Skip to content

Commit 6fcc5f7

Browse files
committed
docs: add SPIRE attestation details and end-to-end example
1 parent b866ad5 commit 6fcc5f7

1 file changed

Lines changed: 10 additions & 57 deletions

File tree

docs/en/security/workload_security/spire.mdx

Lines changed: 10 additions & 57 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,6 @@ The SPIRE plugin includes several components to manage identities:
1616
- **SPIRE Server**: The central authority that manages trust and issues identities.
1717
- **SPIRE Agent**: Runs on every node and delivers identities to local workloads.
1818
- **SPIFFE CSI Driver**: A Container Storage Interface driver that mounts SVIDs as volumes into Pods.
19-
- **SPIRE Controller Manager**: Automates the registration of Kubernetes workloads.
2019
- **OIDC Discovery Provider**: Exposes an OIDC discovery document for SPIRE's trust domain.
2120

2221
## Workflow
@@ -84,11 +83,18 @@ Once SPIRE is installed, workloads can obtain their SVIDs using the SPIFFE CSI D
8483
8584
2. **Workload Authentication**: Your application can now use the SPIFFE Workload API at `/run/spiffe.io/public` to retrieve its identity and certificates.
8685

86+
### Attestation
87+
88+
Attestation is the process by which SPIRE identifies and verifies the identity of nodes and workloads.
89+
90+
- **Node Attestation**: The process where a SPIRE Agent identifies itself to the SPIRE Server. In the Alauda Container Platform, this typically uses the `k8s_psat` (Projected Service Account Token) method. The Agent provides a signed Kubernetes service account token, which the SPIRE Server verifies against the Kubernetes API to confirm the Agent's identity and node location.
91+
- **Workload Attestation**: The process where a workload identifies itself to the local SPIRE Agent. When a workload requests an identity, the Agent inspects the workload's metadata (such as its Kubernetes namespace, service account name, or Unix user ID) using "selectors". These selectors are then compared against registration entries in the SPIRE Server to determine which SVID the workload is authorized to receive.
92+
8793
### Workload Registration
8894

8995
By default, the **SPIRE Controller Manager** automatically creates SPIRE entries for Kubernetes workloads based on their labels or service accounts. You can customize this behavior using annotations on your workloads.
9096

91-
### End-to-End Implementation Example
97+
## End-to-End Implementation Example
9298

9399
The following example demonstrates a complete SPIRE deployment showing how to set up mutual TLS (mTLS) authentication between workloads using SPIFFE identities.
94100

@@ -113,62 +119,9 @@ The architecture consists of:
113119

114120
Before starting, ensure you have:
115121

116-
- A running Kubernetes cluster with storage component deployed
117-
- Kubelet API listening on 127.0.0.1
118122
- The `example` namespace created: `kubectl create namespace example`
119123

120-
### SPIRE Deployment
121-
122-
Deploy SPIRE using the official Helm chart with production-ready configuration:
123-
124-
1. Create a `values.yaml` file with the following content:
125-
126-
```yaml
127-
global:
128-
openshift: false
129-
spire:
130-
recommendations:
131-
enabled: true
132-
namespaces:
133-
create: true
134-
ingressControllerType: ''
135-
clusterName: example-cluster
136-
trustDomain: example.org
137-
caSubject:
138-
country: CN
139-
organization: Example
140-
commonName: example.org
141-
persistence:
142-
storageClass: your-storage-class
143-
```
144-
145-
2. Deploy SPIRE CRDs and main components:
146-
147-
```bash
148-
helm upgrade --install --create-namespace -n spire spire-crds spire-crds \
149-
--repo https://spiffe.github.io/helm-charts-hardened/
150-
151-
helm upgrade --install -n spire spire spire \
152-
--repo https://spiffe.github.io/helm-charts-hardened -f values.yaml
153-
```
154-
155-
3. Verify all pods are running:
156-
157-
```bash
158-
kubectl get pods -n spire
159-
```
160-
161-
Expected output should show all SPIRE components in `Running` state:
162-
163-
```
164-
NAME READY STATUS RESTARTS AGE
165-
spire-agent-xxx 1/1 Running 0 17h
166-
spire-server-0 2/2 Running 0 18h
167-
spire-spiffe-csi-driver-xxx 2/2 Running 0 19h
168-
spire-spiffe-oidc-discovery-provider-xxx 2/2 Running 0 17h
169-
```
170-
171-
### Example Workload Registration
124+
### Workload Registration
172125

173126
Register the client and server workloads with SPIRE:
174127

@@ -245,7 +198,7 @@ spec:
245198
- 127.0.0.1:8080
246199
- --allow-uri
247200
- spiffe://example.org/ns/example/sa/client-sa
248-
image: docker-mirrors.alauda.cn/ghostunnel/ghostunnel:v1.9.0
201+
image: ghostunnel/ghostunnel:v1.9.0
249202
imagePullPolicy: Always
250203
name: ghostunnel
251204
ports:

0 commit comments

Comments
 (0)