Skip to main content

Module 12: Building a Complete Zero Trust Platform

Capstone project: assemble everything into a production architecture

4 hours. 1 hands-on lab. Free course module.

Learning Objectives

  • Design an end-to-end zero trust platform architecture
  • Deploy SPIRE with Envoy mTLS and OPA authorization
  • Implement federation across two clusters
  • Create a reference architecture for your organization

Why This Matters

This capstone project is your proof of competence. By building a complete zero trust platform end-to-end, you demonstrate that you can architect, deploy, and operate production identity infrastructure — not just follow tutorials. This is what you put on your resume and discuss in interviews.

ZERO TRUST PLATFORM — CAPSTONE ARCHITECTURESPIRE Server (HA) — Identity AuthorityCluster A (Production)Frontend + EnvoyAPI + EnvoyOrders + EnvoyPayments + EnvoyOPA (Policy Engine)SPIRE Agents (DaemonSet)Cluster B (Staging)Frontend + EnvoyAPI + EnvoyOPA (Policy Engine)SPIRE Agents (DaemonSet)mTLS
Architecture diagram for Module 12: Building a Complete Zero Trust Platform.

Lesson Content

This is the capstone module. You will combine everything from the previous 11 modules into a complete, production-style zero trust platform. By the end, you will have a fully functional multi-cluster deployment with SPIRE, Envoy, OPA, and federation.

Architecture Overview

The capstone project deploys a microservice e-commerce application across two Kubernetes clusters with every service identified by SPIRE, all communication encrypted with Envoy mTLS, authorization enforced by OPA policies, cross-cluster communication via SPIFFE federation, and monitoring via Prometheus and Grafana.

What You Will Build

  1. Deploy SPIRE in HA mode on both clusters
  2. Configure automatic workload registration via Controller Manager
  3. Deploy Envoy sidecars for transparent mTLS
  4. Write and deploy OPA policies for service-to-service authorization
  5. Configure federation between the two clusters
  6. Deploy monitoring with SPIRE-specific dashboards
  7. Test failure scenarios: what happens when identity expires? When a policy changes?

Reference Architecture

This architecture serves as a template you can adapt for your organization. The key decisions documented: trust domain naming, SPIFFE ID schema, attestation plugin choices, certificate TTL settings, policy structure, and monitoring/alerting thresholds.

Common Pitfalls

  • Starting too big: Deploy SPIRE for one critical service first, then expand
  • Ignoring day-two operations: Monitoring and runbooks are not optional
  • Over-complicated policies: Start with broad allow rules, tighten incrementally
  • Not testing failure modes: What happens when SPIRE Server is down? Test it.

Real-World Use Cases

  • Multi-cluster production deployment with HA and federation
  • Complete zero trust stack: identity + encryption + authorization
  • Production-style monitoring and incident response
  • Threat modeling: simulating a compromised service and verifying containment

Common Mistakes

  • Building everything at once instead of layering: identity first, then encryption, then authorization
  • Not testing failure scenarios: what happens when SPIRE Server goes down?
  • Skipping monitoring — deploying without dashboards means flying blind
  • Not documenting the architecture decisions for your team

Think Like an Engineer

  • How would you present this architecture to a VP of Engineering for approval?
  • What is the total cost of running this stack? (compute, storage, operational overhead)
  • How would you migrate an existing service mesh to use SPIRE instead of built-in CA?
  • What compliance frameworks (SOC 2, PCI-DSS, HIPAA) does this architecture help satisfy?

Hands-On Labs

  1. Capstone: Build a Zero Trust Kubernetes Platform

    Deploy the complete zero trust stack end-to-end.

    • Create two Kind clusters for production and staging
    • Deploy SPIRE Server (HA) and Agents on both clusters
    • Deploy a microservice application with Envoy sidecars
    • Configure OPA policies for service authorization
    • Set up SPIFFE federation between clusters
    • Deploy Prometheus monitoring with SPIRE dashboards
    • Test by simulating a compromised service attempting unauthorized access

    View lab files on GitHub

Key Takeaways

  • Zero trust is a system: identity (SPIRE) + encryption (Envoy) + authorization (OPA)
  • Start with one critical service path and expand incrementally
  • Document your trust domain schema, SPIFFE ID naming, and policy structure
  • Test failure modes: expired certs, server downtime, policy misconfiguration
  • This reference architecture is your template for production deployments