Add service for spire sever-workload and ghostunnel arg descrption

tossmilestone · tossmilestone · commit b668f7442214 · 2026-04-21T15:51:34.000+08:00
diff --git a/docs/en/security/workload_security/spire.mdx b/docs/en/security/workload_security/spire.mdx
@@ -128,7 +128,7 @@ Register the client and server workloads with SPIRE:
 1. Register the client workload:
 
    ```bash
-   kubectl exec -n spire spire-server-0 -- \
+   kubectl exec -n spire-server spire-server-0 -- \
      /opt/spire/bin/spire-server entry create \
      -spiffeID spiffe://example.org/ns/example/sa/client-sa \
      -parentID spiffe://example.org/ns/spire/sa/spire-agent \
@@ -138,7 +138,7 @@ Register the client and server workloads with SPIRE:
 2. Register the server workload:
 
    ```bash
-   kubectl exec -n spire spire-server-0 -- \
+   kubectl exec -n spire-server spire-server-0 -- \
      /opt/spire/bin/spire-server entry create \
      -spiffeID spiffe://example.org/ns/example/sa/server-sa \
      -parentID spiffe://example.org/ns/spire/sa/spire-agent \
@@ -162,6 +162,24 @@ metadata:
   name: server-sa
   namespace: example
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: server-workload
+  namespace: example
+spec:
+  internalTrafficPolicy: Cluster
+  ports:
+    - appProtocol: tcp
+      name: web
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: server-workload
+  sessionAffinity: None
+  type: ClusterIP
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -216,6 +234,8 @@ spec:
           name: spiffe-socket
 ```
 
+* The `--allow-uri` flag in the `ghostunnel` configuration specifies the SPIFFE ID of the client workload that is allowed to connect to the server. In this example, only the client workload with the SPIFFE ID `spiffe://example.org/ns/example/sa/client-sa` is allowed to connect to the server.
+
 Apply with: `kubectl apply -f server-workload.yaml`
 
 #### Deploy Client Workload
@@ -271,6 +291,8 @@ spec:
           name: spiffe-socket
 ```
 
+* The `--verify-uri` flag in the `ghostunnel` configuration specifies the SPIFFE ID of the server workload that the client workload is allowed to connect to. In this example, only the server workload with the SPIFFE ID `spiffe://example.org/ns/example/sa/server-sa` is allowed to connect to the client workload.
+
 Apply with: `kubectl apply -f client-workload.yaml`
 
 ### Verification
