Module 6 of 16

SPIFFE & SPIRE Deep Dive

Production workload identity with the CNCF standard — from concepts to Kubernetes deployment

4 hours · 2 labs · Free

Start here

Learning objectives

  • Understand SPIFFE specification and SPIRE architecture
  • Deploy SPIRE on Kubernetes with auto-registration
  • Configure workload attestation and SVID issuance
  • Implement SPIFFE federation across trust domains
Figure: SPIRE architecture on Kubernetes. SPIRE Server runs as a StatefulSet (CA, registration, datastore); a SPIRE Agent runs as a DaemonSet on each node (Workload API, attestation); every Pod holds its own SVID. Caption: Every pod gets a unique cryptographic SVID — automatic issuance, rotation, and revocation.

This module teaches the SPIFFE specification and its production implementation SPIRE. If you have already taken our dedicated Mastering SPIFFE & SPIRE course, this module serves as a recap within the broader cloud-native security context.

SPIFFE in 5 Minutes

SPIFFE (Secure Production Identity Framework For Everyone) defines a standard for workload identity. SPIRE (SPIFFE Runtime Environment) implements it. Together they give every service a cryptographic identity — automatically issued, automatically rotated, cryptographically verifiable.

Key Concepts

  • Trust Domain: The root of trust (e.g., spiffe://company.org)
  • SPIFFE ID: URI identifying a workload (spiffe://company.org/ns/prod/sa/api)
  • X.509-SVID: Certificate proving identity — used for mTLS
  • JWT-SVID: Token proving identity — used for HTTP APIs
  • Workload API: Unix socket where pods request their identity
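The concepts above are easiest to see in code that a service would run when it receives a peer's X.509-SVID: parse the SPIFFE ID, check the shape the standard requires, pull it out of the certificate's URI SAN, and only then ask whether the trust domain is one this service accepts. The program below is an added example written for this module, not code from the course labs or from the SPIRE project; it uses only the Go standard library, generates a constructed self-signed certificate so it runs offline (real SVIDs are issued by the SPIRE Server CA), and reuses the module's trust domain company.org. The `InTrustDomain` allowlist is an illustration of keeping identity and authorization as separate steps, not a SPIRE API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SPIFFEID is a parsed spiffe:// URI: the trust domain plus the workload path.
type SPIFFEID struct {
	TrustDomain string
	Path        string
}

func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

// ParseSPIFFEID checks the shape the SPIFFE ID standard requires before the value
// is used in any policy: scheme "spiffe", a lowercase trust domain with no port or
// userinfo, no query or fragment, and a path of non-empty segments other than "." and "..".
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	u, err := url.Parse(s)
	if err != nil {
		return SPIFFEID{}, err
	}
	switch {
	case u.Scheme != "spiffe":
		return SPIFFEID{}, errors.New("scheme must be spiffe")
	case u.Host == "" || u.Port() != "" || u.User != nil:
		return SPIFFEID{}, errors.New("trust domain must be a bare host name")
	case u.Host != strings.ToLower(u.Host):
		return SPIFFEID{}, errors.New("trust domain must be lowercase")
	case u.RawQuery != "" || u.Fragment != "":
		return SPIFFEID{}, errors.New("query and fragment are not allowed")
	}
	if u.Path != "" {
		for _, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
			if seg == "" || seg == "." || seg == ".." {
				return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
			}
		}
	}
	return SPIFFEID{TrustDomain: u.Host, Path: u.Path}, nil
}

// IDFromX509SVID returns the SPIFFE ID an X.509-SVID carries. The standard requires
// exactly one URI SAN and CA:FALSE on leaf SVIDs; the Subject is informational only.
func IDFromX509SVID(cert *x509.Certificate) (SPIFFEID, error) {
	if len(cert.URIs) != 1 {
		return SPIFFEID{}, fmt.Errorf("X.509-SVID must carry exactly one URI SAN, got %d", len(cert.URIs))
	}
	if cert.IsCA {
		return SPIFFEID{}, errors.New("a leaf X.509-SVID must not be a CA certificate")
	}
	return ParseSPIFFEID(cert.URIs[0].String())
}

// InTrustDomain is the separate authorization step: a syntactically valid SVID from
// a trust domain this service does not federate with is still rejected.
func InTrustDomain(id SPIFFEID, allowed ...string) bool {
	for _, td := range allowed {
		if id.TrustDomain == td {
			return true
		}
	}
	return false
}

// NewSelfSignedSVID builds a constructed, self-signed X.509-SVID for the given SPIFFE ID
// so the extraction above can be exercised offline. Real SVIDs come from the SPIRE Server CA.
func NewSelfSignedSVID(spiffeID string) (*x509.Certificate, error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed X.509-SVID"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived, as SPIRE issues them
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // encodes CA:FALSE for the leaf
		URIs:                  []*url.URL{uri},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSignedSVID("spiffe://company.org/ns/prod/sa/api")
	if err != nil {
		panic(err)
	}
	id, err := IDFromX509SVID(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("peer:", id, "accepted:", InTrustDomain(id, "company.org", "partner.example"))
	for _, bad := range []string{"spiffe://company.org/ns/../sa/api", "spiffe://company.org:8443/api", "https://company.org/api"} {
		_, err := ParseSPIFFEID(bad)
		fmt.Printf("%-38s rejected: %v\n", bad, err)
	}
}
```

The same extraction is what the openssl step in the first lab shows by hand: the identity is the URI SAN, nothing else in the certificate, and a peer that presents a well-formed SVID from a trust domain you never federated with must still be refused.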

SPIRE on Kubernetes

SPIRE Server runs as a StatefulSet. SPIRE Agent runs as a DaemonSet on every node. The Controller Manager auto-registers workloads. The CSI Driver mounts the Workload API socket into pods. The result: every pod gets a cryptographic identity with zero manual configuration.

Why SPIFFE Matters for This Course

SPIFFE is the identity layer that enables everything in subsequent modules: Envoy mTLS (Module 7), OPA authorization (Module 8), Vault integration (Module 9), and production federation (Module 14). Without workload identity, none of these integrations work.

Real world

Where this shows up

  • Automatic workload identity for 500+ microservices
  • Cross-cluster identity with SPIFFE federation
  • Replacing shared secrets with SVID-based authentication
  • Kubernetes + VM hybrid identity

Common mistakes

What usually breaks

  • Using SQLite for SPIRE Server in production (no HA)
  • Not monitoring SVID rotation — stalled rotation = imminent certificate expiry
  • Overly broad ClusterSPIFFEID selectors matching unintended workloads
  • Confusing SPIFFE (identity) with authorization (what identity can do)
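The third mistake above, a ClusterSPIFFEID whose selectors match more than intended, is easy to reason about once you see which pods a policy would actually register. The program below is an added example written for this module and is not code from the course or from spire-controller-manager: it is a deliberately simplified model of the resource (a spiffeIDTemplate plus matchLabels selectors for namespaces and pods, leaving out matchExpressions, dnsNameTemplates, federatesWith and the rest), evaluated against a constructed pod inventory. The template variable names (.TrustDomain, .PodMeta, .PodSpec) follow the controller manager's template convention; the opt-in label identity.example/spire is constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"text/template"
)

// ClusterSPIFFEID is a simplified model of the spire-controller-manager resource:
// a SPIFFE ID template plus matchLabels selectors for namespaces and pods.
type ClusterSPIFFEID struct {
	Name              string
	SPIFFEIDTemplate  string
	NamespaceSelector map[string]string // matchLabels; an empty selector matches every namespace
	PodSelector       map[string]string // matchLabels; an empty selector matches every pod
}

// Pod holds only the fields the selectors and the template look at.
type Pod struct {
	Name, Namespace, ServiceAccount string
	NamespaceLabels, Labels         map[string]string
}

// templateData mirrors the variable names the controller manager exposes to
// spiffeIDTemplate: .TrustDomain, .PodMeta.* and .PodSpec.*.
type templateData struct {
	TrustDomain string
	PodMeta     struct{ Name, Namespace string }
	PodSpec     struct{ ServiceAccountName string }
}

// labelsMatch implements matchLabels semantics: every selector key must be present
// with the same value. With no keys at all, everything matches.
func labelsMatch(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Assign returns the SPIFFE ID each matching pod would be registered with, keyed by
// "namespace/name". Pods the selectors exclude are absent from the result.
func Assign(trustDomain string, c ClusterSPIFFEID, pods []Pod) (map[string]string, error) {
	tmpl, err := template.New(c.Name).Parse(c.SPIFFEIDTemplate)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, p := range pods {
		if !labelsMatch(c.NamespaceSelector, p.NamespaceLabels) || !labelsMatch(c.PodSelector, p.Labels) {
			continue
		}
		var d templateData
		d.TrustDomain = trustDomain
		d.PodMeta.Name, d.PodMeta.Namespace = p.Name, p.Namespace
		d.PodSpec.ServiceAccountName = p.ServiceAccount
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, d); err != nil {
			return nil, err
		}
		out[p.Namespace+"/"+p.Name] = buf.String()
	}
	return out, nil
}

// idTemplate yields IDs shaped like the module's example, spiffe://company.org/ns/prod/sa/api.
const idTemplate = "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"

// BroadPolicy has no selectors, so every pod on the cluster is issued an SVID.
var BroadPolicy = ClusterSPIFFEID{Name: "everything", SPIFFEIDTemplate: idTemplate}

// ScopedPolicy covers only namespaces labelled env=prod and pods that opt in with the
// constructed label identity.example/spire=enabled.
var ScopedPolicy = ClusterSPIFFEID{
	Name:              "prod-workloads",
	SPIFFEIDTemplate:  idTemplate,
	NamespaceSelector: map[string]string{"env": "prod"},
	PodSelector:       map[string]string{"identity.example/spire": "enabled"},
}

// SamplePods is a constructed inventory: two opted-in API pods in different
// namespaces, an ad-hoc debug pod, and a cluster add-on in kube-system.
func SamplePods() []Pod {
	prod := map[string]string{"env": "prod"}
	optIn := map[string]string{"identity.example/spire": "enabled"}
	return []Pod{
		{Name: "api", Namespace: "prod", ServiceAccount: "api", NamespaceLabels: prod, Labels: optIn},
		{Name: "api", Namespace: "staging", ServiceAccount: "api", NamespaceLabels: map[string]string{"env": "staging"}, Labels: optIn},
		{Name: "debug-shell", Namespace: "prod", ServiceAccount: "default", NamespaceLabels: prod},
		{Name: "coredns", Namespace: "kube-system", ServiceAccount: "coredns", Labels: map[string]string{"k8s-app": "kube-dns"}},
	}
}

func main() {
	for _, policy := range []ClusterSPIFFEID{BroadPolicy, ScopedPolicy} {
		ids, err := Assign("company.org", policy, SamplePods())
		if err != nil {
			panic(err)
		}
		keys := make([]string, 0, len(ids))
		for k := range ids {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		fmt.Printf("%s: %d pod(s) receive an SVID\n", policy.Name, len(ids))
		for _, k := range keys {
			fmt.Printf("  %-20s -> %s\n", k, ids[k])
		}
	}
}
```

Under the broad policy the debug shell and the kube-system add-on both receive identities under the same template as the production API, which is exactly the blast radius the mistake creates; the scoped policy issues one SVID. Running this kind of dry run against a real pod list before applying a ClusterSPIFFEID is a cheap check that the selectors say what you meant.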

Key terms

Vocabulary used in this module

SPIFFE

Secure Production Identity Framework For Everyone — the standard

SPIRE

SPIFFE Runtime Environment — the implementation

SVID

SPIFFE Verifiable Identity Document — certificate or JWT

Trust Domain

Root of trust identified by domain name

Attestation

Process of verifying node or workload identity

Labs

Hands-on labs

40 min · Intermediate

Deploy SPIRE on Kubernetes

Deploy the complete SPIRE stack on a Kind cluster.

  1. Create a Kind cluster
  2. Deploy SPIRE Server, Agent, and Controller Manager
  3. Register a workload and verify SVID issuance
  4. Inspect the SVID with openssl
45 min · Advanced

Configure SPIFFE Federation

Federate two SPIRE deployments for cross-cluster trust.

  1. Deploy SPIRE on two separate Kind clusters
  2. Exchange trust bundles
  3. Register federated workloads
  4. Verify cross-cluster mTLS communication

Recap

Key takeaways

  • SPIFFE is the specification, SPIRE is the implementation
  • Every pod gets automatic cryptographic identity via SVID
  • SPIRE Server (StatefulSet) + Agent (DaemonSet) + Controller Manager = automatic workload identity
  • Federation enables cross-cluster and cross-cloud trust
  • SPIFFE is the identity foundation for all subsequent security modules
