2025-11-08 –, Room 2
Edera leveraged SPIRE for cryptographic attestation of a workload's environment. We started with a question: how do we prove that workloads are running in an isolated environment? It turns out that this is very similar to the workload identity question already answered by SPIFFE/SPIRE. By integrating SPIRE, Edera's users are able to prove that workloads are running in a fully isolated Edera zone and get end-to-end encryption between these workloads, allowing for use cases like non-falsifiable build provenance and remote attestation.
In this talk, we will discuss workload identity and the SPIFFE specification, explaining how workload identity enabled us to build a hypervisor-based, verifiable identity system for isolated workloads. We will talk about lessons learned when deploying SPIRE, walk through some of our configuration choices, and give some tips to others looking to use this project.
Marina Moore is a Research Scientist at Edera. She is a maintainer of The Update Framework (TUF), a CNCF graduated project that provides secure software update and delivery. She is also a chair of CNCF's TAG Security and Compliance where she contributes to security assessments and whitepapers, as well as providing technical security leadership to CNCF projects.
Her research interests include container isolation, software supply chain security, and cloud security.