{"id":13668701,"url":"https://github.com/spiffe/spiffe-csi","last_synced_at":"2025-04-06T03:07:12.304Z","repository":{"id":37384102,"uuid":"398391365","full_name":"spiffe/spiffe-csi","owner":"spiffe","description":"Container Storage Interface components for SPIFFE","archived":false,"fork":false,"pushed_at":"2025-03-25T04:10:26.000Z","size":321,"stargazers_count":59,"open_issues_count":7,"forks_count":22,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-29T08:33:43.698Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spiffe.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-20T20:19:17.000Z","updated_at":"2025-03-25T14:03:35.000Z","dependencies_parsed_at":"2023-10-13T10:36:45.397Z","dependency_job_id":"cdf21f1f-63bb-4ed2-8bd7-d5ceeab6c24d","html_url":"https://github.com/spiffe/spiffe-csi","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-csi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-csi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-csi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-csi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spiffe","download_url":"https://codeload.github.com/s
piffe/spiffe-csi/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247427006,"owners_count":20937201,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T08:00:47.465Z","updated_at":"2025-04-06T03:07:12.287Z","avatar_url":"https://github.com/spiffe.png","language":"Go","funding_links":[],"categories":["Utils"],"sub_categories":["SDK"],"readme":"# SPIFFE CSI Driver\n\n[![Pre-Production Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/pre-prod.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#pre-production)\n\nA [Container Storage\nInterface](https://github.com/container-storage-interface/spec/blob/master/spec.md)\ndriver for Kubernetes that facilitates injection of the SPIFFE Workload API.\n\nThe SPIFFE Workload API is nominally served over a Unix domain socket. Some\nSPIFFE implementations (e.g. [SPIRE](https://github.com/spiffe/spire)) rely on DaemonSets to run one Workload API\nserver instance per host. In these cases, it is necessary to inject the\nWorkload API socket into each pod. The primary motivation for using a CSI\ndriver for this purpose is to avoid the use of\n[hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)\nvolumes in workload containers, which is commonly disallowed or limited by\npolicy due to inherent security concerns. 
Note that `hostPath` volumes are\nstill required for the CSI driver to interact with the\n[Kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)\n(see [Limitations](#limitations)).\n\nThis driver mounts a directory containing a SPIFFE Workload API socket provided\nby a SPIFFE implementation (e.g. SPIRE) as an ephemeral inline volume into\nworkload pods.\n\n## How it Works\n\nThis component is generally deployed as a container in the DaemonSet that\nprovides the Workload API implementation (e.g. SPIRE agent) and registered with\nthe kubelet using the official CSI Node Driver Registrar image. The SPIFFE CSI\nDriver and the Workload API implementation share the directory hosting the\nWorkload API Unix Domain Socket using a `hostPath` volume. An `emptyDir`\nvolume cannot be used since the backing directory would be removed if the\nSPIFFE CSI Driver pod is restarted, invalidating the mount into workload\ncontainers.\n\nWhen pods declare an ephemeral inline mount using this driver, the driver is\ninvoked to mount the volume. The driver does a read-only bind mount of the\ndirectory containing the Workload API Unix Domain Socket into the container\nat the requested target path.\n\nSimilarly, when the pod is destroyed, the driver is invoked and removes the\nbind mount.\n\n## Dependencies\n\nCSI Ephemeral Inline Volumes require at least Kubernetes 1.15 (enabled via the\n`CSIInlineVolume` feature gate) or 1.16 (enabled by default).\n\n## Limitations\n\nCSI drivers are registered as plugins and otherwise interact with the Kubelet,\nwhich requires several `hostPath` volumes. As such, this driver cannot be used\nin environments where `hostPath` volumes are forbidden.\n\n## Example\n\nAn example deployment can be found [here](./example). 
\n\n## Troubleshooting\n\nThis component has a fairly simple design and function, but some of the\nfollowing problems may manifest.\n\n### Failure to Register with the Kubelet\n\nThis problem can be diagnosed by dumping the logs of the kubelet (if possible),\nthe driver registrar container, and the SPIFFE CSI driver container. The likely\nsuspect is a misconfiguration of the various volume mounts needed for\ncommunication between the registrar, the SPIFFE CSI driver, and the kubelet.\n\n### Failure to Mount the Socket Directory\n\nThis problem can be diagnosed by dumping the SPIFFE CSI driver logs.\n\n### Failure to Terminate Pods when Driver is Unhealthy or Removed\n\nIf the SPIFFE CSI Driver is removed (or is otherwise unhealthy), any pods that\ncontain a volume mounted by the driver will fail to fully terminate until\ndriver health is restored. The describe command (i.e. kubectl describe) will\nshow the failure to unmount the volume. Kubernetes will continue retrying to\nunmount the volume via the CSI driver. Once the driver has been restored, the\nunmounting will eventually succeed and the pod will be fully terminated.\n\n### Broken Mount when the CSI Driver Pod is Restarted\n\nEnsure that the Workload API socket directory is shared with the SPIFFE CSI\nDriver via a `hostPath` volume. The directories backing `emptyDir` volumes are\ntied to the pod instance and invalidated when the pod is restarted.\n\n## Reporting a Vulnerability\n\nVulnerabilities can be reported by sending an email to security@spiffe.io. A\nconfirmation email will be sent to acknowledge the report within 72 hours. 
A\nsecond acknowledgement will be sent within 7 days when the vulnerability has\nbeen positively or negatively confirmed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fspiffe-csi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspiffe%2Fspiffe-csi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fspiffe-csi/lists"}