notoriously difficult implement and manage for most organizations. Certificates suffer from many of the same problems as usernames and passwords, such as the need to rotate them. Many solutions, such as service meshes, use TLS certificates to enable mutual authentication (mTLS) between workloads. This works well but is tightly coupled to the service mesh deployment, which may not work for non-Kubernetes workloads. This means that every workload in the environment can’t take advantage of this capability.
The same reasons we’ve come to love workload identity in the public cloud as well as the value it could bring to hybrid cloud environments.
One of the reasons that workload identity hasn’t been more of a priority in the private cloud is that the services that the identity is used to access in the public cloud don’t exist in the same fashion in the private cloud. Services like object storage and database as a service (DBaaS) are table stakes for cloud providers but are still very immature in the private cloud. These services in the private cloud will only continue to mature as the technology options to enable them, like Kubernetes, continue to be adopted.
There are actually a number of solutions in the private cloud that aim to provide workloads with an identity, such as HashiCorp Vault (https://www.vaultproject.io/) and SPIFEE (https://spiffe.io/). These solutions provide half of the equation in that they still need something that they initially trust to verify the identity of the workload that just isn’t present in private clouds. In the public cloud, this is an identity provided by the cloud provider that these solutions can cryptographically verify.
Jenkins is a popular open source CI server and many that are familiar with it often have a bit of a love/hate relationship. That being said, it is an …
With everything being defined as code nowadays, there’s a need for a place to store and version that code. The popular selection would be a …