Module 6: SPIFFE & SPIRE Deep Dive Slides

Slide walkthrough for Module 6 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Production workload...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. SPIFFE & SPIRE Deep Dive - Production workload identity with the CNCF standard — from concepts to Kubernetes deployment
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Workload identity is the foundation of cloud-native zero trust. Without it, services cannot prove who they are, mTLS is impossible to manage at scale, and authorization policies have nothing to anchor on
  4. SPIFFE in 5 Minutes - Lesson section from the full module
  5. Key Concepts - Lesson section from the full module
  6. SPIRE on Kubernetes - Lesson section from the full module
  7. Why SPIFFE Matters for This Course - Lesson section from the full module
  8. Real-World Use Cases - Automatic workload identity for 500+ microservices, Cross-cluster identity with SPIFFE federation
  9. Common Mistakes to Avoid - 4 mistakes covered
  10. Hands-On Labs - 2 hands-on labs
  11. Key Takeaways - 5 points to remember

Learning Objectives

  • Understand SPIFFE specification and SPIRE architecture
  • Deploy SPIRE on Kubernetes with auto-registration
  • Configure workload attestation and SVID issuance
  • Implement SPIFFE federation across trust domains

Why This Module Matters

Workload identity is the foundation of cloud-native zero trust. Without it, services cannot prove who they are, mTLS is impossible to manage at scale, and authorization policies have nothing to anchor on. This module gives you the identity layer everything else depends on.

Common Mistakes

  • Using SQLite for SPIRE Server in production (no HA)
  • Not monitoring SVID rotation — stalled rotation = imminent certificate expiry
  • Overly broad ClusterSPIFFEID selectors matching unintended workloads
  • Confusing SPIFFE (identity: who a workload is) with authorization (what that identity is allowed to do)

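As an added illustration of the selector mistake above (example manifests, not the course's own lab files): a ClusterSPIFFEID with no pod or namespace selector matches every pod in the cluster, so system pods in kube-system get SVIDs too; the second manifest scopes issuance to pods that opt in by label inside one namespace. Field names follow the spire-controller-manager ClusterSPIFFEID CRD; the namespace, label and resource names are constructed for this example.

```yaml
# Too broad (constructed example): without podSelector or namespaceSelector
# every pod in every namespace, including kube-system, is issued an SVID
# under this template.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: everything
spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
---
# Scoped (constructed example): only pods carrying the opt-in label, and only
# in the "payments" namespace, receive identities. The namespace label
# kubernetes.io/metadata.name is set automatically by Kubernetes.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: payments-workloads
spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: payments
  podSelector:
    matchLabels:
      spiffe.io/spire-managed-identity: "true"
```

After applying a ClusterSPIFFEID, compare what it actually matched against what you intended: `kubectl get clusterspiffeid payments-workloads -o yaml` reports in its status how many namespaces and pods were selected, and `spire-server entry show` lists the registration entries the controller created.
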
Key Takeaways

  • SPIFFE is the specification, SPIRE is the implementation
  • Every pod gets automatic cryptographic identity via SVID
  • SPIRE Server (StatefulSet) + Agent (DaemonSet) + Controller Manager = automatic workload identity
  • Federation enables cross-cluster and cross-cloud trust
  • SPIFFE is the identity foundation for all subsequent security modules

Hands-On Labs

  1. Deploy SPIRE on Kubernetes

    Deploy the complete SPIRE stack on a Kind cluster.

    40 min - Intermediate

    • Create a Kind cluster
    • Deploy SPIRE Server, Agent, and Controller Manager
    • Register a workload and verify SVID issuance
    • Inspect the SVID with openssl

    View lab files on GitHub

  2. Configure SPIFFE Federation

    Federate two SPIRE deployments for cross-cluster trust.

    45 min - Advanced

    • Deploy SPIRE on two separate Kind clusters
    • Exchange trust bundles
    • Register federated workloads
    • Verify cross-cluster mTLS communication

    View lab files on GitHub
