Feature: Dashboard for organizational identity view #40

Open
3 tasks done
lumjjb opened this issue Apr 16, 2021 · 1 comment · Fixed by #75 or #76
lumjjb commented Apr 16, 2021

Feature: Dashboard for organizational identity view
Box Note:
https://ibm.box.com/s/uu9hvimaokhbiz6qd253ow4vad7tdw59
Flows:
Stories to work on Epic
1 - Cluster Management Page

  • Cluster Create Page, Cluster Edit Page, Cluster List Page

Overview

This feature consists of the goal of allowing better oversight of workload identity. This consists of:

  • Ability to view workload identities based on organizational constructs (clusters, nodes, workloads, etc.) instead of having to map internally to agents/entries, etc.
  • Ability to automatically identify these constructs, or provide ability for user to annotate and define these constructs around SPIRE concepts
  • Ability to navigate through the constructs (e.g. clicking on a node shows all identities registered to the node/agent) and obtain information and perform actions (i.e. logs of SVID provisioning and attestations)

Consideration of moving propagation of logging information to a separate feature since the scope is rather large... Or start with a rather naive propagation of metrics exposed by a simple tornjak API.

Motivation

  • Create a lower barrier to entry for utilizing SPIFFE/SPIRE for operators, CISOs, etc. who are interested in workload identity, but not familiar with underlying SPIRE mechanics.
  • Propagate identity use information (e.g. minting of identities, attestation actions, etc.) to the control plane for monitoring and auditing.
  • Provide a way to organize workload identity and agents in a way that matches the organization structure

Tasks

  • Ability to derive some structure based on the definition of identity (i.e. trust domains, agents, and entries parent IDs)
  • Ability for user to define metadata and tags around SPIRE servers, agents and entries to be used to provide structure
  • Dashboard
    • Define structure to be able to organize identity
    • Define the exploration dashboard overview
      • Within each trust domain: Clusters, nodes, workloads
      • On the organization level (MANAGER-ONLY): Groups
    • For each view, provide information related, including selectors, and general statistics
    • Organizational View data table
      • As an extension to the dashboard, show workload identity in a table similar to entries/agents
      • Provide ability to filter and search based on tags and metadata
    • Add metadata search for entry/agent list
  • Information propagating:
    • As part of the dashboard view, additional data should be used to provide useful views and statistics; this can include:
      • Information from SPIRE server Debug API (https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/debug/v1/debug.proto)
      • Identity provisioning from SPIRE server logs (NOTE: Perhaps can be another feature on its own since its scope is rather big), alternatively fairly simple analysis can be done locally on each tornjak agent and only basic statistics propagated via tornjak API.
        • Define scalable way to keep logs up to date as well as provide filters to populate data structures. This should be done on the agent level, and propagated up to the managers.
          • maybe something like prometheus would work here for just metrics
          • or for log aggregation and analysis, we could use Elasticsearch or Grafana/Loki

Unless specified explicitly, functionality should be capable on agent views as well as managers.

Dashboard ideas


Something similar to k8s, where there is graphical information on top, and then a list of higher level constructs i.e. deployments <--> nodes/agents and pods <--> workloads
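As an added example (not Tornjak's code and not part of the issue), one way to derive the trust domain / node / workload structure the first task asks for, using nothing but each entry's SPIFFE ID and parent ID. It relies on two SPIRE conventions: agent IDs live under spiffe://<td>/spire/agent/, and node alias entries are parented to spiffe://<td>/spire/server; the Entry and Node types and the sample entries are constructed for this example.

```go
package main

import "strings"

// Entry holds the registration-entry fields used here (the example's own names,
// not Tornjak's or SPIRE's API types).
type Entry struct{ SpiffeID, ParentID string }

// Node is a derived construct: the agent or node alias that workloads hang off.
type Node struct {
	TrustDomain string
	Agent       bool     // true for spiffe://<td>/spire/agent/... IDs, false for node aliases
	Workloads   []string // workload SPIFFE IDs whose parent ID is this node
}

// trustDomain returns <td> from spiffe://<td>/path.
func trustDomain(id string) string {
	return strings.SplitN(strings.TrimPrefix(id, "spiffe://"), "/", 2)[0]
}

// DeriveStructure maps node ID -> Node using only parent IDs: an entry parented
// directly to the server ID is a node alias, anything else is a workload.
func DeriveStructure(entries []Entry) map[string]*Node {
	nodes := map[string]*Node{}
	get := func(id string) *Node {
		if nodes[id] == nil {
			nodes[id] = &Node{TrustDomain: trustDomain(id), Agent: strings.Contains(id, "/spire/agent/")}
		}
		return nodes[id]
	}
	for _, e := range entries {
		if e.ParentID == "spiffe://"+trustDomain(e.SpiffeID)+"/spire/server" {
			get(e.SpiffeID) // node alias entry: creates the node but owns no workload
			continue
		}
		n := get(e.ParentID)
		n.Workloads = append(n.Workloads, e.SpiffeID)
	}
	return nodes
}

// SampleEntries is constructed data, not output from a real SPIRE server.
func SampleEntries() []Entry {
	return []Entry{
		{"spiffe://example.org/cluster/prod", "spiffe://example.org/spire/server"},
		{"spiffe://example.org/ns/web/sa/frontend", "spiffe://example.org/cluster/prod"},
		{"spiffe://example.org/ns/db/sa/postgres", "spiffe://example.org/spire/agent/k8s_psat/prod/node-1"},
		{"spiffe://dev.example.org/ns/ci/sa/runner", "spiffe://dev.example.org/spire/agent/join_token/abc"},
	}
}
```

Feeding SampleEntries() to DeriveStructure yields one alias node and two agent nodes across two trust domains, each carrying the workloads parented to it; a dashboard can then render trust domain, node and workload levels without exposing raw entries.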


lumjjb commented Aug 2, 2021

@maia-iyer @mamy-CS please link your PRs to this issue.
